Antivirus and anti-malware apps fill an important need on our computers, but they’re not foolproof. More often than you’d think, they’re just plain wrong. Here’s what to do when you’re not sure whether a download has a virus.
There’s no exact science when it comes to figuring out if a file has a virus or is just being detected as a false positive, but today we’ll share a little background and some tips that will help you figure out whether a file really contains a virus or not.
What Is a False Positive Exactly?
A false positive is when your virus scanner detects a file as a virus even though it really isn’t one, and then tries to quarantine or delete that file. If you’ve read about the recent McAfee fiasco, you’ll begin to see the problem: they released a virus definition update that falsely detected internal Windows files as malware, deleted them, and then suddenly Windows couldn’t boot anymore. Antivirus software is not perfect.
Some virus scanners also employ an additional line of defense called heuristic analysis, which attempts to identify new forms of malware right away by scanning for smaller sections of code that might indicate bad behavior, even if the virus has never been seen before. Unfortunately, because this method is not exact, it will also incorrectly flag a lot of legitimate files as viruses.
Check for False Positives
Whenever there’s a possibility that a file you’ve downloaded might contain a virus, the first thing you should do is upload it to online virus scanning service VirusTotal, which instantly scans the file against 40 different antivirus engines at the same time, and gives you the results.
You can use the VirusTotal Uploader to instantly scan any file via your right-click context menu. VirusTotal Uploader will upload any file you choose directly to the VirusTotal web site and run the scan without you having to hassle with annoying web upload forms. Even better, most of the time you don’t even have to wait for the file to upload, since before uploading, the app checks your file’s hash against their database, so if they’ve already checked that file, you’ll get instant results.
You’ll sometimes find that files are caught as viruses by just a single virus scanner out of the 40, which is a good sign that you’re dealing with a false positive from one of the more aggressive virus scanners. It should be noted that VirusTotal is not a replacement for using your favorite antivirus application, which offers real-time protection against a variety of attack vectors—but it is a strong supplement.
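The two ideas above, looking a file up by its hash before uploading it and then judging how many of the engines flagged it, can be scripted. The following is an added example, not code from the article or from VirusTotal; the v3 lookup URL and the shape of the per-engine results are assumptions, and the 40-engine sample report is constructed.

```python
"""Hash a download and triage a VirusTotal-style report (added example, constructed data)."""
import hashlib
from typing import Dict, List, Tuple

# Assumed VirusTotal v3 lookup endpoint: querying by hash avoids uploading the file
# at all if VirusTotal has already scanned an identical copy.
VT_FILE_LOOKUP = "https://www.virustotal.com/api/v3/files/{sha256}"

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def file_sha256(path: str) -> str:
    """Hash in chunks so a large download is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def lookup_url(sha256: str) -> str:
    return VT_FILE_LOOKUP.format(sha256=sha256)

def summarize(results: Dict[str, dict]) -> Tuple[int, int, List[str]]:
    """Return (engines flagging, engines total, names of flagging engines).
    Each entry is assumed to look like VirusTotal's per-engine result:
    {"category": "malicious" | "suspicious" | "undetected" | ..., "result": str | None}."""
    flagging = sorted(name for name, r in results.items()
                      if r.get("category") in ("malicious", "suspicious"))
    return len(flagging), len(results), flagging

def verdict(flagged: int, total: int, threshold: float = 0.1) -> str:
    """The article's rule of thumb: one engine out of 40 hints at a false positive
    from an aggressive scanner; broad agreement across engines does not."""
    if total == 0:
        return "no-data"          # not in VirusTotal yet: upload it before deciding
    if flagged == 0:
        return "clean"
    if flagged / total <= threshold:
        return "likely-false-positive"
    return "likely-malicious"

# Constructed sample report: 40 engines, only one heuristic engine fires.
SAMPLE_RESULTS = {f"Engine{i:02d}": {"category": "undetected", "result": None} for i in range(39)}
SAMPLE_RESULTS["HeuristicAV"] = {"category": "suspicious", "result": "Heur.Generic"}

if __name__ == "__main__":
    flagged, total, names = summarize(SAMPLE_RESULTS)
    print(f"{flagged}/{total} engines flagged it ({names}) -> {verdict(flagged, total)}")
```

A hash lookup only helps when the file is byte-for-byte identical to one VirusTotal has already seen; a freshly built or repacked download will not match and has to be uploaded.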
Ask the Developer
You’d be surprised to find out just how easy it is to get in touch with some developers. Other developers—who aren’t also sorting through hundreds of other tips emails every day—are probably even easier to get a hold of, and if they’re legit, they care a great deal about what antivirus apps are saying about their software and will do whatever it takes to help. Again, you shouldn’t necessarily trust everything said developer has to say, but if a developer is easy to contact, chances are they’re making legit apps. It’s the developers who are impossible to get a hold of that are a little more worrisome.
Use Your Judgment
If your antivirus software is telling you that a file contains a virus, you shouldn’t blindly assume that you’re dealing with a false positive; use that opportunity to ask yourself if you really need to install that application. If you do, make sure to check with VirusTotal first, make sure the download is from a reputable place, and then make that judgment call on your own.