
When we install an antivirus on our computer, we do so expecting it to take charge of the PC's security, detecting any possible threat and removing it before it is too late. In addition to huge signature databases, antiviruses use heuristic systems that analyze the behavior of files and can detect malware that has never been seen before. However, these intelligent analysis systems can also detect threats where there are none and flag files that are actually trustworthy as dangerous. This is what is known as a false positive.
What is a false positive in an antivirus
As the name suggests, a false positive occurs when an antivirus has decided that a legitimate and reliable file is a threat, and has therefore blocked, quarantined or deleted it.
All antiviruses are prone to generating more or fewer false positives, although how many depends largely on the quality of their programming and of their heuristic scan engines. Some antiviruses, such as Windows Defender, Avira or Kaspersky, tend to give users very few false positives because their heuristics are less strict, while Avast, AVG, Trend Micro or Panda generate a worrying number of them, according to the latest AV-Comparatives tests, because they are much stricter.
The occasional false positive is not in itself a bad sign; an antivirus that never raises one is probably also missing real threats. The security company has to tune the heuristics of its products so that they are strict enough to keep hidden threats out, but not so strict that they flood the user with bogus alerts.
What causes them
There are many causes of false positives. The most common are:
- The use of compilers, compressors and packers that are also popular with malware authors. Developers use these packers to protect their software, but attackers use them to hide theirs. For this reason, it is common for an antivirus to flag executables built with this type of tool as possible threats.
- Installers that bundle advertising or sponsored programs can also be flagged by security software as adware or potentially unwanted programs (PUPs).
- Programs that make changes to the system. Since viruses usually modify system files (especially DLL libraries), a program that tries to modify them, even a reliable one, will be picked up by the heuristic systems for suspicious behavior and therefore reported, producing a false positive.
- The use of very strict heuristics. Antiviruses usually have several heuristic levels. The more permissive the level, the less likely it is to detect a threat that is trying to sneak onto the PC; the stricter we configure it, the more false positives we will get.
- Hacking tools usually set off antivirus alarms, even when they are legitimate programs that we are running ourselves. The reason is simple: the security program cannot tell whether we are running them or whether they are part of an attack on the computer. And, when in doubt, it is better to block.
- Activators, key generators and pirated software in general. This type of content very often hides threats. Whether because it modifies system files, because it has been packed with tools common among attackers, or because it really does hide malware, it almost always sets off the security software's alarms.
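Why packed executables trip heuristics, as an added example that is not part of the original article: packers compress or encrypt the program's code, so the packed section has a near-random byte distribution, and many engines treat a high-entropy code section as one packer indicator. The Python below computes Shannon entropy per section and applies a threshold of 7.0 bits per byte; the threshold, the section names and the sample data are assumptions constructed for this example, not a vendor's actual setting or real files.

```python
import math
import random
from collections import Counter

# Assumed threshold for this example (the maximum possible is 8.0 bits/byte).
# Real engines combine entropy with other signals (few imports, odd section
# names, a tiny entry-point stub); entropy alone is only one indicator.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(section: bytes,
                 threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """Heuristic: a section whose bytes are nearly uniformly distributed is
    probably compressed or encrypted, which is how a packer leaves it."""
    return shannon_entropy(section) >= threshold


def classify_sections(sections: dict) -> dict:
    """Label each named section 'packed' or 'plain' (names are illustrative)."""
    return {name: ("packed" if looks_packed(data) else "plain")
            for name, data in sections.items()}


# Constructed samples, not real PE sections.
# Plain code/data, modelled here as ASCII-heavy bytes, has a skewed byte
# distribution and therefore low entropy.
PLAIN_SECTION = b"This program cannot be run in DOS mode.\r\n" * 400
# A packed section looks like compressed or encrypted data; it is modelled
# with a seeded PRNG so the example is deterministic.
_rng = random.Random(2024)
PACKED_SECTION = bytes(_rng.getrandbits(8) for _ in range(65536))

SAMPLE_SECTIONS = {".text": PLAIN_SECTION, ".data": PACKED_SECTION}

if __name__ == "__main__":
    for name, data in SAMPLE_SECTIONS.items():
        print(f"{name:6s} entropy={shannon_entropy(data):.3f} "
              f"-> {classify_sections({name: data})[name]}")
```

This is also why the same engine that ignores a plain build will flag the UPX-style packed build of the very same program: the heuristic sees only the byte distribution, not the author's intent.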

What are the dangers of a false positive?
Normally a false positive protects us against a possible threat, since the antivirus blocks when it is not sure that something is really reliable. However, sometimes these false positives can also be a problem for our computer.
The first thing to keep in mind is that, if an antivirus detects a possible threat in a file, we should not unblock it unless we are 100% sure that it is a reliable file. It may happen that we have downloaded a game or program from the Internet illegally and our software has flagged it as a threat. However much the download site advises us to allow it, it is better not to, since we do not know whether an attacker is trying to deceive us.
In addition, it can happen that our security program flags programs that are trustworthy as possible threats, either because of how they work internally or because of a problem with the program's digital signature that sets off the heuristic systems' alarms. This has already happened with programs such as CCleaner, IObit or uTorrent, which have been marked as threats by some antiviruses.

In the worst case, a faulty detection update may cause the engine to flag DLL or executable files belonging to programs, or to Windows itself, as suspicious and quarantine them. This has happened on occasion, and the consequences can be catastrophic, in the worst case requiring Windows to be reinstalled from scratch. Fortunately, this type of problem is not very common.
How to deal with them
If our security program has blocked a file that we have downloaded from the Internet, whether an executable or a DLL library, the first thing we must do is ask ourselves: is it really reliable? If we downloaded it from the developer's website or from its official GitHub repository, probably yes. Even so, before unblocking it, we must make sure 100% that it is indeed legitimate: check that its digital signature is valid and belongs to the developer, and compare its hash with the one the developer publishes, if they publish one.
We can also turn to a second antivirus for a second opinion on the file. For example, we can submit the file to VirusTotal, which checks it with more than 50 antivirus engines at once. A practical caveat: anything uploaded to VirusTotal is shared with the participating vendors and other subscribers, so for a confidential file it is better to first search by its SHA-256 hash, which does not expose the file's contents. If several antiviruses detect a threat, something is hidden; if only one or two flag it, a false positive is likely, but it is still worth checking.
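A hash-first VirusTotal check, as an added example that is not code from the original article or from VirusTotal: it computes the file's SHA-256, queries the public v3 API by hash so the file itself is never uploaded, and summarises the per-engine counts in the response into a verdict. The API key is expected in the VT_API_KEY environment variable, the verdict thresholds are assumptions chosen for this example, and the sample response is constructed, not real data.

```python
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

# VirusTotal v3 file object lookup by hash; a 404 means the hash is unknown.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

# Assumed for this example: this many 'malicious' verdicts is treated as a
# consensus rather than a stray heuristic hit from one or two engines.
MALICIOUS_CONSENSUS = 3


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file so a large installer does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def stats_from_response(body: dict) -> dict:
    """Pull the per-engine tallies (last_analysis_stats) out of a v3 file object."""
    return body["data"]["attributes"]["last_analysis_stats"]


def verdict(stats: dict, consensus: int = MALICIOUS_CONSENSUS) -> str:
    """Turn the engine tallies into a decision about the blocked file."""
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    scanned = (malicious + suspicious
               + stats.get("undetected", 0) + stats.get("harmless", 0))
    if scanned == 0:
        return "no data"
    if malicious >= consensus:
        return "likely malicious"
    if malicious + suspicious > 0:
        return "possible false positive: verify signature before unblocking"
    return "clean"


def lookup_hash(sha256: str, api_key: str) -> Optional[dict]:
    """Query VirusTotal by hash only; returns None if the hash is unknown."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return stats_from_response(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


# Constructed sample of the relevant part of a v3 response (not real data):
# two engines flag the file, the rest do not.
SAMPLE_RESPONSE = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 0, "malicious": 2, "suspicious": 0,
    "undetected": 68, "timeout": 0, "type-unsupported": 0}}}}

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    if len(sys.argv) != 2 or not key:
        sys.exit("usage: VT_API_KEY=... python vt_check.py <file>")
    digest = sha256_of_file(sys.argv[1])
    stats = lookup_hash(digest, key)
    print(digest, "->",
          "unknown to VirusTotal" if stats is None else verdict(stats))
```

If the hash is unknown, nobody has submitted that file before, and only then do we need to decide whether uploading it is acceptable. The "possible false positive" branch is exactly the CCleaner or uTorrent situation: one or two engines fire while the rest stay silent, and the file still deserves a signature check before it is allowed.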
How to avoid false positives
There are only two ways to avoid these false alerts. The first is to make sure we always download known and trustworthy software and files. The most common programs are usually on the antivirus's whitelist, so the alarms do not go off with them.
The second way is to reduce the sensitivity of the heuristic analysis. In the settings of some of these programs (not all) we can lower this sensitivity. The lower the sensitivity, the fewer false positives we will get, but in return we may miss unknown threats. This setting must be used with great caution.