Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

VirusTotal tackles false positive malware detections plaguing antivirus and software vendors

Lucian Constantin | Feb. 13, 2015
VirusTotal, a Google-owned online malware scanning service, is creating a whitelist of products from large software vendors to reduce bad detections by antivirus programs.

VirusTotal, a Google-owned online malware scanning service, is creating a whitelist of products from large software vendors to reduce bad detections by antivirus programs.

False positive detections are common in the antivirus industry. They occur when a benign program is wrongfully flagged as malicious due to an overly broad detection signature or algorithm used in an antivirus product.

VirusTotal, which scans suspicious files uploaded by users with products from 48 antivirus vendors, invited large software makers Tuesday to add metadata about their products' files to a new database maintained by the company.

If a file that's later uploaded by users to be scanned with VirusTotal is in that database, the scan report will display a "trusted source" alert. If any antivirus products flagged the file as malicious during the scan, their detections will be considered false positives and will not be counted toward the final detection score. Vendors of the products that flagged the file as malware will be notified so that they can correct the error.

Sometimes false positive detections have serious consequences, like the deletion of critical system files or the blocking of popular websites and when that happens, they are usually reported on technology news sites, blogs and tech support forums.

However, lower impact cases of wrongful detection occur all the time. They don't get the same visibility as the critical ones, but many users, including this reporter, have been in situations like this one:

They download a program from a legitimate source and attempt to install it, only to be stopped by an alert from their antivirus program saying it's potentially malicious. Trying to get a second opinion, they upload the file to VirusTotal and they get a report with detections by only a handful of antivirus engines.

Are those detections false positives? Or is the malware sample new and therefore detected only by a small number of antivirus products? It's hard to tell, and there are additional factors that further complicate things.

For example, some antivirus products share the same detection engine or malware signatures. This is the result of inter-vendor partnerships that regular users are often unaware of. So what appears as a malware detection by three separate products in VirusTotal could actually be the result of a single bad signature shared by all of them.

Relying on things like digital signatures to verify a file's authenticity is not sufficient either, because not all legitimate files are signed and there have been cases of malware programs being digitally signed with certificates stolen from legitimate developers.

False positives are also a headache for antivirus vendors and software developers, not just for users. In the case of bad detections that have a widespread impact, antivirus vendors will have to deal with a surge in technical support calls and even bad press.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.