The Anti-virus Times

Wednesday, July 3, 2024

Antivirus software developers are constantly updating their products and introducing new malware-detection and behaviour-analysis technologies. However, even the most sophisticated antiviruses sometimes falter and false positives occur. In this publication, we will look at the underlying causes and consequences of such errors and talk about how to minimise them.

What is a false positive?

An antivirus false positive is a situation when a legitimate program or a safe file is mistakenly identified as malicious. This may happen for different reasons, but the outcome is always the same: the user receives a threat warning even though the threat is not really there.

A false positive vs. a detection failure

Is there a way to achieve a perfect balance between a false positive (when an antivirus regards a safe file as a threat) and a detection failure—when an actual threat remains undetected? This dilemma makes antivirus software development and maintenance a challenging task that requires security technologies to constantly evolve. Doctor Web is constantly improving its threat detection routines to reduce the likelihood of both false positives and detection failures and ensure reliable and error-free protection from cyber threats.

About the antivirus scanner and how it works

After receiving a file that contains malicious code or a program that can harm a computer, Doctor Web's antivirus laboratory creates a unique signature for it and adds that signature to the virus database.

When examining a file on a computer, Dr.Web first determines whether the file can be accessed and used. If the file is unusable (corrupted, compressed or packed incorrectly), our engine won't examine it. Antiviruses from certain vendors will look for a matching signature anyway—if a match is found, the user will end up with a broken file being detected as a threat.

If the file appears to be healthy, the antivirus starts searching for known virus signatures. If there are no matches, the file is considered clean. This threat detection method is called signature-based analysis.

Heuristic analysis, on the other hand, enables the antivirus to expose malware by its less obvious properties. If the probability of malicious code being present in a specific file is above a certain score defined in the settings (for example, 50%), the antivirus regards the file as dangerous and will either block or delete it.

Heuristic analysis was designed to identify new threats. Errors causing false positives occur in situations when a file contains a code section or uses certain routines that are typical of malware. In other words, when the code of an examined file is similar to the code of a virus.

Behavioural analysis is yet another method for detecting malware. It allows the antivirus to identify threats, even if they are trying to hide by employing sophisticated detection evasion techniques: packers or crypters. Malware that mimics the actions of running programs—such as various installers—exposes itself by behaving suspiciously. If a program's actions are similar to malware activity, the behavioural analyser will block them.

Some applications may exhibit suspicious activity that may cause the antivirus to mistakenly identify them as a potential threat. For example, video games that rely on their own protection and anti-cheat tools can trigger a false positive by the behavioural analyser. A user can resolve an issue of this kind by contacting our support service.

Eliminating false positives

Is there a way to safely determine whether a file actually contains malicious code or is merely a false positive? Sending the file to the vendor's laboratory for analysis is a viable option. The antivirus laboratory will conduct a thorough examination of the submitted sample. If the detection is deemed a false positive, the antivirus will get updated to rule out the possibility of similar errors in the future.

You can report a suspected Dr.Web false positive via the special form on our website (the request category "False positive").