When an antivirus scanner labels a legitimate file as malware, this is called a “false positive”. Firewalls and anti-phishing protections can also raise false positives, at the network and browser level respectively (a blocked connection to a harmless server, or a warning on a legitimate site).
As annoying as false positives are, a scanner that errs on the side of flagging is safer than one that misses malicious files. So, when your internet security software flags a file, there are a few things you can do to find out whether the flagged file is legitimate or malicious, including:
- Using a search engine.
- Using a third-party malware database.
- Double-checking using another antivirus.
- Chatting with customer support/check your software’s knowledge base.
- Investigating the file on your device.
False positives are an unfortunate side effect of antivirus protection, but if your antivirus software returns an annoying number of false positives during scans, you may need to adjust your scan settings, or even consider switching to a different antivirus.
What Are False Positives?
False positives happen when an antivirus program flags a legitimate piece of software as malware. While some antiviruses raise fewer false positives than others, no antivirus program is 100% immune to them.
Antivirus programs use fairly broad criteria for deciding whether or not a file is safe. For instance, some antiviruses may flag third-party password managers because they drop executable components, hook into browsers, and write registry entries, which overlaps with what rootkits and cryptojackers do when they install themselves.
Some antiviruses also raise false alarms on devices that use third-party network drivers to filter web traffic. Several virtual private networks (VPNs) install such a driver (for example, a virtual network adapter for the tunnel or a filter driver for a kill switch), and as a result virus scanners may treat the VPN’s driver or installer as suspicious and block it from loading.
There are several reasons why false positives occur, depending on the type of malware scanner you’re using and the type of file that’s flagged. Here are the common detection methods used by malware scanners, and why each can return a false positive after a scan:
- Signature-based. Signature-based scanners compare the files on your disk against a database of known malware and flag/quarantine files that match a known “signature”. A signature is a pattern taken from a known malicious sample, such as a hash of the whole file or a distinctive byte sequence inside it. A whole-file hash rarely misfires, but a byte sequence can turn up in a legitimate program as well as a malicious one, for instance when both were built with the same compiler, packer, or library.
- Heuristics. Heuristic scanners look for suspicious characteristics rather than exact matches, so they can spot new threats and modified versions of known ones. The scanner examines things like the file’s structure, the strings and API calls it contains, and whether it is packed or obfuscated, and assigns a score; if the score crosses the vendor’s threshold, the file is flagged as a possible threat. This catches new malware variants, but legitimate software that is packed or does something unusual can cross the threshold too.
- Behavior analysis. Behavioral detection (often backed by machine learning) judges a file by what it does when it runs rather than by what its code looks like: writing into other processes, capturing keystrokes, adding itself to startup, or opening network connections. This is especially helpful for detecting new malware that isn’t in any database yet, but legitimate programs are sometimes flagged for doing exactly these things. Keyloggers, networking applications, product key finders, and similar software are often flagged as malware because they behave like common malware families.
- PUP blockers. Many adware and spyware blockers flag ad-supported software and bundleware. If the software you’re trying to download runs ads, offers to install other third-party programs, or tries to install a toolbar in your browser, there is a high chance it’ll be flagged as a potentially unwanted program (PUP), even if it is safe and legitimate.
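To make the signature point above concrete, here is a small PowerShell demonstration (added for this article; it is not code from any antivirus vendor). It writes two constructed sample files to a temp folder, one standing in for malware and one for a harmless networking tool, and runs two toy “signatures” over them: a byte-pattern signature and a whole-file SHA-256 signature. The pattern string and the file contents are made up for the demo.

```powershell
# Added example, not from the original article: why a byte-pattern signature
# can match a legitimate file while a whole-file hash signature cannot.
# Both "files" below are constructed in a temp folder purely for the demo.

$work = Join-Path ([System.IO.Path]::GetTempPath()) ("fp-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

# A byte pattern that a (hypothetical) malware family embeds, but which also
# appears in an unrelated legitimate tool, e.g. a shared helper string.
$sharedPattern = 'GetProcAddress(LoadLibraryA("ws2_32.dll")'

$malicious  = Join-Path $work 'dropper.bin'
$legitimate = Join-Path $work 'nettool.bin'
[IO.File]::WriteAllText($malicious,  "junk... $sharedPattern ...send everything to c2", [Text.Encoding]::ASCII)
[IO.File]::WriteAllText($legitimate, "help text... $sharedPattern ...usage: nettool <host>", [Text.Encoding]::ASCII)

# Pattern signature: substring match over the raw bytes.
# Latin-1 (code page 28591) maps 1 byte to 1 char, so no bytes are lost.
function Test-PatternSignature($path, $pattern) {
    $latin1 = [Text.Encoding]::GetEncoding(28591)
    $text = $latin1.GetString([IO.File]::ReadAllBytes($path))
    return $text.Contains($pattern)
}

# Hash signature: exact SHA-256 of a sample the vendor has already analysed.
$knownBadHashes = @( (Get-FileHash -Path $malicious -Algorithm SHA256).Hash )
function Test-HashSignature($path, $badHashes) {
    $h = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    return ($badHashes -contains $h)
}

foreach ($f in $malicious, $legitimate) {
    [pscustomobject]@{
        File    = Split-Path $f -Leaf
        Pattern = Test-PatternSignature $f $sharedPattern   # True for BOTH files: nettool.bin is a false positive
        Hash    = Test-HashSignature $f $knownBadHashes     # True only for dropper.bin
    }
}

Remove-Item -Recurse -Force $work
```

The trade-off is the one the list describes: the hash signature never misfires on nettool.bin, but it also stops matching the moment the malware changes a single byte, which is why vendors rely on looser patterns and heuristics as well, and why those occasionally hit legitimate software.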
How to Know the Difference Between an Actual Virus and a False Positive
When your antivirus flags a file as malware, it usually quarantines it rather than deleting it immediately. You should be able to view the quarantined file from the “Quarantine” section of your antivirus, which shows the file’s name, the name of the detection, and usually where the file was found on your disk. Using this information, there are several things you can do to determine whether your antivirus has quarantined a malware file or a useful one.
- Run a quick Google search. Start by searching for the file name and the detection name your antivirus reported, and look for reviews, community posts, and forum threads. If other users report that the software is malicious, treat the detection as real. Be careful with the opposite conclusion: no results does not mean the file is clean, because new, rare, or targeted malware has no reviews. Treat silence as “unknown” and move on to the checks below.
- Check your antivirus for updates. If your antivirus isn’t set to update automatically, you could be seeing an alert that the vendor has already corrected in a newer definitions release. Update your antivirus, then run the scan one more time.
- Cross-check using VirusTotal. Another excellent way to validate a suspected false positive is the VirusTotal website, where you can upload the file/program or paste a direct link to its online source. VirusTotal is a free service that scans submissions with more than 70 antivirus engines (including many of the scanners on our top 10 antivirus software list) and shares the results with the antivirus industry, which helps vendors gather data about malware that’s still out there. Before uploading, search VirusTotal for the file’s SHA-256 hash instead: if someone has already submitted the file you get the verdict without sharing it, which matters for confidential documents or internal tools, since uploaded files are made available to vendors and researchers. If only one or two engines flag the file and the rest don’t, it’s probably a false positive; if many engines agree, treat it as malware.
- Get rid of PUPs. If your antivirus keeps flagging bundled programs that seem legitimate, you can either use your antivirus’s disk cleanup utility (I really like TotalAV’s junk file and PUP cleaner), or head over to ShouldIRemoveIt.com and download the free tool. This tool scans installed programs and suggests whether they should be uninstalled, color-coding each program (red means potentially risky applications, green means safe).
- Use the antivirus’s knowledge base/customer support. Visit the program’s official website and community forums to check whether other users are facing similar problems. There are usually developers and IT people who can answer questions in these forums. You can also call, live chat, or email your antivirus’s support team. Norton 360 has one of the largest knowledge bases of any antivirus, as well as an excellent phone support and live chat team.
- Review the flagged files on your device. When an antivirus flags a suspicious program, it provides details about the file, including the detection name, which tells you what kind of malware it was matched against. Ideally, when your antivirus detects a potentially dangerous file, you should get a notification, and clicking on the notification should take you to the file’s location. If this doesn’t happen, you can locate the file manually on your Windows device:
- Open File Explorer (Windows + E).
- Select “This PC”.
- Locate the file using the Search bar, or browse to “Windows (C:) > Program Files” or “Program Files (x86)”.
- Right-click the file and select “Properties > Digital Signatures” to check its publisher. If the Digital Signatures tab is missing, the file is unsigned. Files that carry a valid signature from a well-known publisher (Microsoft, Google, etc.) are usually safe, though a signature only tells you who signed the file, not that it is harmless. A signature from an unknown entity, or one that Windows reports as invalid, should be cross-checked on the internet.
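The manual checks above (hash for a VirusTotal lookup, digital signature, publisher, location) can be collected in one go from PowerShell. The script below is an added example for this article, not a tool from any antivirus vendor; the `$FlaggedPath` default is a made-up example path that you replace with the path shown in your antivirus’s quarantine details.

```powershell
# Added example, not from the original article: gather the facts you need
# to triage a flagged file before deciding it is a false positive.
# $FlaggedPath is an assumed example path; replace it with the path your
# antivirus shows in its quarantine/detection details.
param([string]$FlaggedPath = 'C:\Program Files\ExampleTool\exampletool.exe')

if (-not (Test-Path -LiteralPath $FlaggedPath)) { throw "Not found: $FlaggedPath" }
$item = Get-Item -LiteralPath $FlaggedPath

# 1. Hash first, so you can look the file up on VirusTotal WITHOUT uploading it.
#    Uploads are shared with vendors and researchers: do not upload confidential files.
$sha256 = (Get-FileHash -LiteralPath $FlaggedPath -Algorithm SHA256).Hash
$vtUrl  = "https://www.virustotal.com/gui/file/$($sha256.ToLower())"

# 2. Authenticode signature: who signed the file and whether the chain validates.
#    Status values include Valid, NotSigned, HashMismatch and NotTrusted.
$sig    = Get-AuthenticodeSignature -LiteralPath $FlaggedPath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

# 3. Embedded version info: the claimed publisher and product. This is trivial
#    to forge, so treat it as a lead, not as proof.
$vi = $item.VersionInfo

# 4. Location and timestamps: a "system" file sitting in Temp or AppData, or
#    created minutes ago, deserves more suspicion than one in Program Files.
[pscustomobject]@{
    Path             = $item.FullName
    SizeBytes        = $item.Length
    Created          = $item.CreationTime
    LastWritten      = $item.LastWriteTime
    SHA256           = $sha256
    VirusTotalLookup = $vtUrl
    SignatureStatus  = $sig.Status
    Signer           = $signer
    CompanyName      = $vi.CompanyName
    ProductName      = $vi.ProductName
    FileVersion      = $vi.FileVersion
} | Format-List
```

Read the output in that order: a hash that VirusTotal already knows settles most cases without an upload; a valid signature from the publisher you expected is strong evidence the file is what it claims to be; an unsigned or invalidly signed file in an odd location is the case to take to your vendor’s support or to submit for analysis.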
What Should You Do If You Detect a False Positive?
If you’ve performed all of the steps above and are still convinced that your antivirus has raised a false positive, you should whitelist the file so that it’s no longer flagged during antivirus scans. Every antivirus is a little different, but the process should go something like this:
- Find the “Whitelist” sub-menu. Note that different antiviruses use different terminology, such as “Allowed Lists”, “Exceptions”, or “Exclusions”. It could be in the scanner window, in the quarantine folder, in the antivirus settings, or elsewhere, depending on your antivirus.
- Add the file that is showing up as a false positive to the list of whitelisted files. Depending on the antivirus vendor, you may be asked for the file’s full path, which you can copy from File Explorer. Whitelist the individual file rather than the folder it sits in wherever possible: an excluded folder is never scanned, so anything dropped into it later (by malware included) is skipped too.
- Save the whitelist and restart the antivirus program.
- Run a quick scan to confirm the program/file is no longer flagged.
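Here is the same procedure for one specific product, Microsoft Defender Antivirus, which exposes its “exclusions” through PowerShell. This is an added example for this article, not vendor documentation; `$Target` is a made-up example path, and the commands need an elevated (Administrator) PowerShell session.

```powershell
# Added example, not from the original article: the generic whitelisting steps
# above, done for Microsoft Defender Antivirus from an elevated PowerShell.
# $Target is an assumed example path; replace it with the flagged file.
param([string]$Target = 'C:\Program Files\ExampleTool\exampletool.exe')

if (-not (Test-Path -LiteralPath $Target)) { throw "Not found: $Target" }

# Exclude the single file, not its whole folder: anything later dropped into
# an excluded folder (by malware included) would be skipped as well.
Add-MpPreference -ExclusionPath $Target

# Confirm the exclusion was actually saved.
$current = (Get-MpPreference).ExclusionPath
if ($current -notcontains $Target) { throw "Exclusion was not saved: $Target" }

# Re-scan just that path to verify it is no longer flagged.
Start-MpScan -ScanType CustomScan -ScanPath $Target

# Show any recorded detections that mention this file, for context.
# No output here means Defender has nothing on record for it.
$leaf = Split-Path $Target -Leaf
Get-MpThreatDetection |
    Where-Object { $_.Resources -like "*$leaf*" } |
    Select-Object DetectionID, InitialDetectionTime, ThreatID, Resources

# Once the vendor has corrected the false positive in a definitions update,
# remove the exclusion again so the file is covered by future scans:
# Remove-MpPreference -ExclusionPath $Target
```

Keep the last step in mind for every product, not just Defender: an exclusion is a permanent blind spot, so remove it once the vendor has fixed the detection.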
In addition to this, you should also submit a sample to your antivirus vendor for re-analysis if you believe that some files or programs are incorrectly flagged; most vendors have a false positive submission form for exactly this.
You should also notify the developer of the flagged program that your antivirus is treating their product as malware. You may need to share screenshots and the detection name so the developers can identify the cause and work with the antivirus vendor to get the detection corrected, or release an updated build that no longer triggers it.
Frequently Asked Questions about Antivirus False Positives
What are antivirus false positives?
A false positive occurs when an antivirus mistakenly labels a secure file as malware. There can be several reasons why different antivirus scanners treat different legitimate programs and files as threats, depending on whether the scanners are signature-based, heuristics-based, or use behavior analysis for malware detection.
Unfortunately, no antivirus program is immune to false positives. Still, based on my own test results, Norton returns very few false positives while still maintaining a 100% malware detection rate.
Why do antiviruses raise false positives?
Hackers are constantly developing new malware, and antivirus companies are in a constant race with hackers to develop methods of detection that can catch these new threats. Antivirus developers have created innovative scanning tools that detect and block innovative malware files, but no tool is perfect — and mistakes are bound to happen.
Advanced antivirus programs like Norton, McAfee, and Bitdefender all use a combination of signature-based scanning, heuristic analysis, and machine learning to detect malware files — they may occasionally flag a false positive, but they’re also at the forefront of malware detection, blocking zero-day threats that can sneak past built-in scanners like Windows Defender.
How to tell if your antivirus is identifying false positives or real viruses?
There are a few steps you can take when trying to determine if a flagged file is malware, such as updating your antivirus, contacting your antivirus’s customer support team, or doing a Google search to see what other people are saying about the file in question.
How to prevent an antivirus from flagging legitimate programs as false positives?
If you’re 100% sure that the file or program being flagged is safe, you should try “whitelisting” it from your antivirus’s settings. Depending on the vendor, the option may be called something different. Either in the settings, quarantine menu, or the scanner window, you should be able to locate the option that says “whitelist”, “exceptions”, “allowed lists”, or something similar. Once you find it, add the false positive to the list and click on save. You can then run a quick scan to make sure the false positive isn’t being flagged anymore.
If you’re using a buggy antivirus program that constantly issues false positives, it’s probably time to choose a better antivirus solution. All of the programs on our list of the top 10 antiviruses in 2022 are highly secure, have perfect or near-perfect malware detection rates, and return a minimal number of false positives during scans.