VirusTotal tackles false positive malware detections plaguing antivirus and software vendors
- 13 February, 2015 02:25
VirusTotal, a Google-owned online malware scanning service, is creating a whitelist of products from large software vendors to reduce bad detections by antivirus programs.
False positive detections are common in the antivirus industry. They occur when a benign program is wrongfully flagged as malicious due to an overly broad detection signature or algorithm used in an antivirus product.
VirusTotal, which scans suspicious files uploaded by users with products from 48 antivirus vendors, invited large software makers Tuesday to add metadata about their products' files to a new database maintained by the company.
If a file that's later uploaded by users to be scanned with VirusTotal is in that database, the scan report will display a "trusted source" alert. If any antivirus products flagged the file as malicious during the scan, their detections will be considered false positives and will not be counted toward the final detection score. Vendors of the products that flagged the file as malware will be notified so that they can correct the error.
Sometimes false positive detections have serious consequences, like the deletion of critical system files or the blocking of popular websites and when that happens, they are usually reported on technology news sites, blogs and tech support forums.
However, lower impact cases of wrongful detection occur all the time. They don't get the same visibility as the critical ones, but many users, including this reporter, have been in situations like this one:
They download a program from a legitimate source and attempt to install it, only to be stopped by an alert from their antivirus program saying it's potentially malicious. Trying to get a second opinion, they upload the file to VirusTotal and they get a report with detections by only a handful of antivirus engines.
Are those detections false positives? Or is the malware sample new and therefore detected only by a small number of antivirus products? It's hard to tell, and there are additional factors that further complicate things.
For example, some antivirus products share the same detection engine or malware signatures. This is the result of inter-vendor partnerships that regular users are often unaware of. So what appears as a malware detection by three separate products in VirusTotal could actually be the result of a single bad signature shared by all of them.
Relying on things like digital signatures to verify a file's authenticity is not sufficient either, because not all legitimate files are signed and there have been cases of malware programs being digitally signed with certificates stolen from legitimate developers.
False positives are also a headache for antivirus vendors and software developers, not just for users. In the case of bad detections that have a widespread impact, antivirus vendors will have to deal with a surge in technical support calls and even bad press.
For software developers it can be stressful to track down the appropriate contacts at different antivirus firms spread around the globe and then to convince them to fix a false positive detection. Some developers might not even be aware for days or weeks that their products are wrongfully detected as malware, which can lead to loss of potential customers.
With VirusTotal's new trusted source feature, antivirus vendors can be notified even before the affected software maker learns of the problem.
So far, VirusTotal has worked with Microsoft to add metadata for the company's files to the database and the effort has already paid off.
In a single week, over 6,000 false positive detections have been identified, reported and fixed, said Emiliano Martinez, a software engineer at VirusTotal in a blog post. "We are looking to grow our collection of trusted software; if you happen to be a very large software development company you might want to contact us in order to share this data and help us mitigate the issue of false positives."