Saturday 28 February 2015

Stop your anti-virus blocking safe software


Over-vigilant security software sometimes flags harmless files as malware. Jonathan Parkyn explains what you can do to identify, prevent and report false positives.

Scan the suspicious file using VirusTotal


No security software is 100-per-cent foolproof, so a second opinion is always useful, particularly if you’re not sure whether a download is genuinely malicious or not. VirusTotal (www.virustotal.com) doesn’t just give you a second opinion, it gives you more than 50, by running your file through multiple anti-virus engines, including big names such as Symantec, Bitdefender, Sophos, McAfee and Kaspersky. Best of all, this simple but powerful online tool is completely free and you don’t need to register with VirusTotal to use it.


Click the Choose File button to upload a suspicious file from your PC, then click ‘Scan it’ to see the results. Currently, the only limitation on a file is its size, which needs to be smaller than 128MB.

If you use Firefox, you can install VirusTotal’s add-on VTzilla (bit.ly/vtzilla365) to analyse downloads from your browser before they get anywhere near your PC. Just right-click a download link and choose ‘Scan with VirusTotal’ or click the toolbar button to scan the current page for malware.

Chrome users can install VTchromizer (bit.ly/vtchromizer365), which works in the same way.
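To read a multi-engine result as a genuine second opinion, the useful question is whether your own anti-virus is the only engine raising the alarm. The Python sketch below is an added example, not part of the original article or VirusTotal's own code: it checks the 128MB limit mentioned above, fingerprints the file with SHA-256 so you can quote the exact build when reporting it, and tallies a report laid out like VirusTotal's API v3 file report. The sample report, the engine name ExampleAV and the detection label are constructed for illustration.

```python
import hashlib
import json

# Upload limit quoted in the article; 128MB is assumed here to mean 128 * 1024 * 1024 bytes.
VT_MAX_BYTES = 128 * 1024 * 1024

# Constructed sample in the shape of a VirusTotal API v3 file report
# (data.attributes.last_analysis_results). Verdicts and "ExampleAV" are invented.
SAMPLE_REPORT = json.dumps({"data": {"attributes": {"last_analysis_results": {
    "Symantec":    {"category": "undetected", "result": None},
    "Bitdefender": {"category": "undetected", "result": None},
    "Sophos":      {"category": "undetected", "result": None},
    "McAfee":      {"category": "undetected", "result": None},
    "Kaspersky":   {"category": "undetected", "result": None},
    "ExampleAV":   {"category": "malicious",  "result": "Gen:Heur.Example.1"},
}}}})


def sha256_of(data: bytes) -> str:
    """Fingerprint of the file contents; identifies the exact build you report."""
    return hashlib.sha256(data).hexdigest()


def fits_upload_limit(size_bytes: int) -> bool:
    """The article says the file needs to be smaller than 128MB."""
    return size_bytes < VT_MAX_BYTES


def second_opinion(report_json: str, my_engine: str) -> dict:
    """Tally engine verdicts and say whether `my_engine` is the only one flagging."""
    results = json.loads(report_json)["data"]["attributes"]["last_analysis_results"]
    flagged = {name: r["result"] for name, r in results.items()
               if r["category"] in ("malicious", "suspicious")}
    return {
        "engines": len(results),
        "flagged_by": sorted(flagged),
        "labels": flagged,
        # A lone detection is a reason to report a possible false positive,
        # not proof that the file is safe.
        "only_my_engine": sorted(flagged) == [my_engine],
    }


if __name__ == "__main__":
    blob = b"constructed stand-in for a downloaded installer"
    print(sha256_of(blob), fits_upload_limit(len(blob)))
    print(second_opinion(SAMPLE_REPORT, "ExampleAV"))
```

A lone detection with a generic or heuristic label is the typical shape of a false positive, but the file should still stay quarantined until the vendor confirms it.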

Check a program using Should I Remove It


If a program you’ve already installed is causing problems with your security software – for example, because your firewall is blocking its access to the internet – you can check it for malware using Should I Remove It (www.shouldiremoveit.com). This handy free tool scans all your installed programs and ranks them in order of how dangerous they are. Any programs flagged red represent a potential security risk and should be removed immediately.

Click a program to see information about it, including its install size. The ‘What is it?’ button takes you to the Should I Remove It website where you’ll find a full description of the program and the number of other users who have removed it. The Uninstall button lets you remove the program from within Should I Remove It, rather than via the Windows Control Panel, which can often be very slow.

Search online threat databases


Many of the bigger security companies publish comprehensive databases of known malware that let you check your suspicious program against an up-to-date list of genuine threats. Of these, Symantec’s Security Response (www.symantec.com/security_response) is one of the biggest and easiest to browse. The page splits findings into Threats, Risks and Vulnerabilities – the Risks tab is where you’ll find potentially unwanted programs (PUPs), adware and misleading applications, while Threats covers the latest Trojans, ransomware and other nasties. Each category lists entries by date, with the most recently identified at the top, but you can also browse risks and threats by clicking the A-Z tab or by typing the name of your suspicious file into the search box.

Run the suspicious download in a sandbox


A great way to test a program you’re not sure about is to run it in a sandbox, which is a ring-fenced section of your hard drive where you can safely install and run applications in isolation without affecting the rest of your PC. Sandboxie (www.sandboxie.com) has been around for ages but remains the best tool of this type. It’s still free, too, though you’ll have to put up with a nagging message after 30 days unless you pay £14 for a licence.

Once you’ve installed Sandboxie, when you want to run a program you’ve downloaded, right-click the installation file, select Run Sandboxed and choose DefaultBox. If you decide you no longer want the program – or anything else – in your sandbox, right-click the Sandboxie icon in the notification area and select DefaultBox, then Delete Contents to wipe the slate clean.

Tweak your security settings


If your anti-virus software has quarantined a program you’ve downloaded, rather than merely provided a warning, it’s usually possible to unblock it. However, we wouldn’t recommend doing so. If there’s even a shred of doubt, you should leave the ‘infected’ file where it is and follow your security software provider’s official procedure for querying a potential false positive (see next tip). That way, you’ll know that the file has been verified by experts before you run it.

If, on the other hand, a program has installed without being flagged as unsafe by your anti-virus program but is now being blocked by your firewall, it may be safe to unblock it. First, get a second opinion on the software’s safety (see ‘Should I Remove It’ tip). The procedure for unblocking it will depend on the firewall you’re using. With Windows Firewall, for example, you need to open the Control Panel, click ‘System and Security’, then click ‘Allow a program through Windows Firewall’. On the next screen, click ‘Change settings’ and put a tick by the program you want to unblock. If the program isn’t listed, click ‘Allow another program’, then highlight the application and click Add.

Report the false positive to the security company


Security companies realise that falsely identifying malware is a pain for users and an even bigger pain for the legitimate software developers, so it’s in everyone’s interests to make sure wrongly blocked programs are identified and corrected as soon as possible. The best way to do this is to let your security software provider know about any programs you think have been incorrectly blocked. Some anti-virus programs allow you to do this from within the program itself – look for a ‘false positive’ or ‘send sample’ option when a program is blocked or quarantined.

Each security software company has its own reporting process. In Avira’s Free Antivirus, for example, you open the management console, click Quarantine on the left, then highlight the suspicious program in the list and click the envelope icon in the top toolbar. Fill in the form and click OK to send the file to the company for analysis.

Alternatively, you can simply email the company or see if there’s a form to report false positives on its website. Symantec, for example, has a form at bit.ly/symantec365, while for Kaspersky, you should visit newvirus.kaspersky.com, select False Alarm and upload the file.