{"id":7608,"date":"2015-02-12T16:13:11","date_gmt":"2015-02-12T21:13:11","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=7608"},"modified":"2015-02-12T16:13:11","modified_gmt":"2015-02-12T21:13:11","slug":"virustotal-tackles-the-tricky-false-positives-problem-plaguing-antivirus-software","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/12\/virustotal-tackles-the-tricky-false-positives-problem-plaguing-antivirus-software\/","title":{"rendered":"VirusTotal tackles the tricky false positives problem plaguing antivirus software"},"content":{"rendered":"

\"\"<\/a><\/p>\n

VirusTotal, a Google-owned online malware scanning service, is creating a whitelist of products from large software vendors to reduce bad detections by antivirus programs.<\/p>\n

False positive detections are common in the antivirus industry. They occur when a benign program is wrongfully flagged as malicious due to an overly broad detection signature or algorithm used in an antivirus product.<\/p>\n

VirusTotal, which scans suspicious files uploaded by users with products from 48 antivirus vendors, invited large software makers Tuesday to add metadata about their products\u2019 files to a new database maintained by the company.<\/p>\n

If a file that\u2019s later uploaded by users to be scanned with VirusTotal is in that database, the scan report will display a \u201ctrusted source\u201d alert. If any antivirus products flagged the file as malicious during the scan, their detections will be considered false positives and will not be counted toward the final detection score. Vendors of the products that flagged the file as malware will be notified so that they can correct the error.<\/p>\n

Sometimes false positive detections have serious consequences, like the deletion of critical system files or the blocking of popular websites and when that happens, they are usually reported on technology news sites, blogs and tech support forums.<\/p>\n

However, lower impact cases of wrongful detection occur all the time. They don\u2019t get the same visibility as the critical ones, but many users, including this reporter, have been in situations like this one:<\/p>\n

They download a program from a legitimate source and attempt to install it, only to be stopped by an alert from their antivirus program saying it\u2019s potentially malicious. Trying to get a second opinion, they upload the file to VirusTotal and they get a report with detections by only a handful of antivirus engines.<\/p>\n

Are those detections false positives? Or is the malware sample new and therefore detected only by a small number of antivirus products? It\u2019s hard to tell, and there are additional factors that further complicate things.<\/p>\n

For example, some antivirus products share the same detection engine or malware signatures. This is the result of inter-vendor partnerships that regular users are often unaware of. So what appears as a malware detection by three separate products in VirusTotal could actually be the result of a single bad signature shared by all of them.<\/p>\n

Relying on things like digital signatures to verify a file\u2019s authenticity is not sufficient either, because not all legitimate files are signed and there have been cases of malware programs being digitally signed with certificates stolen from legitimate developers.<\/p>\n

False positives are also a headache for antivirus vendors and software developers, not just for users. In the case of bad detections that have a widespread impact, antivirus vendors will have to deal with a surge in technical support calls and even bad press.<\/p>\n

For software developers it can be stressful to track down the appropriate contacts at different antivirus firms spread around the globe and then to convince them to fix a false positive detection. Some developers might not even be aware for days or weeks that their products are wrongfully detected as malware, which can lead to loss of potential customers.<\/p>\n

With VirusTotal\u2019s new trusted source feature, antivirus vendors can be notified even before the affected software maker learns of the problem.<\/p>\n

So far, VirusTotal has worked with Microsoft to add metadata for the company\u2019s files to the database and the effort has already paid off.<\/p>\n

In a single week, over 6,000 false positive detections have been identified, reported and fixed, said Emiliano Martinez, a software engineer at VirusTotal in a blog post. \u201cWe are looking to grow our collection of trusted software; if you happen to be a very large software development company you might want to contact us in order to share this data and help us mitigate the issue of false positives.\u201d<\/p>\n

 <\/p>\n

via VirusTotal tackles the tricky false positives problem plaguing antivirus software | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

VirusTotal, a Google-owned online malware scanning service, is creating a whitelist of products from large software vendors to reduce bad […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,10],"tags":[354,655],"class_list":["post-7608","post","type-post","status-publish","format-standard","hentry","category-security","category-technology","tag-false-positives","tag-malware"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1YI","jetpack-related-posts":[{"id":5750,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/11\/one-click-test-finds-gameover-zeus-infections-on-pcs\/","url_meta":{"origin":7608,"position":0},"title":"One-click test finds Gameover Zeus infections on PCs","author":"NCCT","date":"June 11, 2014","format":false,"excerpt":"Users can test by simply visiting a Web page if their computers have been infected with Gameover Zeus, a sophisticated online banking Trojan that law enforcement officers temporarily disrupted last week. The one-click test was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware\u2019s aggressive\u2026","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5916,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/08\/attack-on-dailymotion-redirected-visitors-to-exploits\/","url_meta":{"origin":7608,"position":1},"title":"Attack on Dailymotion redirected visitors to exploits","author":"NCCT","date":"July 8, 2014","format":false,"excerpt":"Attackers injected malicious code into Dailymotion.com, a popular video sharing website, and redirected visitors to Web-based exploits that installed malware. The rogue code consisted of an iframe that appeared on Dailymotion on June 28, researchers from security vendor Symantec said Thursday in a blog post. The iframe redirected browsers to\u2026","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3156,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/09\/hand-of-thief-banking-trojan-doesnt-do-windows-but-it-does-linux\/","url_meta":{"origin":7608,"position":2},"title":"\u201cHand of Thief\u201d banking trojan doesn\u2019t do Windows\u2014but it does Linux","author":"NCCT","date":"August 9, 2013","format":false,"excerpt":"Signaling criminals' growing interest in attacking non-Windows computers, researchers have discovered banking fraud malware that targets people using the open-source Linux operating system. Hand of Thief, which was recently discovered by researchers from security firm RSA, sells for about $2,000 in underground Internet forums and boasts its own support and\u2026","rel":"","context":"In "Linux"","block_context":{"text":"Linux","link":"https:\/\/nccomputertech.com\/techtalk\/category\/linux\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":7648,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/26\/chrome-security-update-warns-against-sneaky-software-downloads-as-well-as-malware\/","url_meta":{"origin":7608,"position":3},"title":"Chrome security update warns against sneaky software downloads as well as malware","author":"NCCT","date":"February 26, 2015","format":false,"excerpt":"Google is adding a new warning to Chrome in its continuing efforts to protect users from harmful actors on the web. The new red flag for Google\u2019s browser warns you when you\u2019re about to visit a site that encourages users to download harmful and unwanted software. Chrome isn\u2019t the only\u2026","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3106,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/05\/attackers-reported-seeding-cloud-services-with-malware\/","url_meta":{"origin":7608,"position":4},"title":"Attackers reported seeding cloud services with malware","author":"NCCT","date":"August 5, 2013","format":false,"excerpt":"LAS VEGAS -- Malware writers are ramping up their use of commercial file hosting sites and cloud services to distribute malware programs, security researchers said at this week's Black Hat conference here. Traditionally, malware writers had distributed their malicious code from their own sites. But as security vendors get better\u2026","rel":"","context":"In "Networking"","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6713,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/10\/28\/rogue-tor-exit-node-server-added-malware-to-legitimate-downloads\/","url_meta":{"origin":7608,"position":5},"title":"Rogue Tor ‘exit node’ server added malware to legitimate downloads","author":"NCCT","date":"October 28, 2014","format":false,"excerpt":"The Tor Project has flagged a server in Russia after a security researcher found it slipped in malware when users were downloading files. Tor is short for The Onion Router, which is software that offers users a greater degree of privacy when browsing the Internet by routing traffic through a\u2026","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/7608","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=7608"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/7608\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=7608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=7608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=7608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}