I see viruses. When an antivirus scanner reports a file as infected when in fact it is not, that report is a false positive. False positives aren’t confined to antivirus software either, as Scott Berinato discusses in the article The Software That Cried Wolf. Indeed, false positives in any security software can be more than just annoying. One popular argument is that users beset with false positives may become so anesthetized to the alerting that they disregard a valid warning. In other cases, false positives – or the way in which they are handled – can lead to an even worse problem: a false sense of security.
In December 1999, Norton Antivirus began false-alarming on the Macromedia® Flash Player and files created by Flash™. At the time, Symantec® (makers of Norton Antivirus™) and Macromedia® participated in a joint effort to confirm that these were indeed false positives. Subsequently, a support statement was released declaring, in essence, that both Symantec® and Macromedia® had confirmed there were no viruses in Flash, or in the files created by Flash. This press release still survives, and can be found on Macromedia’s site. Lest you think it’s buried deep, the release can be found by doing a quick search for the word "virus" on the Macromedia® website. Why would someone search on the Macromedia® website for the term "virus"? To see what their response was regarding the newly discovered (March 6, 2001) Naked Wife virus. While not actually a Flash file, for all intents and purposes nakedwife.exe looks like a Flash file – right down to its icon and splash screen. Thus, to many average users, nakedwife.exe would be considered a Flash file.
We can assume that Norton Antivirus has long since stopped false-alarming on Flash files, but what about someone who hears about a new "Flash" virus, visits Macromedia’s site, and does a search on the word "virus"? They’ll be presented with a disclaimer stating that Symantec® has confirmed Norton Antivirus™ is generating a false positive, that "the" warning is erroneous and that all Flash files are safe for use. For a user who has previously experienced the problems of false positives, such a disclaimer might be enough to convince them that nakedwife.exe is safe to launch.
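The nakedwife.exe case turns on appearance: an icon and a splash screen say nothing about what a file actually is. The check below is an added example, not code from the article or from Macromedia or Symantec; it identifies a file by its leading bytes (the "FWS"/"CWS"/"ZWS" signature of a Flash movie versus the "MZ" stub and "PE\0\0" signature of a Windows executable) and reports when the name and the content disagree. The two sample files are constructed byte strings, not real movies or programs.

```python
import struct

# Magic bytes that open a Flash movie: "FWS" (uncompressed), "CWS" (zlib body)
# or "ZWS" (LZMA body), followed by a version byte and a little-endian uint32
# holding the uncompressed length of the whole file.
SWF_SIGNATURES = {b"FWS": "swf", b"CWS": "swf-zlib", b"ZWS": "swf-lzma"}

FLASH_MOVIE = "Flash movie: opened by the Flash Player"
NATIVE_EXE = "native Windows program: runs as code whatever its icon or splash screen"


def swf_header(data: bytes):
    """Return (kind, version, declared_length) for a SWF header, else None."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version = data[3]
    declared_length = struct.unpack_from("<I", data, 4)[0]
    return SWF_SIGNATURES[data[:3]], version, declared_length


def is_pe_executable(data: bytes) -> bool:
    """Windows PE: an 'MZ' DOS stub whose uint32 at offset 0x3C points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def identify(data: bytes) -> str:
    """Classify by content only; the file name is deliberately not consulted."""
    header = swf_header(data)
    if header is not None:
        return header[0]
    if is_pe_executable(data):
        return "pe"
    if data[:2] == b"MZ":          # MZ stub without a PE signature: still a program
        return "dos-exe"
    return "unknown"


def classify(name: str, data: bytes) -> str:
    """Compare what the name suggests with what the bytes say."""
    kind = identify(data)
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if kind.startswith("swf"):
        return FLASH_MOVIE if ext == "swf" else FLASH_MOVIE + f" (but named .{ext})"
    if kind in ("pe", "dos-exe"):
        return NATIVE_EXE
    return "unknown format: judge by vendor analysis, not by appearance"


def constructed_swf() -> bytes:
    """A minimal, constructed SWF: header plus a zero-filled body (not a real movie)."""
    body = b"\x00" * 20
    return b"FWS" + bytes([5]) + struct.pack("<I", 8 + len(body)) + body


def constructed_exe() -> bytes:
    """A minimal, constructed PE skeleton: MZ stub whose 0x3C field points at 'PE\\0\\0'."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\0\0" + b"\x00" * 20


if __name__ == "__main__":
    for name, data in (("intro.swf", constructed_swf()), ("nakedwife.exe", constructed_exe())):
        print(f"{name}: {classify(name, data)}")
```

The check only says what a file is, not whether it is safe: a Flash projector is a legitimate program that also starts with an MZ stub, so an "executable" verdict means "treat this as code to be scanned and vetted", not "this is a virus".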
How, in the face of such conflicting information, can you determine whether a warning is justified or is a false positive? If the alert says the file is suspicious, or that it cannot be disinfected and should be deleted, you might want to do some research before relying on program developer support statements. First, check sources like Antivirus.About.com or your antivirus vendor sites to see if the virus name provided is listed there.
If you can’t find the virus listed there, take a look at the virus name the alert is providing. Does it end in .gen, or refer to Bloodhound, or identify it simply as being suspicious? Depending on the scanner used, any of these indicates either an unknown virus or a false positive. Update your scan engine and signature definition files, then scan again. Does the alert still occur? If so, submit the file to your antivirus vendor for analysis.
Most importantly, always double check information found via web searches to determine whether the information is still applicable. For example, the Macromedia® support document mentioned above clearly has dates specifying the false-positives occurred in December 1999. If some time has passed since the document was released, follow the steps outlined above before declaring a file is safe, or not safe, to use.
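The steps above (check the vendor database, look for a heuristic or generic label, update and rescan, submit if it persists, and check the date on any vendor false-positive statement) form one decision procedure. The script below walks it over three constructed scanner log lines; it is an added example, not code from the article or from any antivirus vendor. The log format, the field names, the extra markers "generic" and "heur", the detection name W32.Example.Worm, and the rule that a false-positive notice covers only alerts raised with definitions no newer than the notice are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fragments that, on many scanners, mark a heuristic or generic detection rather
# than a signature match on one known virus. The article names ".gen",
# "Bloodhound" and "suspicious"; "generic" and "heur" are added assumptions.
HEURISTIC_MARKERS = (".gen", "bloodhound", "suspicious", "generic", "heur")

# Constructed sample log lines in an assumed format (not any real product's log).
SAMPLE_LOG = """\
2001-03-07 scanner=NortonAV defs=2001-03-06 detection=Bloodhound.Unknown file=C:\\temp\\nakedwife.exe
1999-12-14 scanner=NortonAV defs=1999-12-10 detection=Trojan.gen file=C:\\work\\intro.swf
2001-03-07 scanner=NortonAV defs=2001-03-06 detection=W32.Example.Worm file=C:\\temp\\nakedwife.exe
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) scanner=(?P<scanner>\S+) defs=(?P<defs>\d{4}-\d{2}-\d{2}) "
    r"detection=(?P<detection>\S+) file=(?P<path>.+)$"
)


@dataclass(frozen=True)
class Alert:
    raised: date
    scanner: str
    defs_date: date      # date of the definitions that produced the alert
    detection: str
    path: str


@dataclass(frozen=True)
class FalsePositiveNotice:
    """A vendor statement that a scanner wrongly flags some product's files."""
    scanner: str
    confirmed_on: date
    file_suffixes: tuple


def parse_alert(line: str) -> Alert:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Alert(date.fromisoformat(m["date"]), m["scanner"],
                 date.fromisoformat(m["defs"]), m["detection"], m["path"])


def is_heuristic_name(detection: str) -> bool:
    lowered = detection.lower()
    return any(marker in lowered for marker in HEURISTIC_MARKERS)


def notice_applies(notice: FalsePositiveNotice, alert: Alert) -> bool:
    """A notice clears an alert only from the same scanner, on a file type it
    names, raised with definitions no newer than the notice (assumption: a
    false positive confirmed in old definitions says nothing about newer ones)."""
    return (alert.scanner == notice.scanner
            and alert.path.lower().endswith(notice.file_suffixes)
            and alert.defs_date <= notice.confirmed_on)


def triage(alert: Alert, vendor_db: frozenset = frozenset(),
           notices: tuple = (), persists_after_update: Optional[bool] = None) -> str:
    """Walk the article's steps and return the recommended next action."""
    if any(notice_applies(n, alert) for n in notices):
        return "documented false positive: still confirm the file's real type before trusting it"
    if alert.detection in vendor_db:
        return "known virus: follow the vendor's write-up for removal"
    label = ("heuristic/generic label (unknown virus or false positive)"
             if is_heuristic_name(alert.detection) else "name not in vendor database")
    if persists_after_update is None:
        return f"{label}: update engine and definitions, then rescan"
    if persists_after_update:
        return f"{label}: still flagged after update, submit the file to the vendor"
    return f"{label}: gone after update, treat as a false positive fixed by the vendor"


def flash_notice() -> FalsePositiveNotice:
    """The December 1999 Flash notice; the day is a placeholder, the article gives only the month."""
    return FalsePositiveNotice("NortonAV", date(1999, 12, 31), (".swf",))


def triage_sample_log(persists_after_update: Optional[bool] = None) -> list:
    db = frozenset({"W32.Example.Worm"})   # constructed vendor database entry
    return [triage(parse_alert(line), db, (flash_notice(),), persists_after_update)
            for line in SAMPLE_LOG.splitlines()]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), triage_sample_log()):
        print(parse_alert(line).path, "->", verdict)
```

Run as written, the 1999 alert on intro.swf is cleared by the notice, while the 2001 Bloodhound alert on nakedwife.exe is not, because the notice covers .swf files and older definitions only; that alert gets the update-and-rescan step, and only a rescan result decides between "resolved" and "submit to the vendor".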