As cyber threats continue to become more prevalent, most people use antivirus programmes on their devices. These are usually the first line of defence against all forms of malware since they are highly effective at identifying suspicious files, apps or downloads.
These programmes work by running quietly in the background while you use your device. This means that they are constantly scanning from the time you power it on until you turn it off.
And from time to time, antivirus software can jump the gun a bit and flag a file or programme that is no threat at all. This is a false positive, and when it happens it can cause quite a headache for IT teams and developers.
So what actually goes on behind the scenes before your device starts to cry wolf? Let’s get into it.
What Is A False Positive?
In simple terms, a false positive happens when your antivirus incorrectly classifies a harmless app or file as dangerous. Just as it would with a genuinely malicious file, it will then block the installation, isolate the file or remove it completely from your device.
Your company may be rolling out a new software update and, all of a sudden, your team can’t install it because the antivirus that everyone uses has flagged it. Meanwhile, there’s nothing remotely dangerous about the update. As you can imagine, this is where false positives become highly frustrating.
For developers, the consequences are a bit more serious. If their software is labelled as unsafe, it directly damages their reputation and they could lose customers.
Why Do These False Positives Happen?
Antivirus programmes use several different methods to identify malware effectively. Because a verdict usually comes from a combination of these signals rather than from one exact match, it is easier for harmless software to be mistaken for something more sinister.
There are also several other reasons why a false positive could happen.
Your settings are too strict: Not every antivirus is the same and some are more cautious than others. If your settings are on maximum protection, it can overreact every now and then which significantly increases the risk of false positives.
Heuristic scanning: One of the ways in which antivirus programmes find threats is by checking the patterns of code in a file. So if a harmless programme shares even one characteristic with known malware, it could still be flagged.
New software: Apps built by smaller developers or those new to the market haven’t yet earned a reputation for being trustworthy. Without that recognition, the antivirus company will err on the side of caution and flag it.
Machine learning: Some antivirus software, especially the newer products, relies on AI and machine learning models trained on samples of known malware and clean files. If there’s a problem with that training data, the model can misidentify files or software.
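To make the heuristic and strictness points above concrete, here is an added toy example (not code from the article or from any antivirus vendor). It scores a file against a handful of constructed indicators with invented weights, then applies a threshold that depends on the sensitivity setting. A benign updater that merely writes a start-at-login registry entry and contacts an update URL scores a few points; at the "normal" setting that is not enough to flag it, but at "maximum" it is. The indicator names, weights, thresholds and all sample inputs are constructed for illustration.

```python
"""Added example, not from the article: a toy heuristic scanner.

It shows two of the causes described above: a benign file that shares a
single trait with known malware still scores points, and a stricter
sensitivity setting lowers the bar so that such files get flagged.
Indicator names, weights, thresholds and samples are all constructed.
"""
import re

# Each heuristic: (name, weight, predicate over the file's bytes).
# Weights are invented; real engines use far more signals than this.
HEURISTICS = [
    ("packed_section",    3, lambda b: b"UPX0" in b),
    ("registry_run_key",  2, lambda b: b"CurrentVersion\\Run" in b),
    ("shell_exec_string", 2, lambda b: re.search(rb"cmd\.exe|powershell", b, re.I) is not None),
    ("url_in_binary",     1, lambda b: re.search(rb"https?://", b) is not None),
    ("self_delete",       3, lambda b: b"DeleteFileW" in b and b"GetModuleFileName" in b),
]

# Score needed to flag a file at each sensitivity setting (constructed values).
# "maximum" flags on a couple of weak matches; "normal" needs stronger evidence.
THRESHOLDS = {"normal": 5, "maximum": 2}


def score(data: bytes):
    """Return (total score, list of matched heuristic names)."""
    hits = [name for name, _, pred in HEURISTICS if pred(data)]
    total = sum(w for name, w, _ in HEURISTICS if name in hits)
    return total, hits


def verdict(data: bytes, sensitivity: str = "normal"):
    """Return ("flagged" | "clean", score, hits) for the given setting."""
    total, hits = score(data)
    decision = "flagged" if total >= THRESHOLDS[sensitivity] else "clean"
    return decision, total, hits


def false_positive_rate(benign_samples, sensitivity: str) -> float:
    """Fraction of known-benign samples the scanner flags at this setting."""
    flagged = sum(1 for s in benign_samples if verdict(s, sensitivity)[0] == "flagged")
    return flagged / len(benign_samples)


# Constructed samples: text that merely contains the indicator strings, not real binaries.
BENIGN_SAMPLES = [
    b"Plain text readme. Visit https://docs.example/ for help.",
    b"Installer writes HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    b"so the app starts at login, then fetches https://updates.example/",
    b"Spreadsheet export with no indicators at all.",
    b"Admin tool: opens PowerShell to apply the chosen settings.",
]
MALWARE_LIKE = (b"UPX0 ... cmd.exe /c ... CurrentVersion\\Run ... "
                b"DeleteFileW ... GetModuleFileName")

if __name__ == "__main__":
    for setting in THRESHOLDS:
        print(setting, "updater:", verdict(BENIGN_SAMPLES[1], setting),
              "benign FP rate:", false_positive_rate(BENIGN_SAMPLES, setting))
    print("malware-like:", verdict(MALWARE_LIKE, "normal"))
```

Running it shows the trade-off the article describes: the malware-like sample is flagged at both settings, while the benign updater is clean at "normal" and flagged at "maximum", where half of the benign corpus trips the threshold.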
How Does Antivirus Handle False Positives?
In the event that a false positive happens, antivirus companies have a procedure in place that they will follow. The point of this procedure is to review and resolve the error as quickly as possible. While some may take slightly different steps, this is a general overview of what will happen.
The File is Quarantined
In most cases, the antivirus will isolate the flagged file or programme instead of deleting it straight away. Once it has been quarantined, it won’t be able to run while it’s under review.
A lot of modern antivirus programmes use cloud databases so the suspicious file is reported to the company’s servers. If multiple people have received the same alert, an investigation will begin.
Review By An Analyst
Every antivirus company has a team of cybersecurity experts who will take a look at the flagged file. Their task is to review its code and compare it to known malware types to find a match.
In some cases, they can also test the file under strict controlled conditions to determine whether or not it really is a cause for concern.
If the file is not dangerous, it’s added to a whitelist (also called an allowlist), which is a database of approved programmes. That way, it won’t be flagged again in the future.
An Update Is Rolled Out
The antivirus programme will then send out an update to all of its users which removes the false detection from any scans done in the future.
This step can take anywhere from a couple of hours to a few days, depending on the vendor’s response time.
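The quarantine, review, whitelist and update steps above can be modelled as a small workflow. The following is an added example, not code from the article or from any vendor: a scanner that isolates rather than deletes, an analyst verdict that releases the file and records its SHA-256 digest on an allowlist, and a definitions update that both ships the cleared digest and retires the noisy rule. The rule id, file contents and digests are constructed. It also shows a caveat worth knowing: an allowlist entry keyed on a file hash covers only that exact build, so a rebuilt version of the same program needs the rule itself to be fixed.

```python
"""Added example, not from the article: a toy model of the handling flow
described above (quarantine, analyst review, allowlist, definitions update).
The rule, file contents and digests are constructed for illustration.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Scanner:
    def __init__(self, rules):
        self.rules = dict(rules)      # rule_id -> predicate over file bytes
        self.allowlist = set()        # SHA-256 digests cleared by review
        self.quarantine = {}          # digest -> (file bytes, rule_id that fired)

    def scan(self, data: bytes) -> str:
        """Isolate rather than delete: a hit goes to quarantine for review."""
        digest = sha256(data)
        if digest in self.allowlist:          # cleared files are never re-flagged
            return "clean"
        for rule_id, matches in self.rules.items():
            if matches(data):
                self.quarantine[digest] = (data, rule_id)
                return f"quarantined:{rule_id}"
        return "clean"

    def analyst_review(self, digest: str, is_malicious: bool) -> str:
        """Analyst verdict on a quarantined file: remove it, or release and allowlist it."""
        _data, _rule = self.quarantine.pop(digest)
        if is_malicious:
            return "removed"
        self.allowlist.add(digest)
        return "released"

    def apply_update(self, retired_rules=(), allowlisted_digests=()):
        """Definitions update pushed to users: retire a noisy rule, ship cleared hashes."""
        for rule_id in retired_rules:
            self.rules.pop(rule_id, None)
        self.allowlist.update(allowlisted_digests)


# Constructed rule: a crude string match that a benign updater happens to trip.
RULES = {"RULE-0001": lambda b: b"CurrentVersion\\Run" in b}
UPDATER_V1 = b"acme-updater v1: registers CurrentVersion\\Run entry for auto-start"
UPDATER_V2 = b"acme-updater v2: registers CurrentVersion\\Run entry for auto-start"


def run_flow():
    """Vendor side: flag, review, release. Returns the outcomes in order."""
    vendor = Scanner(RULES)
    events = [vendor.scan(UPDATER_V1)]                                   # quarantined
    digest = sha256(UPDATER_V1)
    events.append(vendor.analyst_review(digest, is_malicious=False))     # released
    events.append(vendor.scan(UPDATER_V1))                               # clean via allowlist
    return events, sorted(vendor.allowlist), list(vendor.rules)


def run_user_side(retire_rule: bool):
    """A user's installation before and after the vendor's update reaches it."""
    user = Scanner(RULES)
    before = user.scan(UPDATER_V1)
    cleared = [sha256(UPDATER_V1)]
    user.apply_update(retired_rules=["RULE-0001"] if retire_rule else (),
                      allowlisted_digests=cleared)
    after_v1 = user.scan(UPDATER_V1)
    after_v2 = user.scan(UPDATER_V2)   # new build, new hash: the allowlist alone does not cover it
    return before, after_v1, after_v2


if __name__ == "__main__":
    print(run_flow())
    print("allowlist only:", run_user_side(retire_rule=False))
    print("rule retired:  ", run_user_side(retire_rule=True))
```

With only the digest shipped, the original build scans clean but the next build of the same updater is quarantined again; once the update also retires the rule, both builds scan clean.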
What Can You Do As An Antivirus User?
If you have an antivirus and encounter a false positive, there are a couple of things that you can do. Don’t assume right off the bat that it’s a false alarm; search online to see if anyone else has reported the same or a similar issue.
Most antivirus programmes have a reporting feature where you can log the file with your service provider for review. If you are completely certain that the file is safe, you can add it to your list of exceptions. Keep that exception as narrow as possible (the single file rather than a whole folder) so it doesn’t hide genuine malware later.
And most importantly, always keep the antivirus updated. Most false positives are fixed and removed quite quickly with updates, so if yours is up to date you shouldn’t be having them too often.