Antivirus and anti-malware apps fill an important need on our computers, but they’re not foolproof (*ahem*, McAfee). More often than you’d think, they’re just plain wrong. Here’s what to do when you’re not sure whether a download has a virus.
Photo by Daquella manera.
On a regular basis, we get emails from readers saying that some download we posted contains a virus, and we assure them that said download is clean. (Over the past five years, our track record in this arena is next to spotless.) So how do you know if a download really has a virus or not?
There’s no exact science when it comes to figuring out if a file has a virus or is just being detected as a false positive, but today we’ll share a little background and some tips that will help you figure out whether a file really contains a virus or not.
What Is a False Positive Exactly?
A false positive is when your virus scanner detects a file as a virus, even when it really isn’t a virus, and then tries to quarantine or delete that file. If you’ve read about the recent McAfee fiasco, you’ll begin to see the problem — they released a virus definition update that detected internal Windows files as a false positive, deleted them, and then suddenly Windows couldn’t boot anymore. Antivirus software is not perfect.
Some virus scanners also employ an additional line of defence called heuristic analysis, which attempts to identify new forms of malware right away by scanning for smaller sections of code that might indicate some bad behaviour, even if the virus has never been seen before. Unfortunately, because this method is not exact, it will also incorrectly flag a lot of legitimate files as viruses.
Use VirusTotal to Check for False Positives
Whenever there’s a possibility that a file you’ve downloaded might contain a virus, the first thing you should do is upload it to online virus scanning service VirusTotal, which instantly scans the file against 40 different antivirus engines at the same time, and gives you the results.
You can use the VirusTotal Uploader to instantly scan any file via your right-click context menu. (We’d highly recommend installing this small utility.) VirusTotal Uploader will upload any file you choose directly to the VirusTotal website and run the scan without you having to hassle with annoying web upload forms. Even better, most of the time you don’t even have to wait for the file to upload, since before uploading the app checks your file’s hash (a unique identifier, sort of like a fingerprint for files) against their database, so if they’ve already checked that file, you’ll get instant results.
You’ll sometimes find that files are caught as viruses by just a single virus scanner out of the 40, which is a good sign that you’re dealing with a false positive from one of the more aggressive virus scanners. It should be noted that VirusTotal is not a replacement for using your favourite antivirus application, which offers real-time protection against a variety of attack vectors — but it is a strong supplement.
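The two ideas above (look the file's hash up before uploading it, then judge by how many of the 40 engines flag it) are easy to put in code. The script below is an added example, not part of the original article and not VirusTotal's own API or the Uploader's code: the engine names, the cached scan results, the sample .ahk file and the verdict thresholds are all constructed for illustration.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Per-engine result: None means "not flagged", otherwise the detection name.
ScanResults = Dict[str, Optional[str]]

# Constructed stand-in for the 40 engines the article mentions (hypothetical names).
ENGINES = [f"engine{i:02d}" for i in range(1, 41)]

# Constructed sample: a tiny AutoHotkey script of the kind the article links to.
SAMPLE_AHK = b"#NoEnv\n^!n::Run notepad.exe\n"


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the file contents; this is the key looked up before any upload."""
    return hashlib.sha256(data).hexdigest()


def constructed_results(flagged: Dict[str, str]) -> ScanResults:
    """Build a full 40-engine result set where only the named engines flag the file."""
    return {name: flagged.get(name) for name in ENGINES}


# Constructed "already scanned" cache, keyed by SHA-256 as a hash-lookup service would be.
# Here a single heuristic engine flags the sample script as a generic keylogger.
KNOWN_RESULTS: Dict[str, ScanResults] = {
    sha256_hex(SAMPLE_AHK): constructed_results({"engine07": "Heur.Keylogger.Generic"}),
}


def check_file(data: bytes, known: Dict[str, ScanResults]) -> Tuple[str, Optional[ScanResults]]:
    """Hash-first lookup: return cached results if the file was seen before, else ask for an upload."""
    digest = sha256_hex(data)
    if digest in known:
        return "cached", known[digest]
    return "upload_needed", None


def flagging_engines(results: ScanResults) -> Dict[str, str]:
    """Which engines flagged the file, and what they called it."""
    return {name: label for name, label in results.items() if label is not None}


def summarize(results: ScanResults) -> Tuple[int, int, str]:
    """Turn a result set into (flagged, total, verdict).

    Thresholds are an assumption for this example: one engine out of many is the
    'single aggressive scanner' case from the article; a small minority is worth
    investigating (read the source, ask the developer); a large share is a red flag.
    """
    flagged = len(flagging_engines(results))
    total = len(results)
    if flagged == 0:
        verdict = "clean"
    elif flagged == 1:
        verdict = "likely false positive"
    elif flagged / total < 0.25:
        verdict = "inconclusive: check the source and ask the developer"
    else:
        verdict = "likely malicious"
    return flagged, total, verdict


if __name__ == "__main__":
    status, results = check_file(SAMPLE_AHK, KNOWN_RESULTS)
    print("lookup:", status)
    if results is not None:
        flagged, total, verdict = summarize(results)
        print(f"{flagged}/{total} engines flagged it -> {verdict}")
        print("flagged by:", flagging_engines(results))
    print("unseen file:", check_file(b"never scanned before", KNOWN_RESULTS)[0])
```

Keep the cache keyed by the hash of the exact bytes: a file rebuilt or re-packed by the developer hashes differently and will need a fresh scan, which is also why a hash match gives instant results only for downloads that someone else has already submitted.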
AutoHotkey and Overly Aggressive Virus Scanners
We’re huge fans of the AutoHotkey scripting language around here, because it helps you simplify your life by turning any action into a hotkey. Many of the small utilities that we link to, like our own Lifehacker Code projects, are also written in AutoHotkey, or are provided as both a script and a compiled version.
Since the AutoHotkey language provides the ability to monitor keystrokes and mouse movements, it is often detected by heuristic virus scanners incorrectly as a keylogger or trojan — because those are the same type of internal Windows functions that a trojan might take advantage of to steal your password. This doesn’t mean that the file necessarily has a virus.
The great thing about most AutoHotkey applications that we link to is that the source code is usually provided, so you can just open up the .ahk file yourself and see what exactly is going on. In fact, if you have AutoHotkey installed, you can run any .ahk file instead of the provided executable file.
Ask the Developer
You’d be surprised to find out just how easy it is to get in touch with some developers. People email us all the time asking about the false-positive AutoHotkey apps we host on the site, and we do our best to reply. Other developers — who aren’t also sorting through hundreds of other tips emails every day — are probably even easier to get a hold of, and if they’re legit, they care a great deal about what antivirus apps are saying about their software and will do whatever it takes to help. Again, you shouldn’t necessarily trust everything said developer has to say, but if a developer is easy to contact, chances are they’re making legit apps. It’s the developers who are impossible to get a hold of (because it’s in their best interest not to be found) that are a little more worrisome.
Use Your Judgment
If your antivirus software is telling you that a file contains a virus, you shouldn’t blindly assume that you’re dealing with a false positive; use that opportunity to ask yourself if you really need to install that application. If you do, make sure to check with VirusTotal first, make sure the download is from a reputable place, and then make that judgment call on your own.
So what about you? What do you do when a file is detected as a virus? Share your thoughts in the comments.