How Do You Know If Your Download Really Has A Virus?


Antivirus and anti-malware apps fill an important need on our computers, but they’re not foolproof (*ahem*, McAfee). More often than you’d think, they’re just plain wrong. Here’s what to do when you’re not sure whether a download has a virus.

Photo by Daquella manera.

On a regular basis, we get emails from readers saying that some download we posted contains a virus, and we assure them that said download is clean. (Over the past five years, our track record in this arena is next to spotless.) So how do you know if a download really has a virus or not?

There’s no exact science when it comes to figuring out if a file has a virus or is just being detected as a false positive, but today we’ll share a little background and some tips that will help you figure out whether a file really contains a virus or not.

What Is a False Positive Exactly?

A false positive is when your virus scanner detects a file as a virus, even when it really isn’t a virus, and then tries to quarantine or delete that file. If you’ve read about the recent McAfee fiasco, you’ll begin to see the problem — they released a virus definition update that detected internal Windows files as a false positive, deleted them, and then suddenly Windows couldn’t boot anymore. Antivirus software is not perfect.

Some virus scanners also employ an additional line of defence called heuristic analysis, which attempts to identify new forms of malware right away by scanning for small sections of code that might indicate bad behaviour, even if that particular virus has never been seen before. Unfortunately, because this method is not exact, it will also flag a lot of clean files as viruses.

Use VirusTotal to Check for False Positives

Whenever there’s a possibility that a file you’ve downloaded might contain a virus, the first thing you should do is upload it to the online virus-scanning service VirusTotal, which instantly scans the file against 40 different antivirus engines at the same time and gives you the results.

You can use the VirusTotal Uploader to instantly scan any file via your right-click context menu. (We’d highly recommend installing this small utility.) VirusTotal Uploader will upload any file you choose directly to the VirusTotal website and run the scan without you having to hassle with annoying web upload forms. Even better, most of the time you don’t even have to wait for the file to upload, since before uploading the app checks your file’s hash (a unique identifier, sort of like a fingerprint for files) against their database, so if they’ve already checked that file, you’ll get instant results.

You’ll sometimes find that files are caught as viruses by just a single virus scanner out of the 40, which is a good sign that you’re dealing with a false positive from one of the more aggressive virus scanners. It should be noted that VirusTotal is not a replacement for using your favourite antivirus application, which offers real-time protection against a variety of attack vectors — but it is a strong supplement.
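The two ideas in this section, hash the file locally before sending it anywhere and read a multi-engine result by how many engines agree, can be shown in a few lines of Python. This is an added example, not code from Lifehacker or from VirusTotal: the engine names, detection labels and the "cache" of known hashes are all constructed sample data, and the thresholds in assess() (one or two detections out of 20 or more engines reads as a probable false positive, half or more as malicious) are illustrative assumptions, not anything the service defines.

```python
"""Hash a download locally first, then read a multi-engine verdict table.

Added example. SAMPLE_CACHE stands in for a real hash database (constructed),
and the decision thresholds in assess() are assumptions for illustration.
"""
import hashlib
from pathlib import Path
from typing import Dict, Optional

# Constructed sample "database": SHA-256 -> {engine name: detection label or None}.
# The entry below is the digest of the constructed bytes b"hello"; 39 made-up
# engines report nothing and one aggressive heuristic engine flags it.
SAMPLE_CACHE: Dict[str, Dict[str, Optional[str]]] = {
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824": {
        **{f"Engine{i:02d}": None for i in range(1, 40)},
        "HeuristicAV": "Heur.Suspicious.Generic",  # constructed label
    },
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of an in-memory buffer (hex)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_hashes(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file once, updating all three digests per chunk (large files stay off the heap)."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def cached_verdicts(sha256_hex: str, cache=SAMPLE_CACHE) -> Optional[Dict[str, Optional[str]]]:
    """Per-engine verdicts already recorded for this hash, or None (file itself would need scanning)."""
    return cache.get(sha256_hex.lower())


def assess(verdicts: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Summarise a verdict table the way the article suggests reading it.

    Thresholds are assumptions for this example, not a published rule.
    """
    total = len(verdicts)
    flagged = sorted(engine for engine, label in verdicts.items() if label)
    ratio = len(flagged) / total if total else 0.0
    if not flagged:
        reading = "no engine flagged it"
    elif len(flagged) <= 2 and total >= 20:
        reading = "likely false positive: only an aggressive minority flagged it; verify the source and ask the developer"
    elif ratio >= 0.5:
        reading = "treat as malicious: a majority of engines agree"
    else:
        reading = "inconclusive: several engines disagree; do not run it until resolved"
    return {"detections": len(flagged), "engines": total, "flagged_by": flagged, "reading": reading}


def check_download(path: Path, cache=SAMPLE_CACHE) -> Dict[str, object]:
    """Hash locally first; only a cache miss would require sending the file anywhere."""
    digests = file_hashes(path)
    verdicts = cached_verdicts(digests["sha256"], cache)
    if verdicts is None:
        return {"hashes": digests, "cached": False, "assessment": None}
    return {"hashes": digests, "cached": True, "assessment": assess(verdicts)}


if __name__ == "__main__":
    import tempfile

    with tempfile.NamedTemporaryFile("wb", delete=False) as tmp:
        tmp.write(b"hello")  # constructed sample download
    print(check_download(Path(tmp.name)))
```

Because the hash is computed on your side, a cache hit answers the question without the file ever leaving your machine, which is exactly the shortcut the uploader relies on. A single detection out of forty is a cue to investigate (source, developer, the script's own code), not a verdict of "clean"; a cache miss means the file is unknown, which says nothing either way.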

AutoHotkey and Overly Aggressive Virus Scanners

We’re huge fans of the AutoHotkey scripting language around here, because it helps you simplify your life by turning any action into a hotkey. Many of the small utilities that we link to, like our own Lifehacker Code projects, are also written in AutoHotkey, or are provided as both a script and a compiled version.

Since the AutoHotkey language provides the ability to monitor keystrokes and mouse movements, it is often detected by heuristic virus scanners incorrectly as a keylogger or trojan — because those are the same type of internal Windows functions that a trojan might take advantage of to steal your password. This doesn’t mean that the file necessarily has a virus.

The great thing about most AutoHotkey applications that we link to is that the source code is usually provided, so you can just open up the .ahk file yourself and see what exactly is going on. In fact, if you have AutoHotkey installed, you can run any .ahk file instead of the provided executable file.

Ask the Developer

You’d be surprised to find out just how easy it is to get in touch with some developers. People email us all the time asking about the false-positive AutoHotkey apps we host on the site, and we do our best to reply. Other developers — who aren’t also sorting through hundreds of other tips emails every day — are probably even easier to get a hold of, and if they’re legit, they care a great deal about what antivirus apps are saying about their software and will do whatever it takes to help. Again, you shouldn’t necessarily trust everything said developer has to say, but if a developer is easy to contact, chances are they’re making legit apps. It’s the developers who are impossible to get a hold of (because it’s in their best interest not to be found) that are a little more worrisome.

Use Your Judgment

If your antivirus software is telling you that a file contains a virus, you shouldn’t blindly assume that you’re dealing with a false positive; use that opportunity to ask yourself if you really need to install that application. If you do, make sure to check with VirusTotal first, make sure the download is from a reputable place, and then make that judgment call on your own.

So what about you? What do you do when a file is detected as a virus? Share your thoughts in the comments.


  • @5h17h34d MD5 Checksums and hash values for different files can yield the same result.

    If checksums & hashes uniquely identified every file, then theoretically you could use the checksum instead of the original file, as you would then be able to create the file by reversing the checksum algorithm. That would mean excellent compression, reducing any file to 64, 128 or 256 bits.

    • Not one checksum, but a combo of two or three checksums – but “counting up” till the binary string’s sums match the desired ones would take ages, esp. given the need to rescan the sums every tick. Imagine a 30GB game being published in a magazine as a UUencoded dual-hash code… Reproducing the file using dual hashes would take longer than downloading those 30GB over dial-up.

    • Which is like telling someone to amputate a leg and switch to a prosthetic limb when they stump their toe.
      By the way, I’m joking. Please don’t start a war.

  • Best bet is to simply stop the dload, get rid of its traces, run a full scan and to never seek for that particular piece of software, that particular melody/movie, … (basically, add the media to your “never” list that replaces your desktop wallpaper).
    If ya get a virus even with this technique, remember a simple thing: ONLY BROWSE THE INTERNET FROM A LIVECD! Why livecd? ‘cuz livecd disposes of all the settings on and malware (including platform-unspecific malware).
    Sadly, I keep forgetting those two techniques.
