Tuesday, February 10, 2015

, , , ,

A first shot at false positives

Every so often an antivirus detecting a legitimate file hits the headlines, this usually happens when a given vendor mistakenly marks as malicious a file belonging to a widespread software package, for example, a key operating system file.

These mistaken detections, commonly known as false positives, have all sorts of undesired effects:
  • Software developers may face strong business impact as a large portion of their users see their programs rendered unusable. 
  • Support teams for the affected programs may be suddenly overwhelmed by user emails claiming that the given software is not working correctly.
  • End-users may be unable to interact with important software and see themselves unable to finish critical tasks.
  • Antivirus vendors' reputation may be severely hindered.
It is, thus, obvious that false positives are a head ache both for the antivirus industry and software developers. Solving them can be a very challenging problem. Why? Nowadays antivirus vendors are increasingly required to become more proactive, this includes developing generic signatures and heuristic flags, which very often leads to mistaken detections in an effort to have a more secure user-base. 

Virustotal is strongly committed to helping the antivirus and security industry, this is why we also wanted to collaborate on this front. Our first shot at this is a project that we call trusted source. The goal of this first stage is to have huge software developers share the files in their software catalogue.

These files are then marked accordingly at VirusTotal and whenever an antivirus solution (mistakenly) detects them, we notify the pertinent vendor, allowing them to quickly correct the false positive. Additionally, when files get distributed to antivirus vendors, they are tagged so that potential erroneous flags can be ignored,  preventing a snowball effect with detection ratios.

We have already started marking files and you may have already noticed the new message dialog at the top of file reports, example:
https://www.virustotal.com/en/file/a70999ee28e6233ffcadb6cc3967417be4de2678b868fa2d45bdd3f826c7ed48/analysis/

As you can see, not only a trusted source dialog is displayed, mistaken detections are also dropped from the positives count and degraded to the bottom of the report. This is just a quick measure to make sure the false positives do not mislead users looking at the report, as said, these mistaken detections are also shared with the pertinent vendors in order for them to fix.

We have been working on this for just one week and with just one company, Microsoft, yet results look very promising: over 6000 false positives have been fixed. We would like to extend a big thank you to the Microsoft team for sharing metadata about its software collection and to the antivirus industry as a whole for the false positives remediation. 

So what are the next steps? We are looking to grow our collection of trusted software, if you happen to be a very large software development company you might want to contact us in order to share this data and help us mitigate the issue of false positives. Please note that this initiative is not open to potentially unwanted applications and adware developers.