Any user with a casual passing interest in IT security will at some stage encounter the paradoxically named expression ‘false positive’. Not quite the tautological twist that it might at first sound like, a false positive is the term we use to describe the “false” identification of a piece of software code as a “positive” identification match with code belonging to a virus, worm, spam-related phishing scam — or in fact any other form of malware as defined by an anti-virus protection suite.
When do false positives occur?
False positives can occur when a spam filter positively identifies a legitimate message as harmful. A spam filter can reside on either a user’s desktop (and therefore be said to be “client-side”) or on a back office server (where it is said to be “server-side“) in a company network environment. The result is the same in either scenario, as the message is “bounced” back to the email sender and/or quarantined, tagged as potentially harmful and ultimately deleted.
But false positives can occur outside of straightforward email filtering, in scenarios where any software application code is analysed for patterns that have been identified as belonging to malware.
If an “app” (or an application extension – see below) exhibits behavior identified and/or associated with malicious activity, such as attempts to make modifications to the computer’s operating system or related files, or an action to freeze a memory address – then it may be classified as a false positive, even when the application’s actions were intended by the user.
This kind of scenario might very typically come about if a user happens to initiate a “game trainer” or cheat extension to an installed video game or similar application/software program. The trainer tries to execute a smaller .exe program or sections of code to modify the game’s behaviour and as this is essentially classed as an “exploitative action”, so the user’s anti-virus suite blocks the operation even though the user wanted the action to happen. Hence, a false positive has occurred.
This situation can also happen during the wider general use of a computer too. Consider the fact that there are quite literally millions of viruses out there and billions upon billions of lines of binary software code. It is not beyond the realms of possibility to consider that one piece of virus code could be matched with that of a legitimate software program’s operation.
Clearly we know that big brand anti-virus manufacturers develop their systems to a level of sophistication far beyond the “random coincidence” factor that we suggesting here, but some user awareness of this is great background knowledge for anyone that uses a computer.
What can users do about false positives?
So if a computer system falsely classifies a piece of non-malicious software code as spam, adware or malware of any kind is there anything a user can do? The short answer is yes – and first actions should be focused on updating your anti-virus suite to a current-year version. If you are running up to date anti-virus protection, then it is still prudent to “update virus definitions” by initiating an online product update, which all reputable protection suites will offer as a normal operational option.
Being aware of the existence of false positives is good basic background knowledge for any user, especially if you intend (as most of us inevitably will) to download application extensions or add-ons of some kind or another.
Leave a reply
