VirusTotal, the website that allows you to upload a file and scan it against numerous antivirus engines, shared yesterday that it has been working with Microsoft to help solve the problem of false positives. A false positive is where an antivirus flags a file as malicious incorrectly. These can range from mildly annoying to havoc-producing, week-ruining events.
If a core system file is flagged as a false positive, the entire computer can be crippled and unable to operate or recover. I had the joy of living through a false positive from McAfee that brought down all Windows XP computers. Of course, they are not alone – almost every security software vendor goes through at least one significant false positive that affects the operating system. Others can happen quite regularly with specialized software that the vendor does not test against and must match some characteristics of malware that the AV is trying to target.
In yesterday’s posting, VirusTotal wrote about how they are working to use a trusted source on identifying files. They have already started marking these files in scans with where they come from. You can see in a scan of a Microsoft file that it will mark the file as a Trusted source. “This file belongs to Microsoft Corporation’s software catalogue.”
Now they are fingerprinting malware and legitimate files instead of trying to have a comprehensive list on only one side (blacklist malicious files), it could be possible to improve antivirus performance and effectiveness by also whitelisting legitimate files.
So far, VirusTotal has only worked with Microsoft but is looking for other very large software development companies to work with and mitigate the false positive problem. Google owns VirusTotal, so I’m surprised they’re not also in the list for Chrome and other desktop applications. Apple, Adobe, or some others might be great next steps for this project.