What I am talking about here is false alarms. Sometimes a security program such as antivirus software will block a perfectly legitimate program that you have downloaded from the internet.
It pops up a message on the screen saying something like, “Hey, this looks like Trojan XYZ.123 and it has been blocked for your safety.” Is it right, and has it just saved you from a dire threat, or is it wrong? How can you tell?
This situation arose recently when I downloaded a CD/DVD-ROM drive emulator for a laptop that does not have an optical drive. The program was WinCDEmu, but that does not matter; it could have been anything.
When this program was run I got security warnings from my antivirus software. Apparently it contained a known Trojan. It also tried to change some system settings. Here is one of the messages (there were others):
The question is, is it right or is it wrong? Usually when this happens it is indeed correct and it has blocked a malicious program that could interfere with your computer or steal personal information. However, in this case I had my doubts and I just didn’t believe it.
It would be foolish to ignore warnings of malware, of course, so the safest course of action is to quit the program and let the antivirus software remove or block it. Before writing the download off, though, you can get a second opinion by uploading the file to an online service that scans it with dozens of antivirus engines at once.
Click the Select/Choose a file button and pick the suspected malware file on the disk drive. There is a maximum upload size of 128MB, so you cannot do this with very big files, but most suspicious files are quite small anyway. Bear in mind that anything you upload is normally shared with the participating vendors and with other researchers, so do not upload documents or installers that contain confidential data; many such services let you look a file up by its hash instead, which gives you the same verdicts without sending the file anywhere.
After clicking the Scan it! button, the file is uploaded. It turned out that I was not the first to query this file and someone else had uploaded it before me.
It states that the detection ratio is 1/56, which means that it was tested with 56 antivirus programs and only one said it was malware. This is not unusual, and when 55 antivirus programs say a program is clean and only one says it is malware, it is almost certainly a false positive, particularly when the one detection carries a generic or heuristic label rather than the name of a specific, well-known family. The inference does not run as strongly the other way: a brand-new or targeted sample can score 0/56 simply because no vendor has seen it yet, so a low ratio on a file from an unusual source is reassurance, not proof.
There is a button to view the analysis and a long list of the antivirus programs is displayed showing which ones said it was clean and which said it was malware.
An overwhelming majority of clean verdicts indicates that the file I tried to run was clean and that my antivirus program was wrong. Antivirus programs have options to ignore individual files or add them to a whitelist so that they will not trigger a warning again. Whitelist only the specific file you checked, not its whole folder, and make sure it really is the same file: compare its hash with the one shown in the scan report, and re-check after any update that replaces the executable.
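The triage described above can be done locally once the per-engine verdicts are in hand. The following is an added example, not code from the original post or from any scanning service: it computes the SHA-256 hash of the file (the value you would search the scanner for, and compare against the report, instead of uploading), counts detections across engines, and turns the ratio into a verdict. The engine names and the verdict label in the sample results are constructed to mirror the 1/56 case above, and the ratio thresholds are assumptions chosen for illustration, not a published rule.

```python
"""Triage a suspected antivirus false positive from multi-engine scan results.

Added example; the engine names below are placeholders and the thresholds in
triage() are this example's own assumptions.
"""
import hashlib
from typing import Dict, Optional

# Constructed sample: 56 engines, one of which flags the file with a generic
# label. Real reports use vendor names; None here means "clean".
SAMPLE_RESULTS: Dict[str, Optional[str]] = {f"engine{i:02d}": None for i in range(1, 56)}
SAMPLE_RESULTS["engine56"] = "Trojan.Generic.XYZ.123"  # hypothetical label

GENERIC_MARKERS = ("generic", "heur", "suspicious", "gen:", "variant")


def sha256_of_bytes(data: bytes) -> str:
    """Hash in-memory data; used by sha256_of_file and handy for tests."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers do not need to fit in memory.
    Search the scanner for this value rather than uploading, and compare it with
    the hash in the report to be sure you scanned the file you are about to run."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize(results: Dict[str, Optional[str]]) -> dict:
    """Count detections and record which engines flagged the file and how."""
    detections = {eng: label for eng, label in results.items() if label}
    generic = [eng for eng, label in detections.items()
               if any(m in label.lower() for m in GENERIC_MARKERS)]
    return {
        "total": len(results),
        "detected": len(detections),
        "ratio": f"{len(detections)}/{len(results)}",
        "flagged_by": sorted(detections),
        "generic_labels": sorted(generic),
    }


def triage(summary: dict) -> str:
    """Turn a summary into a verdict. Thresholds are assumptions for this example:
    up to 5% of engines flagging the file reads as a likely false positive,
    half or more as malicious, and anything between as inconclusive."""
    total, detected = summary["total"], summary["detected"]
    if total < 10:
        return "inconclusive (too few engines)"
    if detected == 0:
        # Zero hits is not proof of innocence: a fresh or targeted sample may
        # simply not have been seen by any vendor yet.
        return "no detections (still check the download source and hash)"
    share = detected / total
    if share <= 0.05:
        # A lone generic/heuristic hit is the classic false-positive signature.
        if summary["generic_labels"] == summary["flagged_by"]:
            return "likely false positive (only generic/heuristic hits)"
        return "likely false positive"
    if share >= 0.5:
        return "malicious"
    return "inconclusive (mixed verdicts; treat as suspicious)"


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print(f"detection ratio {s['ratio']}, flagged by {s['flagged_by']}")
    print("verdict:", triage(s))
```

Run it as-is to see the constructed 1/56 case classified; point `sha256_of_file` at the real download to get the hash to search for. The hash check matters more than it looks: the file someone else uploaded before you is only useful evidence if it is byte-for-byte the one on your disk.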
Metascan online uses 44 antivirus programs and it has a more colourful interface that displays a nice graphic when it has finished.
None of the Metascan antivirus programs thought that it was malware. With this information I went ahead and ran the program despite the (wrong) warning from my antivirus software. Perhaps it is time to change it.