We've all been there - you get an alert from your virus scanner warning that a particular file is infected. Sometimes the alert reappears even after you've told the antivirus scanner to remove the infection. Or maybe you just have reason to believe the virus alert may be a false positive
. Here are six things you'll want to consider to determine how to handle a suspicious or questionable virus alert.
1. Location, Location, Location
As with real estate, the location of what's being detected can have critical bearing. If you're getting repeated alerts of the same infection, it may be due to non-active malware that's trapped in the system restore folders or a remanant in some other location that is triggering the alert.
2. Origination: From Whence it ComesJust as with location, the origin of the file can mean everything. High risk origins include: attachments in email, files downloaded from BitTorrent or other filesharing network, and unexpected downloads resulting from a link in email or instant messaging. Exceptions would be files that pass the Purpose test described below.
3. Purpose: Did you Want It, Need It, Expect It?The Purpose test boils down to a matter of intent. Is this a file you expected and need? Any file that is downloaded unexpectedly should be considered high risk and likely malicious. If it wasn't downloaded unexpectedly, but you don't need the file, you can mitigate your risk by simply deleting it. Being selective about what you allow to run on your system is an easy way to cut your risk of virus infection (and avoid bogging down system performance with unnecessary apps). However, if the file was deliberately downloaded and you do need it yet it's still being flagged by your antivirus, then it's passed the Purpose test and it's time for a second opinion.
4. SOS: Second Opinion Scan
If the file passes the Location, Origination and Purpose steps but the antivirus scanner still says it is infected, its time to upload it to an online scanner for a second opinion. You can submit the file to Virustotal
to have it scanned by over 30 different malware scanners. If the report indicates that several of these scanners think the file is infected, take their word for it. If only one or very few of the scanners report an infection in the file, then two things are possible: it really is a false positive
or it is malware that is so new it's not yet being picked up by the majority of antivirus scanners.
5. Searching by MD5
A file can be named anything, but an MD5 checksum seldom lies. An MD5 is an algorithm that generates a presumably unique cryptographic hash for files. If you used Virustotal
for your second opinion scan, at the bottom of that report you'll see a section titled "Additional Information". Just beneath that is the MD5 for the file that was submitted. You can also obtain the MD5 for any file by using a utility such as the free Chaos MD5 from Elgorithms
. Whatever means by which you choose to obtain the MD5, copy and paste the MD5 for the file into your favorite search engine and see what results appear.
6. Get Expert Analysis
If you've followed all the steps above and still don't have sufficient information to help you determine whether the virus alert is genuine or a false positive, you can submit the file (depending on file size) to an online behavior analyzer. Note that the results provided by these behavior analyzers may require a higher level of expertise to interpret. But if you've gotten this far in the steps, chances are you'll have no trouble deciphering the results!