AV False Positives: How Developers Can Help

TL;DR

False positives (your software flagged as malicious when it isn’t) happen. You can reduce them by understanding why, signing your code, packing carefully, using common libraries, and providing clear information to AV vendors.

Why Does This Happen?

Anti-virus (AV) products use various methods to detect threats:

• Signature-based detection: Looks for known malicious code.
• Heuristic analysis: Identifies suspicious behaviour.
• Machine learning: Predicts threats based on patterns.

Sometimes, legitimate software gets caught because it looks like malware. This is more common with:

• New or unusual code.
• Code that modifies system files.
• Packed or obfuscated code (making it harder to understand).

How Developers Can Reduce False Positives

1. Sign Your Code: This is the most important step! A digital signature proves your software comes from you and hasn’t been tampered with.

• You’ll need a code signing certificate from a trusted Certificate Authority (CA).
• Use tools like Signtool (part of the Windows SDK) to sign your executables and libraries. Example: signtool sign /f mycertificate.pfx /p password /t http://timestamp.digicert.com myfile.exe

Careful Packing/Obfuscation: While packing can reduce file size, it often triggers AV alerts.

• If you must pack, use well-known and reputable packers.
• Avoid excessive or complex obfuscation.
• Test thoroughly with multiple AV products before release.

Use Common Libraries: Avoid reinventing the wheel. Using widely used libraries reduces the chance of false positives.

• AV vendors are more likely to have already scanned and trusted popular libraries.

Avoid Suspicious Behaviour: Be mindful of what your software does.

• Minimize direct system file modifications.
• Use standard APIs instead of low-level functions where possible.
• Don’t attempt to bypass security features.

Submit Your Software to AV Vendors: Most AV vendors have a submission process for analyzing new software.

• VirusTotal is a good starting point – it submits your file to many AV engines at once.
• Provide clear information about your software’s purpose and functionality.

Test with Multiple AV Products: Don’t rely on just one AV scanner.

• Use online scanning services like VirusTotal.
• Consider using a virtual machine (VM) to test in a clean environment.

Monitor Reports from Users: Pay attention to user feedback about false positives.

• If users report issues, investigate and submit your software for re-analysis.

Dealing with False Positives After Release

1. Contact the AV Vendor: If your software is incorrectly flagged, contact the vendor directly. Provide details about the false positive and any steps you’ve taken to mitigate it.
2. Provide Samples: Be prepared to provide samples of your software for analysis.
3. Be Patient: It can take time for AV vendors to analyze and resolve false positives.