On Virus Scanners and False Positives

We get reports about false positives from virus scanners regularly, so we thought we would write a little about it.

The problem with commercial virus scanners like Norton and McAfee is that they depend on fear-mongering to keep their income up. If they don't find a "virus" every now and again you might start to think that they aren't really worth the money you're paying. We're not saying they deliberately cause false positives, but this attitude does cause them to make their detectors very sensitive so that they regularly claim that things contain viruses or malware which are in reality completely clean, such as our program.

So-called "heuristics based" detectors are especially bad. Those are detectors that don't look for a specific, known virus, but instead look for virus-like behaviour. Of course, a completely legitimate installer does a lot of things that a virus also does, such as writing files, writing to the registry, etc. And Norton especially has a habit of flagging files as being evil just because they are new (you know, like a new release of a software program...).

We recommend not using commercial virus scanners. If you're on Windows, use Microsoft Security Essentials. They don't have commercial pressure to detect as many "viruses" as possible, instead they have pressure to be as accurate as possible, because Microsoft realises that the many security holes that viruses use to infect Windows, and the perceived security problems with Windows that are in reality caused by viruses, damage Windows' reputation.

You should also know about the website virustotal.com. There you can scan URLs or files against a long list of different virus scanners. If your virus scanner says WorldPainter contains a virus, test it there (either by giving it the URL from which you downloaded WorldPainter, or by giving it the file you downloaded). Usually it will be completely clean. If it says that one or two virus scanners flagged it, that usually means it's a false positive. Only if a significant portion of the virus scanners flag it might there really be a virus in it (in which case please let us know!).

Check this page for links to VirusTotal reports for the download links of the latest WorldPainter release. From the download link report you can click through to the report for the actual downloaded file itself.

If you want to make sure that the file virustotal.com tested is actually the same file you downloaded, check the SHA256 hash that's given at the top of the virustotal.com report using a tool such as HashTab.
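If you would rather script the comparison than use a GUI tool, the check described above can look like the following. This is an added example, not part of WorldPainter or the original page; the function names are made up for illustration and the sample file is constructed. It assumes you paste the SHA256 value from the report as the second argument.

```python
import hashlib
import hmac
import os
import re
import sys
import tempfile

# Hex digest lengths of other hashes a report may list, to explain a wrong paste.
OTHER_LENGTHS = {32: "MD5", 40: "SHA-1"}

def normalize_sha256(pasted):
    """Clean up a hash copied from a web page and check it is a SHA-256."""
    value = re.sub(r"\s+", "", pasted).lower()
    if not re.fullmatch(r"[0-9a-f]*", value):
        raise ValueError("not a hexadecimal hash")
    if len(value) != 64:
        kind = OTHER_LENGTHS.get(len(value), "unknown")
        raise ValueError(f"expected 64 hex digits (SHA-256), got {len(value)} ({kind})")
    return value

def sha256_of_file(path, chunk_size=1024 * 1024):
    """Hash the file in chunks so a large installer is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def same_file_as_report(path, pasted_hash):
    """True if the local file has the SHA-256 shown in the report."""
    return hmac.compare_digest(sha256_of_file(path), normalize_sha256(pasted_hash))

def demo():
    """Run the check on a constructed sample file (not a real download)."""
    with tempfile.NamedTemporaryFile(delete=False) as sample:
        sample.write(b"constructed sample installer bytes")
    try:
        report_hash = hashlib.sha256(b"constructed sample installer bytes").hexdigest()
        return same_file_as_report(sample.name, "  " + report_hash.upper() + "\n")
    finally:
        os.remove(sample.name)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("match" if same_file_as_report(sys.argv[1], sys.argv[2]) else "MISMATCH")
    else:
        print("demo on constructed sample:", demo())
```

A mismatch means the report you are reading describes a different file than the one on your disk, so its scan results say nothing about your download.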

Last modified on Jan 21, 2013, 11:17:12 AM