What is the best way to know if the files your AV detected are a FP?

I know one of the signs is when the computer stops working. What are some other signs?

 

Your best bet is,uploading /sending them to the AV vendor that your using so that they can verify if the files are indeed a FP or not.

 

If I suspect a FP, I go to the vendors forum and look around for posts that are similar to my issue. If they have a FP section, that's a good place to start.

If I have no reason to believe it's dangerous, I don't quarantine it and upload the questionable file to VirusTotal or Jotti. If it comes up relatively clean there, I post on the vendors site or send them an email with the relative information and a link to the scan results so they can fix the FP. I don't recommend allowing a file out of quarantine for inexperienced users.

 

1. use my discression (filename/location/date/detection name)
2. google + virustotal it
If I think its not a FP, then I've determined if its a FP or not.
If FP/unsure
3. send to the AV.

 

I send it to the AV company.
avoids any guesswork. There should be quick reply and fixed within next update.

 

First Google the file, about 95% times i find out what the file is, if i cant i upload it on virustotal.

 

I agree with Cloud_Shadow, first Google search the file.
If that doesn't help, I scan it at VirusTotal.
In some cases I will send it to the vendor. Especially if it looks like a false positive.

 

I agree with this step, and follow it myself all the time. Often, when you do this, there will be nothing there yet, so it becomes your job to post about the possible FP and wait for others to input what they are seeing. I have noticed over the years that there is a definite downside to being fast with downloading new updates... you get the full brunt of the FPs before the vendor has had the opportunity to iron them all out. I wonder sometimes if it wouldn't be smarter to NOT be so quick to install new updates... but I always end up opting for grabbing the most recent updates as soon as I can. What I've done instead is to stop using the applications that I believed were pumping out a high number of FPs.

Edit in: Also, looking at the age of the file that is under scrutiny can be a clue. If it has been residing on your HD for a long time, and suddenly, after updating your AV (or other security app), it is being called a threat, it gives you a pretty good idea that the newest definitions contained a FP. If, otoh, the file is a new one, then maybe it is more likely to be an actual threat.

 

First, do not needlessly ever download software from other than the program author's web site.

If the author does not give either an email address for support questions, or a forum in which to ask questions, do not even bother downloading the software.

Following the above advice will reduce the number of false positives and malware.

Recently, I ran one of my own programs in KAV 7.1.0.325 and KIS 8.0.0.506, which has raised an issue that I am attempting to discuss at http://forum.kaspersky.com/index.php?showtopic=115496.

In addttion, I recently found a company that has a product that will allegedly let you know whether your riskware is malware or not. As I have not investigated their methodology, I will not name the company, but I will point out that a few weeks ago, I accientally discovered that they had 3 of my programs listed as "CURRENTLY BEING REVIEWED".

Their documents made very incorrect statements about the programs.
I contacted them and just gave them pointers to the URLs for the programs, and they quickly whitelisted the programs.

My impression is that they get requests from their own customers about particular files, and add lots of programs to the "CURRENTLY BEING REVIEWED" list. In effect, they are trying to scare folkes into buying their programs.

If I had not contacted them, I wonder how long it would have taken for my programs to get whitelisted, if ever. Indeed, they mentioned my name in one listing, so they knew who I was.

At some point, I want to further investigate their methodology, then air this discussion in an open forum.

Wonder how many other companies are in this business.

In any case, as others have said, the best you can do is send the allegedly FP to the AV vendor for confirmation.

But, that does always work!

A few years ago, I was a good-boy and sent such critters to Symantec, however, their mail program scanned the files at their end and just regurgitated the FP warning. These were with files I KNEW were false positives. So, do not bother sending files if they are going to merely pass thru an automatic filter, as that will likely generate the same FP as the AV software.

Of course, as a programmer, I am capable of examining source code myself.
I expect that few malware would have their source code available, but with all the nuts out there anything is possible.

With MSFT Office, it is oft possible to examine even hidden source code, tho, these daze, nasty malware folkes are more likely to compile code into DLLs.

 

Finding the MD5 value of the file, and then googling that value can sometimes give answers...

 

Try and recall if you've installed or changed anything recently on your PC.
If not its most likely a FP.

If you have installed new security or anti-rootkit scanners , they are often flagged as a FP.

Check google and virustotal.

That's usually my sequence.

 

All good replies.
I locate the file and examine its properties.
Google the file name.
Look on security forums, especially that of my AV.
Upload the file to virustotal.
Send it to my AV company.

All depends on the circumstances. Some sets of circumstances will give a strong indication it is malware, such as new icons appearing, things not working, redirects to wrong pages etc.
I haven't seen anything like that for quite a while.

 

Best to zip the file up and then send to AV maker.. Let them test the pest in the lab weither it could be FPs or not?

 

Another reason that does not always work is the following.

A number of years agom as a member of distribution list, I receined a message that had an HTML doc as an attachment.

NAV flagged it as a virus/warning.

As I knew the author, I contacted him, and used his contacts in Symantec to remedy the problem in a short time.

However, I've been using KAV/KIS for about 3 years now, they warn about the same message. I have not yet, and may never, take the time to report this to them.

I can only guess that the particular message contains something that looks like a known virus signature.

 

So whats your point?... they won't fix it unlessd they know there is a FP in the first place

 

Yes, but reporting such a message is way down my priority list.

 

upload them www.jotti.org or www.virustotal.com

 

You are asking about signs of infections ?

* Files are changing in size, location, date/time etc..
* Strange messages popping up ..
* Strange sounds, graphics, icons, etc..
* Slowdown in : booting, program execution, shutdown, etc..
* Windows / antivirus / apps crash..
* BSODs, hanging, ..
* etc..

 

the only real way to tell if its a FP for your chosen product is to upload it to them,not check using virustotal or any other site,there have been odd times wher only one or two products have detected things as being malware that was malware and the others haven't,using consensus to decide is not always accurate,only the vendor will be able to tell you without doubt as to whether their product is "telling the truth" or not