What’s a False Positive and How Can You Fix It?

False positives are annoying, but you’ll need to be able to tell them apart from actual malware if you want to keep your computer running without issue. Here’s how to fix antivirus false positives.

If your antivirus program finished its most recent scan and came up with an unknown program or file, you may have run into a false positive. This is a program or file flagged as suspicious when it really isn’t. If you feel the flagged item is actually safe, there are several ways to confirm whether or not it’s safe to allow the program to run on your computer.

Between the malware research department of your antivirus software and your own internet searches, there’s always a way to identify the file. Making sure the items your antivirus flags are safe can be the difference between a machine with an infection and one that's running well. Identifying a false positive can be tricky, but there are several methods, including websites like VirusTotal, that can help you figure it out.

Let’s explore your options as well as look at which antivirus programs are best for no false positives.

What is an antivirus false positive?

Antivirus software works by scanning the code of any particular executable and comparing it to a database of other executable programs. An executable, in case you’re wondering, is anything that can execute, or run, on your device.

Sometimes executables are actual files, but some are fileless malware that works with your computer’s memory rather than the hard drive. Either way, it’s still a process of code executing in some location on your computer or mobile device.

A false positive happens when your antivirus software is scanning those executables (or .exe files) and finds a piece of code that has similarities to malicious code in its database. This can happen when a sophisticated piece of malware is created to imitate legitimate executables.

False positives can also happen when the compression and protection techniques and distribution methods are similar between legitimate and illegitimate programs. All this is a very technical way of saying a false positive is a safe file that shares similarities with an unsafe file. Antivirus software uses different types of analysis to classify files, such as heuristics-based, behavioral, and more.

Behavior analysis

Behavior analysis is when your antivirus software watches how an executable behaves rather than what’s in its code. This is especially helpful for detecting fileless malware and malicious programs that spoof legitimate programs.

Behavior analysis watches an executable to see if it’s acting unusually. If the executable tries to plant itself in a location where similar executables aren’t located, replicates quickly, or starts accessing files it has no business accessing, your antivirus may flag it as a virus.

Heuristics-based

This type of antivirus tool is similar to behavioral analysis in that it examines commands and instructions. It then weighs the severity of the damage that could be done based on established rules.

Essentially, this means that the heuristics-based detection tool is studying the executable and determining how catastrophic it could be if it were malicious. Depending on the settings of your antivirus software, it may alert you or it may quarantine the file for further inspection.

PUP blocker

A potentially unwanted program (PUP) is any program downloaded onto your machine that your antivirus software recognizes as something that you may not want. Often, these programs are bundled with downloads you do want and can be anything from advertising software to marketing trackers.

These programs can slow down your computer, collect your data, and feed you a slew of unwanted ads. PUP blockers identify these pieces of software bundled into your download and stop them before they get onto your device.

Signature-based

Signature-based detection, like most of the detection methods on this list, is another way of comparing the file the antivirus is analyzing against a list of known indicators of compromise (IOCs).

This list can consist of email headlines, known malicious behaviors, file hashes, and a host of other determining factors. The common thread is that the signature of the IOCs associated with the file your antivirus found is compared against similar IOCs to determine if it’s malicious. Your antivirus may return a false positive if your file too closely matches a known malicious program.
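The following added example (not from the original article or from any antivirus product) shows how a broad signature produces a false positive: a pattern signature taken from a shared packer stub also matches a legitimate program packed the same way, while an exact file hash does not. All byte strings and signature names are constructed for illustration.

```python
import hashlib

# Constructed sample data: none of these bytes come from real software.
PACKER_STUB = b"CONSTRUCTED-PACKER-STUB-v1\x00"   # stands in for a shared unpacking stub
KNOWN_BAD = PACKER_STUB + b"<constructed malicious body>"
BENIGN_PACKED = PACKER_STUB + b"<constructed legitimate installer body>"
BENIGN_PLAIN = b"<constructed legitimate program, not packed>"

# Two kinds of signature derived from the same known-bad sample.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Constructed.Exact"}
PATTERN_SIGNATURES = {PACKER_STUB: "Constructed.GenericPacked"}


def scan(data):
    """Return the names of every signature that matches the file content."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:          # exact match: only the identical file
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:                # broad match: any file with these bytes
            hits.append(name)
    return hits


def classify(data, is_actually_malicious):
    """Compare the scanner's verdict with the ground truth for a sample."""
    flagged = bool(scan(data))
    if flagged:
        return "true positive" if is_actually_malicious else "false positive"
    return "false negative" if is_actually_malicious else "true negative"


if __name__ == "__main__":
    samples = [("known bad", KNOWN_BAD, True),
               ("benign, same packer", BENIGN_PACKED, False),
               ("benign, unpacked", BENIGN_PLAIN, False)]
    for label, data, truth in samples:
        print(f"{label:22} {scan(data)!s:50} {classify(data, truth)}")
```
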

How to tell the difference between a false positive and actual malware

There are several ways to tell if a flagged executable is a false alarm or actual malware that you should remove.

Whether you’re comfortable uploading files yourself (careful with this) or would rather wait for your antivirus vendor to analyze the file, you have options. The most important thing when dealing with unknown executables is to neither approve nor delete them until you know more. You could unwittingly release a virus onto your computer or delete an essential function. Let’s look at options for research and reporting.

Scan the file with VirusTotal

You can upload any questionable executables to VirusTotal for analysis. This site is a favorite of malware researchers and enthusiasts alike as it not only checks the file for you but also alerts others in the community to what you found.

VirusTotal is only recommended if you’re comfortable quarantining and uploading files or websites and can do so without doing harm to your device.

Quarantine the file

Your antivirus scanner should automatically quarantine unknown files and send them to researchers for analysis. If this doesn’t happen automatically, you can request the files be quarantined and analyzed.

This method is best for people who don’t feel confident in their ability to detect and research unknowns on their own.

Search malware databases

As a compromise between the first two options, a malware database is a good option if you aren’t comfortable uploading the file yourself but don’t want to wait for analysis from your antivirus software.

You can search free sites like Hybrid Analysis for the name of the file your software has detected. You can also use VirusBay, which is a community-based paid service.

Check for antivirus software updates

A false positive can only be resolved once the research team has proven that it’s not malicious and can’t cause harm. This means they’ll put the sample through exhaustive testing to determine its purpose. Once they decide if it's clean or not, it’ll get loaded into the comparatives library that all files are checked against.

Keeping your antivirus software up-to-date will also keep the comparatives library up-to-date, resulting in fewer false positives.

Browse your antivirus’ customer support

You can browse your antivirus customer support pages for common false positives. If you’re experiencing a lot of false positives, there should be topics on each company’s support hub that cover how to configure your antivirus to reduce this occurrence.

Do an internet search

The internet is an amazing resource. Try typing the name of the file into your favorite search engine and see what the collective hive mind has discovered. Remember to only trust reputable sources like blogs from cybersecurity professionals, antivirus companies, government websites, or university IT department announcements before determining whether you should whitelist or delete a file.

Check the file properties

If you’re a little more tech-savvy, you can do an internet search for the properties a file should have, then check the properties of the file on your computer.

How to check file properties on a Windows computer

Right-click on the file and select Properties. You can also press Alt + Enter once you’ve highlighted the file.

How to check file properties on a Mac

Select the item on your desktop or in Finder. You can then choose File > Get Info or press Command + I.
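One property that can be compared without uploading anything is the file's SHA-256 hash. The added example below (not from the original article) hashes a flagged file and checks it against a checksum list in the `digest  filename` layout; it assumes the software's publisher provides such a list, and the file name and contents used in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_checksum_list(text):
    """Parse 'digest  filename' lines, the layout written by sha256sum."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected

def check_file(path, checksum_text):
    """Return 'match', 'mismatch', or 'unknown' for the flagged file."""
    expected = parse_checksum_list(checksum_text)
    name = os.path.basename(path)
    if name not in expected:
        return "unknown"   # publisher lists no hash: leave it quarantined
    return "match" if sha256_of(path) == expected[name] else "mismatch"

def demo():
    """Run the check on a constructed file with three constructed checksum lists."""
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "setup-example.exe")  # hypothetical file name
        with open(path, "wb") as handle:
            handle.write(b"constructed installer bytes")
        published = sha256_of(path) + "  setup-example.exe\n"
        altered = "0" * 64 + "  setup-example.exe\n"
        return (check_file(path, published),
                check_file(path, altered),
                check_file(path, "# no entries\n"))

if __name__ == "__main__":
    print(demo())
```

A match shows the file is byte-for-byte what the publisher released; a mismatch or an unlisted file is a reason to leave it in quarantine and keep researching.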

What should you do if you find a false positive?

So you’ve done your research and you’re sure the issue you’re seeing is a false positive. You need the program to install and you need this file to get it to work correctly, but your antivirus is still blocking it.

If you feel 100% sure, there are several different approaches you can take to clear the false positive:

  • Use your antivirus’ clean or fix tool
  • Submit the file to your antivirus’ reporting system
  • Reboot your device and rescan
  • Whitelist the file (only do this if you're 100% sure it’s safe)
  • Disable your antivirus (do this only as a last resort and after discussing the issue with your antivirus customer service)

According to Stanford research, 88% of all malware, ransomware, and virus infections are due to human error. Only whitelist a file or disable your antivirus if you are 100% positive you’re receiving a false positive.

Antivirus software with no or low false positives

While no antivirus or cybersecurity software is infallible, the following products have tested well and had no false positives in the latest AV-TEST results.

We also have a list of the best antivirus products we’ve tested that performed well in third-party tests and in our at-home testing.

Please note this list is subject to change as new threats emerge, source code gets updated, and comparative lists grow.

McAfee

  • All-in-one protection for your personal info and privacy
  • Excellent antivirus protection
  • Additional features like a file shredder and parental controls
  • Multiple pop-ups for text notifications can be annoying

Though it’s been around a while, McAfee still offers top-notch protection. We especially like that it comes with parental controls to help you keep your children safe online, as well as extra features like a file shredder.

If you prefer to skip these features, the McAfee Antivirus Basic plan still comes with phishing and ransomware protection.

McAfee had one false positive in May and none in June, per the latest AV-TEST results.[1]

Norton 360

  • Easy-to-install antivirus protection
  • Secure VPN and password manager included
  • Parental control features
  • Multi-tab navigation may be overwhelming at first

Another household name, Norton comes with solid antivirus protection. That includes real-time protection, a firewall, a VPN, cloud storage, and a password manager for all plans. If you'd like to add dark web monitoring and parental controls, you can do that too. You can also bundle your Norton antivirus with LifeLock, one of the best identity theft protection services available.

Norton consistently performs well in third-party testing, and its latest AV-TEST scores showed no false positives.[2]

TotalAV

  • High level of antivirus protection
  • Protection from malicious viruses, malware and dangerous websites
  • User-friendly interface and overall app
  • Lacks firewall protection

One of our most highly rated antivirus solutions, TotalAV features a friendly setup and scanning experience. We also like that it has a relatively low-cost plan to start with, which isn't always the case with a good antivirus.

All TotalAV plans come with real-time protection, phishing and ransomware attack protection, and performance optimization tools. The Total Security plan also comes with Total Adblock, an efficient and effective ad and tracker blocker, as well as a VPN and a password manager.

TotalAV's latest test results from AV-TEST showed no false positives, making it a great choice for device protection.[3]

Antivirus false positive FAQs


Can an antivirus give false positives?

Yes, any antivirus or anti-malware program meant to protect your computer from malicious executables has the potential to give false positives.


How do I stop my antivirus from detecting false positives?

The short answer is you can’t. Because of the nature of antivirus and how it detects malicious content, you can’t eliminate false positives completely.

Keeping your antivirus up-to-date helps reduce the number of false positives you get. If your antivirus keeps flagging a program you know is safe, you can whitelist it with your antivirus provider. Make sure, however, that you are 100% positive the file or program is safe, otherwise you may end up with a virus.


Does Windows Defender give false positives?

Yes, every antivirus has the potential to report a false positive, and Windows Defender is no different. Microsoft provides a guide on steps to take to address Windows Defender false positives.


Can a Trojan be a false positive?

There are instances where an executable can be mislabeled as a Trojan. So while a Trojan is definitely a malicious program, there have been instances where legitimate files have been classified as Trojans.

Bottom line

A false positive can be frustrating, especially if it’s preventing the download and execution of a file or program you really need. It’s important to be able to identify and fix false positive reports so you have absolute certainty files are good before allowing them on your device.

Whether you do an internet search or wait for the research team behind your antivirus, researching a file is the best way to avoid an infection. Remember, a false positive is always better than a false negative. If you do end up with an infection, remember there are resources to help you clean up your computer and remove malware before it gets any worse, and you always have the option to switch to one of our recommended best antivirus programs for the highest level of protection.

Author Details
Mary lives in Los Angeles and has been a cybersecurity writer for over five years. With a B.S. in Liberal Arts from Clarion University and an M.F.A. in Creative Writing from Point Park University in Pittsburgh, her career in online security began in sales and content creation for a private cybersecurity firm.

Citations

[1] Test McAfee Total Protection 1.9 for Windows 10

[2] Test Norton Norton 360 22.23 for Windows 10

[3] Test Protected.net Total AV 5.22 for Windows 10