All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
If your antivirus program finished its most recent scan and came up with an unknown program or file, you may have run into a false positive. This is a program or file flagged as suspicious when it really isn’t. If you feel the flagged item is actually safe, there are several ways to confirm whether or not it’s safe to allow the program to run on your computer.
Between the malware research department of your antivirus software and your own internet searches, there’s always a way to identify the file. Making sure items your antivirus flags are safe can be the difference between your machine having an infection and one that's running well. Identifying a false positive can be tricky but there are several methods including websites like VirusTotal that can help you figure it out.
Let’s explore your options as well as look at which antivirus programs are best for no false positives.
Antivirus software works by scanning the code of any particular executable and comparing it to a database of other executable programs. An executable, in case you’re wondering, is anything that can execute, or run, on your device.
Sometimes executables are actual files, but some are fileless malware that works with your computer’s memory rather than the hard drive. Either way, it’s still a process of a code executing in some location on your computer or mobile device.
A false positive happens when your antivirus software is scanning those executables (or .exe files) and finds a piece of code that has similarities to malicious codes in its database. This can happen when a sophisticated piece of malware is created to imitate legitimate executables.
False positives can also happen when the compression and protection techniques and distribution methods are similar between legitimate and illegitimate programs. All this is a very technical way of saying a false positive is a safe file that shares similarities with an unsafe file. Antivirus software uses different types of analysis to classify files, such as heuristics-based, behavioral, and more.
Behavior analysis is when your antivirus software watches how an executable behaves rather than what’s in its source code. This is especially helpful for detecting fileless malware and malicious programs that spoof legitimate programs.
Behavior analysis watches an executable to see if it’s acting unusual. If the executable tries to plant itself in a location where similar executables aren’t located, replicates quickly, or starts accessing files it has no business accessing, your antivirus may flag it as a virus.
This type of antivirus tool is similar to behavioral analysis in that it examines commands and instructions. It then weighs the severity of the damage that could be done based on established rules.
Essentially this means that the heuristics-based detection tool is studying the executable and determining how catastrophic it could be if it was malicious. Depending on the settings of your antivirus software, it may alert you or it may quarantine the file for further inspection.
A potentially unwanted program (PUP) is any program downloaded onto your machine that your antivirus software recognizes as something that you may not want. Often, these programs are bundled with downloads you do want and can be anything from advertising software to marketing trackers.
These programs can slow down your computer, collect your data, and feed you a slew of unwanted ads. PUP blockers identify these pieces of software bundled into your download and stop them before they get onto your device.
Signature-based detection, like most of the detection methods on this list, is another way of comparing the file the antivirus is analyzing against a list of known indicators of compromise (IOCs).
This list can consist of email headlines, known malicious behaviors, file hashes, and a host of other determining factors. The common thread is that the signature of the IOCs associated with the file your antivirus found is compared against similar IOCs to determine if it’s malicious. Your antivirus may return a false positive if your file too closely matches a known malicious program.
There are several ways to tell if a flagged executable is a false alarm or actual malware that you should remove.
Whether you’re comfortable uploading files yourself (careful with this) or would rather wait for your antivirus vendor to analyze the file, you have options. The most important thing when dealing with unknown executables is to neither approve nor delete them until you know more. You could unwittingly release a virus onto your computer or delete an essential function. Let’s look at options for research and reporting.
You can upload any questionable executables to VirusTotal for analysis. This site is a favorite of malware researchers and enthusiasts alike as it not only checks the file for you but also alerts others in the community to what you found.
VirusTotal is only recommended if you’re comfortable quarantining and uploading files or websites and can do so without doing harm to your device.
Your antivirus scanner should automatically quarantine unknown files and send them to researchers for analysis. If this doesn’t happen automatically, you can request the files be quarantined and analyzed.
This method is best for people who don’t feel confident in their ability to detect and research unknowns on their own.
As a compromise between the first two options, a malware database is a good option if you aren’t comfortable uploading the file yourself but don’t want to wait for analysis from your antivirus software.
You can search free sites like Hybrid Analysis for the name of the file your software has detected. You can also use VirusBay, which is a community-based paid service.
A false positive can only be resolved once the research team has proven that it’s not malicious and can’t cause harm. This means they’ll put the sample through exhaustive testing to determine its purpose. Once they decide if it's clean or not, it’ll get loaded into the comparatives library that all files are checked against.
Keeping your antivirus software up-to-date will also keep the comparatives library up-to-date, resulting in fewer false positives.
You can browse your antivirus customer support pages for common false positives. If you’re experiencing a lot of false positives, there should be topics on each company’s support hub that cover how to configure your antivirus to reduce this occurrence.
The internet is an amazing resource. Try typing the name of the file into your favorite search engine and see what the collective hive mind has discovered. Remember to only trust reputable sources like blogs from cybersecurity professionals, antivirus companies, government websites, or university IT department announcements before determining whether you should whitelist or delete a file.
If you’re a little more tech-savvy, you can do an internet search for the properties a file should have then check the properties of the file on your computer.
Right click on the file and select Properties. You can also click Alt + Enter once you’ve highlighted the file.
Select the item on your desktop or in Finder. You can then click Choose File > Get Info or Command + I.
So you’ve done your research and you’re sure the issue you’re seeing is a false positive. You need the program to install and you need this file to get it to work correctly, but your antivirus is still blocking it.
If you feel 100% sure, there are several different approaches you can take to clear the false positive:
While no antivirus or cybersecurity software is infallible, the following products have tested well and had no false positives in the latest AV-TEST results.
We also have a list of the best antivirus products we’ve tested that performed well in third-party tests and in our at-home testing.
Please note this list is subject to change as new threats emerge, source code gets updated, and comparative lists grow.
All-in-one protection for your personal info and privacy
Excellent antivirus protection
Additional features like a file shredder and parental controls
Multiple pop-ups for text notifications can be annoying
Though it’s been around a while, McAfee still offers top-notch protection. We especially like that it comes with parental controls to help you keep your children safe online, as well as extra features like a file shredder.
If you prefer to skip these features, the McAfee Antivirus Basic plan still comes with phishing and ransomware protection.
McAfee had one false positive in May and none in June, per the latest AV-TEST results.[1]
See McAfee Plans | Read Our McAfee Review
Easy-to-install antivirus protection
Secure VPN and password manager included
Parental control features
Multi-tab navigation may be overwhelming at first
Another household name, Norton comes with solid antivirus protection. That includes real-time protection, a firewall, a VPN, cloud storage, and a password manager for all plans. If you'd like to add dark web monitoring and parental controls, you can do that too. You can also bundle your Norton antivirus with LifeLock, one of the best identity theft protection services available.
Norton consistently performs well in third-party testing, and its latest AV-TEST scores showed no false positives.[2]
See Norton Plans | Read Our Norton Review
High level of antivirus protection
Protection from malicious viruses, malware and dangerous websites
User-friendly interface and overall app
Lacks firewall protection
One of our most highly rated antivirus solutions, TotalAV features a friendly setup and scanning experience. We also like that it has a relatively low-cost plan to start with, which isn't always the case with a good antivirus.
All TotalAV plans come with real-time protection, phishing and ransomware attack protection, and performance optimization tools. The Total Security plan also comes with Total Adblock, an efficient and effective ad and tracker blocker, as well as a VPN and a password manager.
TotalAV's latest test results from AV-TEST showed no false positives, making it a great choice for device protection.[3]
See TotalAV Plans | Read Our TotalAV Review
Yes, any antivirus or anti-malware programs meant to protect your computer from malicious executables has the potential to give false positives.
The short answer is you can’t. Because of the nature of antivirus and how it detects malicious content, you can’t eliminate false positives completely.
Keeping your antivirus up-to-date helps reduce the number of false positives you get. If your antivirus keeps flagging a program you know is safe, you can whitelist it with your antivirus provider. Make sure, however, that you are 100% positive the file or program is safe, otherwise you may end up with a virus.
Yes, every antivirus has the potential to report a false positive, and Windows Defender is no different. Microsoft provides a guide on steps to take to address Windows Defender false positives.
There are instances where an executable can be mislabeled as a Trojan. So while a Trojan is definitely a malicious program, there have been instances where legitimate files have been classified as Trojans.
A false positive can be frustrating, especially if it’s preventing the download and execution of a file or program you really need. It’s important to be able to identify and fix false positive reports so you have absolute certainty files are good before allowing them on your device.
Whether you do an internet search or wait for the research team behind your antivirus, researching a file is the best way to avoid an infection. Remember, a false positive is always better than a false negative. If you do end up with an infection, remember there are resources to help you clean up your computer and remove malware before it gets any worse, and you always have the option to switch to one of our recommended best antivirus programs for the highest level of protection.
All-in-one protection for your personal info and privacy
Excellent antivirus protection
Additional features like a file shredder and parental controls
Multiple pop-ups for text notifications can be annoying
[1] Test McAfee Total Protection 1.9 for Windows 10
