If your antivirus program finished its most recent scan and flagged an unknown program or file, you may be looking at a false positive: a program or file reported as malicious when it is not. If you believe the flagged item is safe, there are several ways to confirm that before you allow it to run on your computer.
Between your antivirus vendor's malware research team and your own research, there is usually a way to identify the file. Checking whether a flagged item is really safe can be the difference between an infected machine and a healthy one. Identifying a false positive can be tricky, but several methods, including services like VirusTotal, can help you figure it out.
Let’s explore your options as well as look at which antivirus programs are best for overall usability.
How to tell the difference between a false positive and actual malware
What should you do if you find a false positive?
Antivirus software with perfect usability scores
Antivirus false positive FAQs
Bottom line
What is an antivirus false positive?
Antivirus software works by scanning the contents of an executable and comparing it against a database of known malicious code. An executable, in case you're wondering, is anything that can execute, or run, on your device.
Usually an executable is a file on disk, but fileless malware runs from your computer's memory rather than the hard drive. Either way, it is code executing somewhere on your computer or mobile device.
A false positive occurs when the antivirus scans an executable and finds code that resembles malicious code in its database closely enough to trigger a detection, even though the file is harmless. This can happen when malware is built to imitate legitimate programs: the signatures written for that malware then also match the legitimate programs it copies.
False positives also happen when legitimate and illegitimate programs use the same compression, packing, protection, or distribution techniques; a packer used by both shareware and malware looks the same to the scanner. This is a technical way of saying that a false positive is a safe file that shares traits with an unsafe file. Antivirus software uses several types of analysis to classify files, including behavioral, heuristic, and signature-based checks.
Behavior analysis
Behavior analysis is when your antivirus software watches what an executable does while it runs rather than what its code looks like on disk. This is especially helpful for detecting fileless malware and malicious programs that spoof legitimate ones.
Behavior analysis watches an executable for unusual activity. If the executable installs itself in a location where similar programs are never found, replicates quickly, or starts accessing files it has no business touching, your antivirus may flag it as malicious.
Heuristics-based
This type of detection is similar to behavioral analysis in that it examines the commands and instructions an executable contains. Based on established rules, it then weighs how much damage those instructions could do.
Essentially, heuristic detection studies the executable and scores how dangerous it could be if it were malicious. Because it scores suspicion rather than matching a known sample, it is the method most prone to false positives. Depending on the settings of your antivirus software, it may alert you or quarantine the file for further inspection.
PUP blocker
A potentially unwanted program (PUP) is any program downloaded onto your machine that your antivirus software recognizes as something that you may not want. Often, these programs are bundled with downloads you do want and can be anything from advertising software to marketing trackers.
These programs can slow down your computer, collect your data, and feed you a slew of unwanted ads. PUP blockers identify these pieces of software bundled into your download and stop them before they get onto your device.
Popular PUPs include:
Signature-based
Signature-based detection compares the file the antivirus is analyzing against a list of known indicators of compromise (IOCs).
That list can consist of file hashes, byte patterns, email subject lines and headers, known malicious behaviors, and other identifying attributes. The common thread is that the signature derived from your file is compared against the signatures of known malware, and your antivirus returns a false positive if your file matches a malicious program too closely. An exact hash signature almost never produces a false positive but misses any variant that differs by a single byte, so vendors also ship looser pattern signatures, and those are where most signature false positives come from.
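The three mechanisms described above (exact hash match, pattern signature, additive heuristic score) are easiest to understand side by side in a toy scanner. The following is an added example written for this page, not All About Cookies' own text or any vendor's engine; the signature names, weights, alert threshold, and sample files are all constructed for the demonstration.

```python
"""Toy scanner showing how signature and heuristic detection produce false
positives. Added example, not AllAboutCookies' text or any vendor's engine;
every signature, weight and sample file below is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # hypothetical detection name
    pattern: bytes  # byte sequence the scanner searches for
    weight: int     # heuristic weight, chosen for the example


# Two short, generic signatures (an API name and an environment variable that
# plenty of benign installers also use) and one long, specific one.
SIGNATURES = [
    Signature("Generic.Injector", b"CreateRemoteThread", 3),
    Signature("Generic.TempDropper", b"%TEMP%", 3),
    Signature("Trojan.Example", b"CreateRemoteThread\x00WriteProcessMemory\x00%TEMP%\\svch", 10),
]
ALERT_THRESHOLD = 5  # total weight at which the scanner reports "malicious"

# Constructed sample files: a legitimate installer, the "known bad" sample,
# that sample with one byte changed, and an ordinary document.
BENIGN_INSTALLER = (b"MZ\x90\x00 SetupInstaller 2.1: unpacks to %TEMP%\\setup, "
                    b"then uses CreateRemoteThread to restart the tray helper")
MALWARE = b"MZ\x90\x00 loader CreateRemoteThread\x00WriteProcessMemory\x00%TEMP%\\svchost.exe"
VARIANT = MALWARE.replace(b"svchost", b"svchosT")
CLEAN_DOC = b"Quarterly report: revenue up 4%"

# Exact-hash "database" of known malware, keyed by SHA-256 (constructed).
KNOWN_BAD_SHA256 = {hashlib.sha256(MALWARE).hexdigest(): "Trojan.Example"}


def scan(content: bytes) -> dict:
    """Run the three checks the article describes and return what fired."""
    sha256 = hashlib.sha256(content).hexdigest()
    hash_hit = KNOWN_BAD_SHA256.get(sha256)  # exact match: no false positives, but no variants
    matches = [s for s in SIGNATURES if s.pattern in content]  # pattern signatures
    score = sum(s.weight for s in matches)   # additive heuristic score
    verdict = "malicious" if hash_hit or score >= ALERT_THRESHOLD else "clean"
    return {"sha256": sha256, "hash_hit": hash_hit,
            "matches": [s.name for s in matches], "score": score, "verdict": verdict}


def is_false_positive(content: bytes, actually_malicious: bool) -> bool:
    """True when the scanner says 'malicious' about a file we know is benign."""
    return scan(content)["verdict"] == "malicious" and not actually_malicious


if __name__ == "__main__":
    for label, blob, truth in [("benign installer", BENIGN_INSTALLER, False),
                               ("known malware", MALWARE, True),
                               ("one-byte variant", VARIANT, True),
                               ("clean document", CLEAN_DOC, False)]:
        r = scan(blob)
        print(f"{label:18} verdict={r['verdict']:9} score={r['score']:2} "
              f"hash_hit={r['hash_hit']} matches={r['matches']} "
              f"false_positive={is_false_positive(blob, truth)}")
```

The benign installer trips both generic signatures, crosses the threshold, and is reported as malicious: a false positive with no hash match behind it. The one-byte variant shows the other side of the trade-off: the exact hash no longer matches, and only the pattern signature still catches it. Vendors live between those two failure modes, which is why updates that tighten a signature reduce false positives on your machine.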
How to tell the difference between a false positive and actual malware
There are several ways to tell if a flagged executable is a false alarm or actual malware that you should remove.
Whether you're comfortable uploading files yourself (careful with this: anything uploaded to a public analysis service is shared with researchers and other vendors, so never upload a file that contains confidential data) or would rather wait for your antivirus vendor to analyze the file, you have options. The most important step when dealing with an unknown executable is to neither allow nor delete it until you know more. You could unwittingly release malware onto your computer or delete a component that something else depends on. Let's look at options for research and reporting.
Scan the file with VirusTotal
You can upload a questionable executable to VirusTotal for analysis. The site is a favorite of malware researchers and enthusiasts alike because it scans the file with dozens of antivirus engines and shares the sample with the security community.
Before uploading, search VirusTotal for the file's SHA-256 hash: if someone has already submitted the same file, you get the results without disclosing anything. Uploading is only recommended if you're comfortable handling the file and it contains nothing private, because submitted files are shared with participating vendors and researchers.
Quarantine the file
Your antivirus scanner normally quarantines files it detects and, if cloud sample submission is enabled, sends them to the vendor's researchers for analysis. If this doesn't happen automatically, you can submit the quarantined file to the vendor for analysis yourself.
This method is best for people who are unsure of their ability to detect and research unknowns independently.
Search malware databases
A malware database is a compromise between the first two options. It's a good option if you aren’t comfortable uploading the file yourself but don’t want to wait for analysis from your antivirus software.
You can search free sites like Hybrid Analysis for the name, or better the hash, of the file your software detected; a hash identifies the exact file, while many unrelated files share a name. You can also use VirusBay, a community-based paid service.
Check for antivirus software updates
A false positive is resolved once the vendor's research team has confirmed the file isn't malicious. They put the sample through testing to determine its purpose, and once they decide whether it's clean, the verdict is added to the signature database that all scanned files are checked against.
Keeping your antivirus software up to date also keeps that signature database up to date, resulting in fewer false positives.
Browse your antivirus program's customer support
You can browse your antivirus customer support pages for common false positives. If you’re experiencing a lot of false positives, there should be topics on each company’s support hub that cover how to configure your antivirus to reduce this occurrence.
Do an internet search
The internet is an amazing resource. Try typing the file name into your favorite search engine and see what the collective hive mind has discovered. Remember to only trust reputable sources, such as blogs from cybersecurity professionals, antivirus companies, government websites, or university IT department announcements, before determining whether you should whitelist or delete a file.
Check the file properties
If you're a little more tech-savvy, you can do an internet search for the properties a file should have (size, version, publisher, and the hash the vendor publishes), then compare them with the properties of the file on your computer.
How to check file properties on a Windows computer
- Right-click the file and select Properties, or highlight the file and press Alt + Enter. For a signed program, the Digital Signatures tab shows who signed it and whether the signature is valid; a file that claims to come from a vendor but carries no signature, or an invalid one, deserves suspicion.
How to check file properties on a Mac
- Select the item on your desktop or in Finder, then choose File > Get Info or press Command + I.
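Hash lookup and file properties fit together in a single triage step. The script below is an added example, not code from All About Cookies or any antivirus vendor: it hashes a file, compares the SHA-256 with a hash the vendor is assumed to have published on its download page, reads the PE header fields a triage checklist looks at, and builds the VirusTotal hash-lookup URL so that nothing has to be uploaded. The file names, the sample PE images, the vendor hash list, and the fixed "now" date are all constructed for the example.

```python
"""Triage a flagged Windows executable by hash and header properties before
deciding whether to upload it anywhere. Added example, not AllAboutCookies' or
any vendor's code; sample files, vendor hash list and "now" are constructed.
Only the DOS and COFF headers are parsed, so no third-party PE library is needed."""
import datetime as dt
import hashlib
import struct

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
CHUNK = 64 * 1024


def hash_file_bytes(content: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 in one pass; vendors publish one or more of these."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for offset in range(0, len(content), CHUNK):
        for h in hashes.values():
            h.update(content[offset:offset + CHUNK])
    return {name: h.hexdigest() for name, h in hashes.items()}


def pe_properties(content: bytes) -> dict:
    """Read the header fields a triage checklist looks at: architecture, section
    count and compile timestamp (a future or 1970 timestamp is a warning sign)."""
    if len(content) < 0x40 or content[:2] != b"MZ":
        return {"is_pe": False}
    (pe_offset,) = struct.unpack_from("<I", content, 0x3C)  # e_lfanew
    if len(content) < pe_offset + 12 or content[pe_offset:pe_offset + 4] != b"PE\0\0":
        return {"is_pe": False}
    machine, n_sections, timestamp = struct.unpack_from("<HHI", content, pe_offset + 4)
    return {"is_pe": True,
            "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "sections": n_sections,
            "compiled": dt.datetime.fromtimestamp(timestamp, dt.timezone.utc)}


def triage(name: str, content: bytes, vendor_hashes: dict, now: dt.datetime) -> dict:
    """vendor_hashes maps file name -> SHA-256 taken from the vendor's download
    page (assumed; never from the flagged file itself). Returns hashes,
    properties, findings, a verdict and a lookup URL that discloses only the hash."""
    hashes = hash_file_bytes(content)
    props = pe_properties(content)
    findings = []
    expected = vendor_hashes.get(name)
    if expected is None:
        findings.append("no published hash for this file name; ask the vendor")
        verdict = "unknown"
    elif expected == hashes["sha256"]:
        findings.append("SHA-256 matches the vendor's published hash")
        verdict = "trusted"
    else:
        findings.append("name matches a known-good file but the hash does not: treat as untrusted")
        verdict = "untrusted"
    if props.get("is_pe") and (props["compiled"] > now or props["compiled"].year < 1990):
        findings.append("implausible PE compile timestamp " + props["compiled"].isoformat())
        if verdict != "trusted":  # a matching vendor hash outranks the heuristic
            verdict = "untrusted"
    # Searching VirusTotal by hash shares nothing about the file; uploading does.
    lookup_url = "https://www.virustotal.com/gui/file/" + hashes["sha256"]
    return {"hashes": hashes, "properties": props, "findings": findings,
            "verdict": verdict, "lookup_url": lookup_url}


def build_fake_pe(timestamp: int, machine: int = 0x8664, sections: int = 3) -> bytes:
    """Constructed minimal PE image: DOS header, e_lfanew, PE signature, COFF header."""
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff_header = struct.pack("<HHIIIHH", machine, sections, timestamp, 0, 0, 0, 0x22)
    return dos_header + b"PE\0\0" + coff_header


# Constructed inputs: the vendor's real build, a look-alike that reuses the
# file name, and a plain text file.
VENDOR_TOOL = build_fake_pe(timestamp=1_700_000_000)  # built 2023-11-14
LOOKALIKE = build_fake_pe(timestamp=1_900_000_000)    # "built" in 2030
VENDOR_HASHES = {"vendortool.exe": hashlib.sha256(VENDOR_TOOL).hexdigest()}
NOW = dt.datetime(2024, 8, 1, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    for name, blob in [("vendortool.exe", VENDOR_TOOL), ("vendortool.exe", LOOKALIKE),
                       ("notes.txt", b"just text")]:
        result = triage(name, blob, VENDOR_HASHES, NOW)
        print(name, result["verdict"], result["hashes"]["sha256"][:16], result["findings"])
```

The look-alike is the case the article warns about: same file name as the vendor's tool, different hash, and a compile timestamp in the future. Run the script against a real file by replacing the constructed bytes with `open(path, "rb").read()` and the hash list with the value the vendor publishes; open the printed lookup URL only after you are satisfied the hash, not the file, is all you want to disclose.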
What should you do if you find a false positive?
So you’ve done your research and you’re sure the issue you’re seeing is a false positive. You need the program to install and you need this file to get it to work correctly, but your antivirus is still blocking it.
If you feel 100% sure, there are several different approaches you can take to clear the false positive:
- Use the clean or fix tool provided by your antivirus software.
- Submit the file to your antivirus program's reporting system.
- Reboot your device and rescan.
- Whitelist the file (only do this if you're 100% sure it's safe, and exclude that specific file rather than a whole folder or file type, so the exclusion can't be abused later).
- Disable your antivirus (do this only as a last resort and after discussing the issue with your antivirus customer service).
Antivirus software with perfect usability scores
While no antivirus or cybersecurity software is infallible, the following products have perfect usability scores according to AV-TEST, an independent IT security institute that tests products in three main categories: protection, performance, and usability.
As of the July/August 2024 tests, the industry average for false detections of legitimate software as malware during a system scan was 14. Other false positives AV-TEST counts include blocking or warning about actions while installing and using legitimate software, or when visiting legitimate websites.
McAfee offers top-notch protection and had only one false positive in the July 2024 test, per the latest AV-TEST results.[1]
Norton consistently performs well in third-party testing, and its latest AV-TEST scores showed only a single false detection of legitimate software as malware during a system scan in August 2024.[2]
TotalAV, another popular antivirus solution, showed no false positives in the AV-TEST, making it a great choice for device protection.[3]
| Antivirus | TotalAV | McAfee | Norton 360 |
|---|---|---|---|
| Price | $29.00–$49.00/yr (first year only) | $29.99–$249.99/yr | $29.99–$99.99/first yr |
| # of devices protected | 4–8 | Unlimited | 1–10 |
| Malware scans | Manual and scheduled | Manual and scheduled | Manual and scheduled |
| Real-time protection | | | |
| EICAR test results | 2/3 | 3/3 | 3/3 |
| Firewall | | | |
| Phishing protection | | | |
| Compatibility | Windows, Mac, Android, iOS, Chrome, Edge, Opera, Safari | Windows, Mac, Android, iOS, Chrome, Firefox, Safari, Edge | Windows, Mac, Android, iOS |
| Extras | Password manager, ad blocker, VPN | Parental controls, performance optimization tools, VPN | Password manager, VPN, dark web monitoring, parental controls, privacy monitor, identity theft protection, cloud backup |
| 24/7 customer support | | | |
Antivirus false positive FAQs
Can an antivirus give false positives?
Yes. Any antivirus or anti-malware program meant to protect your computer from malicious executables can produce false positives.
How do I stop my antivirus from detecting false positives?
The short answer is that you can't. Because of how antivirus software detects malicious content, you can't eliminate false positives completely. Keeping your antivirus up to date helps reduce them. If your antivirus keeps flagging a program you know is safe, you can whitelist it and report the false positive to your antivirus provider. Make sure, however, that you are 100% certain the file or program is safe; otherwise, you may end up with a virus.
Does Windows Defender give false positives?
Yes. Every antivirus can report a false positive, and Windows Defender (now Microsoft Defender) is no different. Microsoft provides a guide on how to address these false positives and a portal for submitting the file to its analysts for review.
Can a Trojan be a false positive?
An executable can sometimes be mislabeled as a Trojan. While a Trojan is definitely a malicious program, legitimate files have also been classified as Trojans.
Bottom line
A false positive can be frustrating, especially if it prevents the download and execution of a file or program you really need. It’s important to be able to identify and fix false positive reports so you can be absolutely certain that files are good before allowing them on your device.
Whether you do an internet search or wait for the research team behind your antivirus, researching a file is the best way to avoid an infection. Remember, from a security standpoint a false positive is always preferable to a false negative: a blocked safe file costs you time, while a missed threat can cost you the machine. If you do end up with an infection, there are resources to help you clean up your computer and remove malware before it gets any worse.
You always have the option to switch to one of our recommended best antivirus programs for the highest level of protection.
[1] Test McAfee Total Protection 1.18 for Windows 10