Microsoft steps up in industry efforts on mitigating false positives

Antimalware vendors write signatures so that their products can detect and take action on malicious files. Every once in a while, a signature also detects a clean file, one that does nothing malicious at all. The antimalware industry calls this a “false positive”, also referred to as an “incorrect detection”. A false positive is not pretty for anyone: users can’t run the flagged program, that program’s customer support gets deluged with calls, and the antimalware product(s) that detected it take a reputation hit. Like other antimalware vendors, we continuously work to minimize the chances that we, our partners, and our customers are hit by a false positive, both as a software development company and as a provider of antimalware solutions.

As part of this effort, we have been working closely with our partner VirusTotal - a well-known, reputable and industry-vetted online security portal where antimalware and security industry researchers, law enforcement organizations and customers can submit files and check for the presence of malicious code.

The result of this collaboration is something really exciting: VirusTotal has announced and released a new feature called “Trusted source”. When a file meets the “Trusted source” criteria, the feature tells the user with the utmost confidence that the file can be trusted. And the first “Trusted source” feeding into this effort, we’re proud to say, is Microsoft, via our Microsoft Clean-File Metadata. Now, if a user uploads a file to VirusTotal and VirusTotal sees that the file’s metadata is part of Microsoft Clean-File Metadata, VirusTotal returns this:

The same indicator can also be seen in the Additional Information tab:

This feature is now live for everyone to use.

The feature has a second use: any time an antimalware solution detects a file marked as coming from a trusted source such as Microsoft, VirusTotal informs that antimalware provider, shortening the time it takes the provider to address the false positive.
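As an added illustration (not VirusTotal’s or Microsoft’s code), the following Python models the workflow just described: a constructed clean-file index keyed by SHA-256 stands in for Microsoft Clean-File Metadata, and a scan’s per-engine verdicts are triaged so that detections on a trusted file are flagged as suspected false positives for vendor notification instead of being reported as confirmed. The index format, the choice of SHA-256 as the lookup key, and all function names are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical clean-file index. The real Microsoft Clean-File Metadata feed
# and VirusTotal's internal representation are not described on the page;
# here the key is the lowercase SHA-256 hex digest and the value is the source.
CLEAN_FILE_INDEX: Dict[str, str] = {}

_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def register_clean_file(content: bytes, source: str = "Microsoft") -> str:
    """Record a known-clean file's SHA-256 under the given trusted source."""
    digest = hashlib.sha256(content).hexdigest()
    CLEAN_FILE_INDEX[digest] = source
    return digest


@dataclass
class Verdict:
    trusted_source: Optional[str]                      # None if no source vouches for the file
    suspected_false_positives: List[str] = field(default_factory=list)  # engines to notify
    confirmed_detections: List[str] = field(default_factory=list)       # detections that stand


def triage(sha256: str, engine_results: Dict[str, Optional[str]]) -> Verdict:
    """Combine engine verdicts with the trusted-source index.

    engine_results maps engine name -> detection name, or None for 'clean'.
    If the hash is in the index, every engine that flagged the file is listed
    as a suspected false positive (the page's vendor-notification step);
    otherwise the detections are reported as they are.
    """
    if not _SHA256.match(sha256):
        raise ValueError("expected a 64-hex-character SHA-256 digest")
    source = CLEAN_FILE_INDEX.get(sha256.lower())
    flagged = sorted(engine for engine, name in engine_results.items() if name)
    if source is None:
        return Verdict(None, confirmed_detections=flagged)
    return Verdict(source, suspected_false_positives=flagged)


if __name__ == "__main__":
    # Constructed sample: a stand-in for a clean Microsoft binary.
    digest = register_clean_file(b"constructed sample of a clean Microsoft binary")
    print(triage(digest, {"EngineA": "Trojan.Generic", "EngineB": None}))
```

Note that a trusted-source match does not silently delete the detections; it routes them to the vendors that produced them, which is the behaviour the post describes.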

With that said, we see that this feature is, and will be, of huge value to the industry as well as to Microsoft customers, and further improvements to this effort can be expected as a result of our continuous collaboration with VirusTotal and the industry. We encourage other software development companies to participate in VirusTotal’s initiative.

Ivan Macalintal

Comments (8)

  1. Yoshihiro Kawabata says:

    Can I know which file in Windows 8.1 shows "Trusted source!"?
    I want to try this function.

  2. anonymous reversed says:

    Plz do, take all the time you need. I got all night

  3. @yoshi says:

    Wanna try it? Skip the file. I got physical address and vrp backstage passes to "File Creator in need" explicit version

  4. sue unifair says:

    Resulting in ???? Did you mean irregardlessly? I see what's good for the goose, but is it not good for gandolph?

  5. How about ramping up the efforts to detect true positives like:
    799c25b13eb3396137eab8a96178df00fc4eebf5edde3e8c1d26fee511ee7977 20120.dll.bin
    3919059a1e0d38d6116f24945b0bb2aa5e98b85ac688b3aba270d7997bb64a0d 20121.dll.bin
    8c4c21eabc62172de39021cfe9460466898f8b6f4b3cf96b2bbe1d387e155dc1 20123.sys.bin

  6. Neddy says:

    Does that mean that the files are NSA-approved also?

  7. Robert Scroggins says:

    This is an important endeavor to improve the effectiveness of antivirus software, and Microsoft is leading the way. Don't belittle it!


  8. adwbust says:

    I believe false negatives (undetected) are more common nowadays than false positives. some av corps are even confused or differing on how to classify threats due to the greyness trend of today's threats. there should be a universal body that sets criteria on classification of threats to check and balance adspy/hijack/bundle/promo/sponsor/share/crap/trial-ware. there should be a built-in eulalyzer on windows 10. 😀 if there are red flags in eula then windows will suggest user discontinue install. maybe inform user of red flags and ask if he allows additional installation of baggage or modification of system (like browser). if eula doesn't specify nefarious activities that's ground for detection (and suing by user).
