University of Hertfordshire

The issues of software being classified as malicious by antivirus false positive alerts

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

  • Grigorios Fragkos
  • Olga Angelopoulou
  • Konstantinos Xynos
Original language: English
Title of host publication: European Conference on Information Warfare and Security, ECCWS
Number of pages: 11
Publication status: Published - 2013
Event: 12th European Conference on Information Warfare and Security 2013, ECIW 2013 - Jyvaskyla, Finland
Duration: 11 Jul 2013 - 12 Jul 2013

Conference: 12th European Conference on Information Warfare and Security 2013, ECIW 2013


The continuous development of evolving malware types creates a need to study and understand how antivirus products detect threats and alert the user. This paper investigates today's antivirus solutions and how their false positive alerts affect the software development and distribution process, which in the long term could even lead to loss of business. It discusses and demonstrates how antivirus detection deals with bespoke applications and how this can be reversed and manipulated to evade detection, allowing it to be used by malicious software developers. The paper also presents ideas that would enable antivirus products to overcome these detection issues without altering their detection engines, by focusing instead on the developer's source code submission. The potential lack of essential and, in most cases, obvious steps in malicious software detection is also examined. The paper concludes that the inconsistencies between different antivirus detection engines, along with the introduction of reputation-based detection, allow more sophisticated and undetectable malicious software to be created and spread.

ID: 9587906