Virustotal’s Trusted Source project attempts to limit false positives

Whenever I discover a new program I scan it first on the Virustotal website before running it on a local test system.

This initial virus check helps me determine whether an application is (likely) legitimate or not. It happens that one or some of the antivirus engines used by the service to scan files may return hits.

These hits are often false positives, especially if lesser known antivirus engines report them. There is still a level of uncertainty about those files.

False positives can have severe consequences. Think of a local antivirus solution that identifies core operating system files as a virus. It happened in the past that entire systems became unusable after false positives were detected by security software.

Virustotal, which is owned by Google, announced yesterday that it launched a Trusted Source project to reduce the number of false positive scans.

The general idea behind the project is to whitelist files maintained by major software companies such as Microsoft.

If one of the antivirus engines used during the scan reports a verified file as malicious, its parent company is informed about the fact in hopes that the issue is corrected shortly thereafter. In addition, trusted source files are specifically tagged when distributed to antivirus companies to avoid false positive detections as well.

Virustotal has modified the header on results pages to integrate trusted source information.

The main changes on the page are the new "trusted source" line that identifies the file as verified and the fact that the detection ratio shows 0 hits even though there may be some.

If you check this results page on Virustotal for instance and scroll down, you will see that the file has been reported as malicious by several antivirus engines. The detection ratio at the top on the other hand lists 0 hits.

Currently, only Microsoft files are listed as trusted sources. Virustotal plans to collaborate with other large software development companies to add their files to the trusted source catalog as well. The company did not define what it considers large but it stated that it won't accept applications from vendors who produce adware or potentially unwanted software.

Verdict

The trusted source project won't eliminate false positives completely, at least not in the first project state. It may however improve the reaction time of companies when their systems are detecting legitimate files as malicious.

It still comes down to individual vendors though. The user experience on the other hand is improved as trusted source file scans should no longer cause doubts about a file's legitimacy if false positives are detected.

This in fact could be a great opportunity for Nir Sofer to get all Nirsoft applications verified.