Google today announced “trusted source,” a project to address the problem of false positives in the antivirus industry. The company has already started working with Microsoft to help minimize the issue on Windows.
The aim is simple: to have software developers share the files in their catalog for whitelisting. Vendors can then be contacted when their antivirus solution mistakenly detects these files.
False positives occur when an antivirus program marks a legitimate file as malware. When one flags a key operating system file, this can lead to computers locking up, crashing, or even failing to boot. Google lists in more detail what false positives can lead to:
- Software developers may face strong business impact as a large portion of their users see their programs rendered unusable.
- Support teams for the affected programs may be suddenly overwhelmed by user emails claiming that the given software is not working correctly.
- End-users may be unable to interact with important software and see themselves unable to finish critical tasks.
- Antivirus vendors’ reputation may be severely hindered.
The “trusted source” project comes from VirusTotal, an online scanning service Google acquired in September 2012 with the promise that it would continue to operate independently. To those who consider Google and Microsoft to be archenemies, the “operate independently” clause should help explain why VirusTotal chose to start its project with help from Microsoft:
We have been working on this for just one week and with just one company, Microsoft, yet results look very promising: over 6000 false positives have been fixed. We would like to extend a big thank you to the Microsoft team for sharing metadata about its software collection and to the antivirus industry as a whole for the false positives remediation.
In other words, Microsoft was more than eager to help fight false positives, which often lead to antivirus and other security software attacking Windows files rather than malware. Now, VirusTotal will mark safe files at the top of its reports.
Here is an example (notice the green background, smiley face, and “Trusted source!” label):
The goal is for the antivirus vendor to correct the false positive before it can cause any (or further) damage. Mistaken detections are also dropped from the positives count and degraded to the bottom of the report. This ensures false positives do not mislead users looking at the report.
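The mechanism described above, as an added example that is not VirusTotal's or Google's code: a publisher submits hashes of its catalog, and a scan report for a file whose hash is in that allowlist gets its detections discounted and demoted below the clean verdicts. The publisher name, engine names, report fields and file bytes are all constructed here; the point to notice is that trust is bound to the exact bytes, so a copy with even one byte changed (a repackaged or trojanized installer, say) does not inherit it.

```python
"""Hash-based 'trusted source' allowlisting applied to a scan report.

Added example, not VirusTotal's or Google's code. The catalog layout, the
report fields, the engine names and the file bytes are all constructed here.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Detection:
    engine: str
    result: Optional[str]  # None means this engine reported the file clean


@dataclass
class Report:
    sha256: str
    trusted_source: Optional[str]
    positives: int
    detections: List[Detection]        # ordering as shown to the user
    false_positives: List[Detection]   # flagged results discounted by the allowlist


def sha256_hex(data: bytes) -> str:
    """Identify a file by the SHA-256 of its exact bytes."""
    return hashlib.sha256(data).hexdigest()


def build_catalog(publisher: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Hypothetical publisher submission: map each file's hash to its publisher.

    Only the hash is stored; the allowlist never needs the file itself.
    """
    return {sha256_hex(content): publisher for content in files.values()}


def build_report(data: bytes, raw: List[Detection], catalog: Dict[str, str]) -> Report:
    """Assemble the user-facing report, applying the trusted-source rule."""
    digest = sha256_hex(data)
    flagged = [d for d in raw if d.result is not None]
    clean = [d for d in raw if d.result is None]
    publisher = catalog.get(digest)
    if publisher is None:
        # Unknown file: detections count and sit at the top, as usual.
        return Report(digest, None, len(flagged), flagged + clean, [])
    # Allowlisted file: detections are not counted and are moved below the
    # clean verdicts so they do not mislead the reader.
    return Report(digest, publisher, 0, clean + flagged, flagged)


# Constructed sample data (stand-ins for a real publisher's binaries).
CATALOG = build_catalog("ExampleSoft", {
    "setup.exe": b"MZ\x90\x00example-installer-v1",
    "helper.dll": b"MZ\x90\x00example-helper-v1",
})

# Constructed engine verdicts: two generic/heuristic hits, one clean.
RAW_RESULTS = [
    Detection("EngineA", "Gen:Heur.Suspicious.1"),
    Detection("EngineB", "Trojan.Generic"),
    Detection("EngineC", None),
]


def genuine_report() -> Report:
    """Report for the exact bytes the publisher submitted."""
    return build_report(b"MZ\x90\x00example-installer-v1", RAW_RESULTS, CATALOG)


def tampered_report() -> Report:
    """Same file with a single byte changed: the hash no longer matches,
    so trust is not inherited and the detections stand."""
    return build_report(b"MZ\x90\x00example-installer-v2", RAW_RESULTS, CATALOG)


if __name__ == "__main__":
    for r in (genuine_report(), tampered_report()):
        print(r.sha256[:16], r.trusted_source, r.positives,
              [d.engine for d in r.detections])
```

The allowlist decides only whether a detection is counted and where it is shown; it does not verify who submitted the hashes, which is why the scheme depends on VirusTotal working directly with the publisher rather than accepting hashes from anyone.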
False positives hurt not just the antivirus industry but the software industry in general, and they are difficult to avoid because antivirus vendors are increasingly required to be more proactive via technologies such as generic signatures and heuristic flags. This is a great initiative on Google’s part, and one it’s looking to expand to other large software development companies.
Since Google’s acquisition, VirusTotal has also released an OS X client. Apple would be the next logical tech giant for VirusTotal to work with, but given its track record, we’re not holding our breath.