False Positives and False Negatives – CompTIA Security+ SY0-401: 2.1


As you build your security strategy, you’ll need to manage the inevitable false positives and false negatives. In this video, you’ll learn about false positives and false negatives and how to handle them in your environment.



If you’re working with antivirus software, anti-malware software, or intrusion prevention systems, you’ll run into cases where you get a false positive or a false negative. Let’s look at both of these situations and see how we can resolve them.

A false positive is when a security device sends you an alert saying there was a problem, but the device is wrong. It reported a positive, but it was a false positive, which means there wasn’t really a problem to begin with.

If you’re getting a message from an intrusion detection system or intrusion prevention system, the alert is usually based on a signature: a piece of traffic passed through the IPS, matched a signature, and the device is informing you of that match. We generally have to rely on these signatures, so you always want to be sure you’re updating to the latest ones, because vendors refine signatures over time and many false positives go away with the update. If a signature keeps firing on traffic you have confirmed is benign, tune or suppress that one signature rather than the whole feed, and be careful even with that: a signature you disable can no longer produce a true positive, so an over-tuned sensor trades false positives for false negatives.

These false positives can also occur with antivirus or anti-malware software. For instance, in April 2010, McAfee VirusScan decided that svchost.exe, a core Windows system process, was a virus. That was certainly a false positive, since svchost.exe is an integral part of the Windows XP operating system. The scanner removed the file, and affected Windows XP SP3 machines could no longer boot normally. If you caught it before rebooting, you could restore the file; once the machine had rebooted, you had to go through a recovery process.

In October 2011, Microsoft Security Essentials decided that the Chrome browser was a piece of malware called Zbot and deleted it. So you would install Chrome on your machine, and it would simply be deleted again because of this false positive inside Microsoft Security Essentials.

If you’re trying to determine whether something is really a false positive, you might want a second opinion. A good choice is the now Google-owned virustotal.com, where you can point to a particular file on the internet or upload your own file and see how many different types of security software flag it. One caveat: anything you upload is shared with the service and with the antivirus vendors behind it, so if the file might contain sensitive data of your own, search for its hash first and only upload when the hash is unknown.

This is the virustotal.com website, and I’ve chosen to upload a file called GPpdate that I received in my email. I suspect the virus writer was trying to get me to run this, thinking it was GPUpdate, the Group Policy Update inside of Microsoft Windows. Let’s choose to scan that file. It’s going to be uploaded, and this file has been seen before by VirusTotal. But I’m going to ask to re-analyze this file so that we’re able to see the process it goes through.

Behind the scenes, VirusTotal has a lot of different antivirus software that it’s going to run against this particular file. So it gives us the name of the file, and it tells us how many different antivirus and anti-malware products detect this particular file as being malicious or benign. And you can see so far, only one out of the 27, now one out of 36, that have been checked is showing up as malicious software. Looks like we’ve got two now out of 54.

So as it goes through the scan, you can see the different software like Avast!, and you’ve got Doctor Web, and F-Secure, and Fortinet, and Kaspersky. You’ve got a lot of different software that you can choose from, but only 2 out of that 54 recognized this particular file as being something malicious.

You can also get more details on these files. It’ll even run through different types of heuristics. For instance, F-Secure found that this was indeed suspicious, and Symantec also categorizes this as suspicious. It doesn’t have an exact match for this particular file, but it does notice that this file is doing things that it should not be doing, so it generically categorizes this. This gives you at least some idea, if you suspect a false positive, of whether a file is malicious or something that’s not going to harm any of your computers.
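The "2 out of 54" tally above is only useful if you can read it. The following is an added example for this page, not code from the video or from VirusTotal: it computes the hashes you can search for on virustotal.com without uploading the file, then summarises a report and turns the engine count into a working verdict. The report is a constructed stand-in shaped like the `last_analysis_stats` and `last_analysis_results` fields of a VirusTotal v3 file report (an assumption about that format; confirm against the current API docs), the engine names are made up, and the decision rule with its five-engine threshold is illustrative.

```python
"""Reading a multi-engine second opinion on a suspect file.

Added example for this page, not code from the video or from VirusTotal. The
report shape (last_analysis_stats / last_analysis_results) is assumed from the
VirusTotal v3 file report; the engine names, verdict strings, threshold and
decision rule are all illustrative.
"""
import hashlib
from collections import Counter

# Constructed bytes standing in for the downloaded attachment. Not real malware.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in for GPpdate, not a real program"

# Verdict strings that name a heuristic or generic detection rather than a
# specific family; illustrative markers, not a vendor list.
GENERIC_MARKERS = ("generic", "heur", "suspicious")


def file_hashes(data):
    """MD5/SHA-1/SHA-256 of the file: searchable on VirusTotal without sharing the file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def build_sample_report(n_engines=54, malicious=None, suspicious=None):
    """Constructed report: `malicious`/`suspicious` map engine name -> result string."""
    malicious, suspicious = malicious or {}, suspicious or {}
    results = {}
    for i in range(1, n_engines + 1):
        engine = f"Engine{i:02d}"
        if engine in malicious:
            results[engine] = {"category": "malicious", "result": malicious[engine]}
        elif engine in suspicious:
            results[engine] = {"category": "suspicious", "result": suspicious[engine]}
        else:
            results[engine] = {"category": "undetected", "result": None}
    stats = Counter(r["category"] for r in results.values())
    return {"data": {"attributes": {"last_analysis_stats": dict(stats),
                                    "last_analysis_results": results}}}


def summarize(report):
    """Count engines and pull out every engine that flagged the file, with its verdict."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {engine: r["result"] for engine, r in results.items()
               if r["category"] in ("malicious", "suspicious")}
    return {"engines": len(results), "flagged": len(flagged), "verdicts": flagged}


def assess(summary, min_engines=5):
    """Illustrative rule: a few engines agreeing, all with heuristic or generic
    names, is the pattern that deserves a closer look before calling it either way."""
    if summary["flagged"] == 0:
        return "undetected"
    all_generic = all(any(m in (v or "").lower() for m in GENERIC_MARKERS)
                      for v in summary["verdicts"].values())
    if summary["flagged"] < min_engines:
        return "low-confidence-generic" if all_generic else "low-confidence-named"
    return "malicious"


if __name__ == "__main__":
    print(file_hashes(SAMPLE_BYTES)["sha256"])
    report = build_sample_report(
        malicious={"Engine07": "Trojan.Generic.12345", "Engine23": "Malware.Heuristic"},
        suspicious={"Engine12": "Heur.Suspicious", "Engine40": "Suspicious.Cloud"},
    )
    summary = summarize(report)
    print(f'{summary["flagged"]} of {summary["engines"]} engines flagged it:', summary["verdicts"])
    print(assess(summary))
```

Whichever way the verdict lands, remember that "undetected" is not proof of a clean file; that is the false-negative case, and a hash lookup only tells you what the engines thought at the time of the last scan.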

The opposite of a false positive is a false negative. That means you did not receive any alert, no bells went off, there were no sirens, but something bad actually did get through your security systems. It went right through your defenses, and it’s now difficult to go back and determine whether there was a false negative at all, because there is no alert to rewind to that tells you where and when it came into your network.

A false negative is completely silent, so if you have to reconstruct how a piece of malware got into your environment, the job becomes a lot harder. This is why you want to check the independent industry tests for hits and misses. Antivirus software and intrusion prevention software and hardware generally go through a number of these tests, in which a known set of malicious and benign files is sent through the product. You can then examine how many of the malicious files were identified (hits), how many benign files raised alerts (false positives), and how many malicious files were missed completely (false negatives).
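To make the signature discussion and the test scorecard concrete, here is an added example for this page (not code from the video or from any IPS vendor). A toy regex-based "IPS" runs over constructed sample requests with known ground truth and is scored the way an industry test scores a product: hits, false positives, false negatives and true negatives, plus the detection and false-positive rates. The signatures, the sample traffic and the "tuned" signature set are all illustrative; the over-broad `sqli-select` signature shows how a false positive arises and how an updated signature removes it, while the uncovered `cmd=dir` request stays a silent miss in both runs.

```python
"""Signature matching scored the way an industry test scores it.

Added example for this page, not code from the video or any IPS vendor.
Signatures, sample requests and the resulting rates are illustrative.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: str  # regular expression applied to the raw request line


# Constructed signature set. The last one is deliberately over-broad: it fires on
# the word "select" anywhere, which is exactly how a signature produces false positives.
SIGNATURES = [
    Signature("shell-via-query", r"(?i)[?&]cmd=(cat|ls|id|whoami)\b"),
    Signature("path-traversal", r"\.\./\.\./"),
    Signature("sqli-select", r"(?i)\bselect\b"),
]

# Tuned set after an "update": the SQLi signature now requires UNION ... SELECT,
# so ordinary search text no longer matches. Nothing was added for "cmd=dir".
TUNED_SIGNATURES = [
    SIGNATURES[0],
    SIGNATURES[1],
    Signature("sqli-union-select", r"(?i)\bunion[\s+]+select\b"),
]

# Constructed sample traffic: (request, truly_malicious). Not captured from a real network.
SAMPLES = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /cgi-bin/run?cmd=cat /etc/passwd", True),
    ("GET /../../../../etc/shadow", True),
    ("POST /search q=select+a+good+laptop", False),  # benign text that trips "sqli-select"
    ("POST /login user=admin'+UNION+SELECT+password+FROM+users--", True),
    ("GET /download?file=report.pdf", False),
    ("GET /admin?cmd=whoami", True),
    ("POST /upload name=ls-l-output.txt", False),
    ("GET /api?cmd=dir", True),  # no signature covers "dir": a silent miss
]


def match_signatures(request, signatures=SIGNATURES):
    """Return the names of every signature whose pattern matches the request."""
    return [s.name for s in signatures if re.search(s.pattern, request)]


def score(samples, signatures=SIGNATURES):
    """Tally the four outcomes an industry test reports for a detector."""
    counts = {"hits": 0, "false_positives": 0, "false_negatives": 0, "true_negatives": 0}
    for request, malicious in samples:
        alerted = bool(match_signatures(request, signatures))
        if alerted and malicious:
            counts["hits"] += 1
        elif alerted and not malicious:
            counts["false_positives"] += 1
        elif not alerted and malicious:
            counts["false_negatives"] += 1
        else:
            counts["true_negatives"] += 1
    return counts


def rates(counts):
    """Detection rate over the malicious samples, false-positive rate over the benign ones."""
    malicious = counts["hits"] + counts["false_negatives"]
    benign = counts["false_positives"] + counts["true_negatives"]
    return {
        "detection_rate": counts["hits"] / malicious if malicious else 0.0,
        "false_positive_rate": counts["false_positives"] / benign if benign else 0.0,
    }


if __name__ == "__main__":
    for label, sigs in (("original", SIGNATURES), ("tuned", TUNED_SIGNATURES)):
        counts = score(SAMPLES, sigs)
        print(label, counts, rates(counts))
    # The miss on "cmd=dir" never appears in either run's alerts; only the
    # labelled test set reveals it, which is why the industry tests matter.
```

Note that the tuned set improves the false-positive rate without touching the detection rate: updating signatures fixes the noise you can see, while the false negative stays invisible until someone runs labelled samples through the sensor.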