Microsoft has shared a blog post which talks about Windows Defender ATP and the false positives. The company shared the working on ATP and how it labels a file as suspicious. That said, even the best systems fail at times and Microsoft acknowledged the same.
The company shed light on the false positive issue which basically means labelling a genuine software/program as a virus. Usually, this poses a security issue as people don’t know if they can trust a software after it has been flagged by the Anti-virus. Microsoft said that they have compiled a list which can be followed by vendors to ensure they aren’t marked as false positives. Microsoft also noted that the best way to avoid false positives is to publish apps on the Microsoft Store as it scans for viruses or malware before publishing the app for the users.
Avoiding false positives is a two-way street between security vendors and developers. Publishing apps to the Microsoft Store is the best way for vendors and developers to ensure their programs are not misclassified. For customers, apps from the Microsoft Store are trusted and Microsoft-verified.
The first method to prevent a false positive is to ensure the software is digitally signed. This will allow the antivirus to identify the publisher and hence it won’t be marked as a false positive.
By verifying the identity of the software publisher, a signature assures customers that they know who provided the software they’re installing or running. Digital signatures also assure customers that the software they received is in the same condition as when the publisher signed it and the software has not been tampered with.
Microsoft also talked about Extended Validation (EV) code signing which is an advanced version of the digital certificate. This ensures that the antivirus or security program knows that the software is not tampered with and is published by a known publisher.
Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. This process requires a more comprehensive identity verification and authentication process for each developer. The EV code signing certificates require the use of hardware to sign applications. This hardware requirement is an additional protection against theft or unintended use of code signing certificates. Programs signed by an EV code signing certificate can immediately establish reputation with Windows Defender ATP even if no prior reputation exists for that file or publisher.
Next up, Microsoft talked about the reputation of the digital signatures. When developers sign the files, they do it for all the softwares and their assets. However, if one of those files is flagged as a malware, it will give a poor rating to all the files with the same signature. To prevent this, Microsoft recommends that developers sign files carefully and keep up a good reputation.
To gain positive reputation on multiple programs and files, developers sign files with a digital certificate with positive reputation. However, if one of the files gains poor reputation (e.g., detected as malware) or if the certificate was stolen and used to sign malware, then all of the files that are signed with that certificate will inherit the poor reputation.
We thus advise developers to not share certificates between programs or other developers. This advice particularly holds true for programs that incorporate bundling or use advertising or freemium models of monetization.
Moving forward Microsoft sheds light on the importance of transparency. The antivirus algorithm works by identifying suspicious behaviours like using misleading software names and nontraditional install locations. These behaviours will trigger the algorithm and the software will be marked as a malware.
Another false positive trigger is the use of files or softwares with poor reputations inside another software. For instance, if a software installs additional resources or files which might carry poor reputation then the whole software will be flagged by the antivirus and will trigger a false positive.
Another indicator that can influence the reputation of a file are the other programs the file is associated with. This association can come from what the program installs, what is installed at the same time as the program, or what is seen on the same machines as the file. Not all of these associations directly lead to detections, however, if a program installs other programs or files that have poor reputation, then by association that program gains poor reputation.
Apart from following these methods, Microsoft also detailed the detection criteria. You can head below to take a look at it.
- Malicious software: Performs malicious actions on a computer
- Unwanted software: Exhibits the behavior of adware, browser modifier, misleading, monitoring tool, or software bundler
- Potentially unwanted application (PUA): Exhibits behaviors that degrade the Windows experience
- Clean: We trust the file is not malicious, is not inappropriate for an enterprise environment, and does not degrade the Windows experience
Lastly, if a developer follows the listed methods and still gets flagged by Windows Defender then they can submit a report through the Windows Defender Security Intelligence portal.