VirusTotal lets devs check whether a legit app will wrongly be flagged as malware

Developers who often run into problems with antivirus wrongly detecting their software as malware can now use a new service that checks whether this will occur before releasing their product to the public.

The service, dubbed Monitor, comes from Google parent Alphabet’s VirusTotal, which aims to help all software developers more efficiently deal with occasions when their products are incorrectly detected by antivirus as malware. 

Monitor was created to address instances where legitimate software become a so-called “false positive”, where an antivirus engine detects a harmless file as harmful. 

Google acquired VirusTotal in 2012, but in January the firm became part of Chronicle, the security firm started by Alphabet. The VirusTotal website incorporates around 70 antivirus products and allows the public to check whether any of the products recognize an uploaded file as malicious. 

But where VirusTotal has traditionally helped antivirus vendors detect new malware, VirusTotal Monitor opens a door for software developers who can check whether any antivirus on VirusTotal will wrongly flag their product as malware. 

A key advantage is developers can check this before releasing a product to the public, reducing the chances of the headaches a false positive can cause. 

As Chronicle CTO Will Robinson notes, this often happens when developers update an existing app with new features and software libraries, which may be blocked by antivirus after users install them, clogging up support lines and creating a bad experience for users. 

These incidents can also cause problems antivirus firms that get a bad press for wrongly blocking a legitimate app. 

And as VirusTotal points out, enterprise applications can also be caught up in false positive scenarios, which may harm worker productivity until the problem is resolved.

Monitor allows developers to upload their software to a private cloud store in VirusTotal, which gets scanned immediately and daily by all antivirus vendors. They are given a Google-drive like interface to upload software and view the status of their files with respect to different antivirus products. 

VirusTotal says files are not shared with third-parties, except when a detection occurs, in which case the developer and antivirus vendor are notified and the file is shared with the antivirus vendor in order to fix the problem. 

Another advantage is that software developers don’t need to communicate with 70 different vendors to remediate the false positive. 

But the service is “not a free pass to get any file whitelisted”, VirusTotal notes. Developers may find their software still marked malicious by some vendors, but they will have access to more contextual information about the developer to make a final decision, such as details about the company that made the software and when it was released. 

“The idea is to have a collection of known source software, then each antivirus can decide what kind of trust-based relationship they have with each software publisher,” writes VirusTotal’s Emiliano Martinez.