What is a false positive in security scanning?

A false positive is when a security scanner flags a file, URL, or email as malicious when it is actually safe. The opposite — a false negative — is when something genuinely malicious is marked clean. Every scanner faces a trade-off between these two: tuning for fewer false positives risks more false negatives, and vice versa. Heuristic and behavioural engines, which try to detect threats they have not seen before, inevitably produce more false positives than pure signature matching.

Why do antivirus programs flag legitimate files?

Several common reasons. The file may have been compiled with a packer or installer framework that malware authors also use. It may contain code patterns — keyboard hooking, process injection, privilege elevation — that are legitimate in certain tools but strongly correlated with malware. The file may be newly released and lack reputation history, causing reputation-based engines to be conservative. Or the file may simply share a hash with an unrelated malicious sample due to bugs in a specific engine's signature database.

How do I verify if a detection is a false positive?

Four checks. First, look at how many independent engines flagged the file — a single engine out of many is much more likely to be a false positive than a majority verdict. Second, check the digital signature — legitimate software from a known publisher usually has a valid code signature. Third, download the file from the publisher's official URL directly and compare the hash. Fourth, wait 24-48 hours and rescan — signature databases update frequently and genuine false positives often clear within days.

Should I ignore a false positive?

Only after verifying it really is a false positive. A single-engine detection on a signed file from a known publisher, downloaded from the publisher's official site, is almost always safe to allow. Multiple detections, or a detection on a file from an unknown source, is not a false positive you should override. When you do allow a flagged file, use your security software's specific exclusion mechanism rather than turning off protection entirely.

When Security Scanners Get It Wrong: Understanding False Positives

Published: 19 April 2026 • 9 min read • By ScanTotal Security Team

Last reviewed: 4 May 2026 by Kumari Rajapaksha — Founder, ScanTotal

You scan a file you know is legitimate — maybe an installer for a tool you've used for years — and the scanner flags it. Maybe two engines out of seventy say "threat detected." Maybe one says "suspicious behaviour" in vague terms. You know the file is fine. But now you're uncertain enough to second-guess it.

That uncertainty is healthy. A good scan report is meant to make you pause, and a real detection should feel alarming. But sometimes scanners are wrong — and understanding when and why they're wrong is what lets you act on real alerts without living in perpetual over-reaction.

This post is the companion piece to How to Read a Security Scan Report. That post covered what detection counts and verdicts mean. This one covers what to do when the verdict looks wrong.

What a false positive actually is

A false positive is a clean file, URL, or message that a scanner incorrectly flags as malicious. The opposite — a false negative — is a genuine threat that slips past undetected. Every scanner faces a trade-off between these two, because the signals that catch unknown malware (unusual API calls, suspicious code patterns, weird network behaviour) are also present in plenty of legitimate software.

If a scanner tunes itself to never miss a threat, it ends up flagging lots of perfectly fine files. If it tunes itself to never flag a clean file, threats slip through. The sweet spot is somewhere in the middle, and different vendors pick slightly different points on that curve depending on their customers and philosophy.

False positives aren't a sign of a broken scanner. They're a normal consequence of the mathematics of detection: the more aggressively you look for novel threats, the more legitimate files you'll catch by accident. The good scanners minimise false positives aggressively; none eliminate them.

Why false positives happen

1. Shared tooling with malware

Malware authors use the same compilers, packers, and installer frameworks as legitimate developers. When a security engine flags a specific packer or installer format, every file using that packer becomes suspicious by association. Game anti-cheat tools, DRM-protected installers, and compressed executables are frequent casualties.

2. Overlapping code patterns

Heuristic engines look at what a program does or could do. Hooking keyboard input, injecting into another process, modifying system files, hiding its own window — all of these are textbook malware behaviours. They're also exactly what legitimate accessibility software, productivity tools, remote administration software, and parental controls need to do. A well-written parental-control app can trip half a dozen malware signatures purely on architecture.

3. New releases with no reputation

Many scanners weight their verdict by how long a file has been seen in the wild and how many other users have encountered it. A brand-new release of a small-publisher tool has zero history. Several engines will report "unknown, possibly suspicious" for the first few days, and that reads as a detection even when nothing is actually wrong. This is particularly common with indie developer tools, niche open-source software, and newly-signed installers.

4. Developer-signed binaries without widespread distribution

A legitimately code-signed binary from a small developer — think a Python developer shipping a compiled utility — looks structurally identical to malware that steals a certificate. Until the certificate and publisher build up trust, every binary they ship gets extra scrutiny.

5. Shared hosting reputation

For URLs, the biggest source of false positives is shared infrastructure. If a phishing site gets hosted on a major CDN, the CDN's IP addresses can temporarily carry threat reputation. Every other site on that IP — entirely unrelated — can show up as "served from an IP associated with malicious activity" until the database catches up.

6. Cache staleness

Detection databases update constantly, but they don't update instantly everywhere. A URL that was briefly compromised, cleaned up, and now safe might still be flagged for hours or days until the cache refreshes. Conversely, a URL that was clean and is now compromised might not be flagged for a similar window.

How to verify a detection in four steps

1Look at the engine count

If you're using a multi-engine service, how many engines fired? One or two out of sixty is very different from twenty out of sixty. A lone-wolf detection — especially from an engine you've not heard of — is the single strongest signal that you're looking at a false positive. Most of the well-established engines (kept intentionally unnamed here because this applies across vendors) share core signature data, so when most of them agree a file is clean, they're usually right.

2Check the digital signature

On Windows, right-click the file, Properties → Digital Signatures. On macOS, codesign -dv --verbose=4 /path/to/app in Terminal. On Linux, check package signatures against the distribution's keyring.

A valid signature from a known publisher that matches the distributor you downloaded from is a strong legitimacy signal. An expired certificate, a mismatched name, or no signature at all changes the picture.

3Download again from the official source

Go to the publisher's actual website (typed by hand, not clicked from search results) and download the file fresh. Compare the SHA-256 hash against what you have and, ideally, against a hash the publisher publishes alongside the download.

This catches two things: tampered downloads (which were legitimately flagged) and download-mirror corruption (which produced an accidental "bad hash" match). If the fresh hash matches and the publisher's page confirms it's the intended build, you have a file that's almost certainly what it claims to be.

4Wait and rescan

Detection databases update multiple times a day. A false positive on a new release often clears within 24-48 hours as vendors either confirm the detection was correct (rare, when other signals check out) or update their rules. Rescanning a day later is free and informative. If a single-engine detection remains for a week on a file that's otherwise verified, the detection is almost certainly wrong and can be reported to the vendor.

When a "false positive" is actually real

The trap to avoid is labelling every detection you don't like as a false positive. Some patterns should make you pause before assuming the scanner is wrong:

The file came from an unexpected place. A legitimate Adobe installer downloaded from adobe.com and flagged by one engine is plausibly a false positive. The same installer downloaded from a torrent, forum attachment, or "cracked software" archive and flagged by one engine is very likely the real thing — because that distribution channel is exactly where trojanised legitimate installers circulate.
The file behaves strangely after you run it. High CPU when idle, unexpected network connections, new processes you didn't start, files being written in odd locations. Those are runtime signals, and they outweigh anything the scanner said before you ran the file.
Multiple independent engines agree. Three or more engines from different vendors saying "trojan, banker, info-stealer" is not random. It's a consensus, and consensus detections should be treated as real until proven otherwise.
The detection is specific. "Generic.Heuristic.1234" is a heuristic signal — it can absolutely be wrong. "Trojan:Win32/Qakbot.PA!MTB" names a specific malware family and variant; detections that specific are rarely mistaken.

For URLs specifically

URL false positives follow slightly different rules. Reputation databases categorise entire hosts, CDN buckets, or hosting ranges, so an innocent site can inherit a bad reputation from a noisy neighbour. If a URL you trust is flagged:

Check whether the detection is for the specific URL or the parent domain. A lookup that flags example.com because a bad subdomain existed months ago is different from one flagging your exact path today.
Look at the active-probe signal if your scanner has one. Reputation is retrospective; a live probe tells you what the site is actually serving right now.
Try the URL through a different reputation service. If one flags and the others don't, you've got the URL equivalent of a lone-wolf detection.

What to do about confirmed false positives

If you've verified the file is legitimate through the checks above, you have three reasonable responses:

Allow it locally. Use your antivirus's specific exclusion mechanism to whitelist the exact file or publisher. Don't disable protection entirely — that creates a much bigger risk than the false positive itself.
Report it to the vendor. Every major security vendor has a false-positive submission form. Legitimate reports with a clear case (signed file, public download link, hash) are usually processed within a few days, and the fix benefits every other user of that scanner.
Check back in a week. If you hit a false positive during a new-release window, rescanning a week later often shows the detection has cleared as the file's reputation builds.

The respectful reality

Security vendors that use heuristic and behavioural detection occasionally get it wrong. This isn't a failure — it's the unavoidable cost of catching threats that haven't been seen before. A scanner that never produces a false positive is a scanner that only catches known malware, and that's a narrow defence against a world where new malware appears by the minute.

The goal isn't to find a scanner that never misfires. It's to use scanners thoughtfully — multiple engines, verified downloads, independent second opinions, a pause before you panic or before you override. When you do that, false positives stop being a problem and become a small tax you pay in exchange for a genuinely useful defence.

That's the same tax professional security teams pay every day. They tune, they verify, they report, and they move on. It's a sign of a defence doing its job, not failing at it.

Get a second opinion on a suspicious result

Scan the same file or URL through ScanTotal for a layered, independent check.

Open Scanner