Microsoft’s Windows Defender is a widely used and generally reliable anti-malware product, and the company has thwarted many malicious cyberattacks in the past using the antivirus’ multilayered defensive techniques.
However, Windows Defender’s more aggressive classifiers sometimes flag safe files as harmful, which is a problem for users as well as software vendors. To minimize these false positives, Microsoft is working with the industry by outlining practices that companies should follow to avoid these occurrences.
The Redmond giant notes that the safest way for software vendors to avoid false positives is to publish their apps via the Microsoft Store, as “for customers, apps from the Microsoft Store are trusted and Microsoft-verified.”
However, if this is not a viable option, another way is to digitally sign files with a reputable certificate, which assures customers that the software they download is in the same state as when the publisher signed it. Furthermore, these certificates should not be shared between programs or other developers: if a shared certificate is used to sign malicious files, all files signed with that certificate will also get a bad reputation.
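As an added illustration (not part of the original article or of Microsoft’s guidance), the PowerShell below signs a build artifact with the vendor’s own code-signing certificate and then verifies the Authenticode signature, which is the check a customer or a release gate would run to confirm the file is unchanged since signing. The artifact path, the certificate subject filter and the timestamp server URL are assumptions.

```powershell
# Added example: sign an installer with a code-signing certificate and verify
# the resulting Authenticode signature. Paths, the subject filter and the
# timestamp server are placeholders chosen for this illustration.

$Artifact      = 'C:\build\MyInstaller.exe'   # assumed path
$SubjectFilter = 'CN=Contoso Software'         # assumed certificate subject

# Pick the vendor's own code-signing certificate (the private key must be present).
# -CodeSigningCert restricts the listing to certificates with the Code Signing EKU.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "*$SubjectFilter*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No usable code-signing certificate matching '$SubjectFilter'." }

# Sign with SHA-256 and an RFC 3161 timestamp so the signature stays valid after
# the certificate expires. The timestamp URL is an assumption.
$sig = Set-AuthenticodeSignature -FilePath $Artifact -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.example.com' -IncludeChain All

if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# Verification: what a consumer, or a release pipeline, should check before trusting the file.
function Test-SignedArtifact {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )

    $s = Get-AuthenticodeSignature -FilePath $Path

    # Status is Valid only when the file hash matches the signed hash and the chain
    # builds to a trusted root; HashMismatch means the file was altered after signing.
    if ($s.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "$($s.Status): $($s.StatusMessage)" }
    }

    # Pin the signer: a valid signature from someone else's certificate is not
    # evidence that this vendor published the file.
    if ($s.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        return [pscustomobject]@{ Ok = $false; Reason = "Signed by unexpected certificate $($s.SignerCertificate.Thumbprint)" }
    }

    # Require a timestamp so the signature does not silently become invalid at certificate expiry.
    if (-not $s.TimeStamperCertificate) {
        return [pscustomobject]@{ Ok = $false; Reason = 'Signature is not timestamped' }
    }

    return [pscustomobject]@{ Ok = $true; Reason = 'Valid, pinned to expected signer, and timestamped' }
}

Test-SignedArtifact -Path $Artifact -ExpectedThumbprint $cert.Thumbprint
```

Pinning the signer thumbprint is what turns the check into the assurance the article describes: a consumer learns not only that the file is unmodified, but that it was signed by the specific publisher they expect, which is also why a certificate must never be shared across unrelated programs or developers.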
Microsoft has also told vendors to respect the customer’s ability to choose, and to be transparent with them. The company says that:
Customers should have choice and control over what happens on their devices. Using nontraditional install locations or misleading software names reduces user choice and control.
Obfuscation has legitimate uses, and some forms of obfuscation are not considered malicious. However, many techniques are only employed to evade antivirus detection. Developers should refrain from using non-commercial packers and obfuscation software.
Microsoft has also pointed out that vendors whose installers offer additional third-party programs should be careful: if a bundled program turns out to be malicious, the harmless file will also get a bad reputation by association. Lastly, the Redmond-based company has asked developers and publishers to fully understand its malware detection evaluation criteria. That said, if Windows Defender still flags a file as a false positive after the vendor has followed the aforementioned methodologies, vendors are requested to report the problem on the Windows Defender Security Intelligence webpage.