Windows malware: How to stop your files being wrongly tagged as malicious by Windows Defender ATP

Microsoft details some of the ways Windows Defender ATP analyses files and software.

Microsoft has listed some of the ways that developers can tweak their approach to make sure their programs and files aren't accidentally flagged as malware by its Windows Defender Advanced Threat Protection (ATP) software.

Windows Defender ATP is Microsoft's enterprise endpoint security platform; its antivirus component, Windows Defender Antivirus (the antivirus built into Windows 10), combines layers of machine-learning models, behaviour-based detection algorithms, generics and heuristics to classify suspicious files quickly.

But Microsoft acknowledges that there is a trade-off: "Some of our more aggressive classifiers from time to time misclassify normal files as malicious (false positives). While false positives are a very tiny occurrence compared to the large number of malware we correctly identify (true positives) and protect customers from, we are aware of the impact that misclassified files might have," said Michael Johnson of Windows Defender Research in a blog post.

Microsoft said publishing apps through the Microsoft Store is the most reliable way for vendors and developers to ensure their programs are not misclassified, but it also listed a number of other ways to keep legitimate programs and files from being tagged as malware for those who do not want to distribute through the store.

One of the most effective ways for developers to reduce the chances of their software being detected as malware is to digitally sign files with a reputable certificate, Microsoft said.


A valid signature binds the file to a verified publisher identity and lets Windows (and users) confirm that the file has not been altered since it was signed. It says nothing about whether the software itself is safe or free of flaws.

Microsoft uses the reputation of a digital certificate to inform the reputation of the files signed with it, and the reverse: the reputation of signed files feeds back into the reputation of the certificate they were signed with.

Going a step further, extended validation (EV) code signing requires a more comprehensive identity verification and authentication process for each developer, and requires the private key to be held on a hardware token rather than stored as a file. Programs signed with an EV code signing certificate can immediately establish reputation with Microsoft's SmartScreen reputation service, even if no prior reputation exists for that file or publisher.

However, if a file gains a poor reputation (for example by being detected as malware), or if the certificate is stolen and used to sign malware, then every file signed with that same certificate inherits the poor reputation and may be tagged as malware too.

Microsoft notes: "We thus advise developers to not share certificates between programs or other developers. This advice particularly holds true for programs that incorporate bundling or use advertising or freemium models of monetization. Reputation accrues -- if a software bundler includes components that have poor reputation, the certificate that bundler is signed with gets the poor reputation."
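As an added example, not Microsoft's code or guidance, the following Windows PowerShell 5.1 script audits a release directory before it ships: it reports each binary's Authenticode status, signer and timestamp, flags certificates that appear to be EV (a heuristic that looks for the CA/Browser Forum EV code-signing policy OID 2.23.140.1.3 in the Certificate Policies extension, relying on the Windows formatter behind X509Extension.Format), and warns when one certificate has signed files belonging to more than one product, which is the sharing the advice above warns against. The directory path, the file extensions scanned and the use of the version resource's ProductName to identify a product are illustrative assumptions.

```powershell
# Added example, not Microsoft's code: audit the Authenticode signatures in a release tree.
# Assumptions: $ReleaseDir is a built output directory; EV detection is a heuristic based on
# the CA/Browser Forum EV code-signing policy OID (2.23.140.1.3) and relies on the Windows
# CryptoAPI formatter behind X509Extension.Format(); ProductName identifies a product.
param([string]$ReleaseDir = '.\release')

$EvCodeSigningPolicyOid = '2.23.140.1.3'

function Test-EvCodeSigningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The Certificate Policies extension (OID 2.5.29.32) lists the policy identifiers the CA asserted.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $ext) { return $false }
    return [bool]($ext.Format($true) -match [regex]::Escape($EvCodeSigningPolicyOid))
}

function Get-SigningReport {
    param([string]$Dir)
    $files = Get-ChildItem -Path (Join-Path $Dir '*') -Recurse -Include *.exe, *.dll, *.sys, *.msi
    foreach ($f in $files) {
        $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $f.FullName
            Product     = $f.VersionInfo.ProductName
            Status      = $sig.Status                 # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = if ($cert) { $cert.Subject }    else { $null }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
            Expires     = if ($cert) { $cert.NotAfter }   else { $null }
            IsEV        = if ($cert) { Test-EvCodeSigningCert $cert } else { $false }
            # An RFC 3161 timestamp keeps the signature verifiable after the certificate expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }
}

function Find-SharedCertificates {
    param([object[]]$Report)
    # Reputation accrues to the certificate, so one certificate across several products
    # means a detection on any of them drags the others down with it.
    foreach ($group in ($Report | Where-Object { $_.Thumbprint } | Group-Object -Property Thumbprint)) {
        $products = @($group.Group | ForEach-Object { $_.Product } | Where-Object { $_ } | Sort-Object -Unique)
        if ($products.Count -gt 1) {
            [pscustomobject]@{ Thumbprint = $group.Name; Products = $products }
        }
    }
}

$report = @(Get-SigningReport -Dir $ReleaseDir)
$report | Format-Table File, Status, IsEV, Timestamped, Signer -AutoSize

foreach ($r in $report | Where-Object { $_.Status -ne 'Valid' }) {
    Write-Warning "No usable signature on $($r.File): $($r.Status)"
}
foreach ($r in $report | Where-Object { $_.Status -eq 'Valid' -and -not $_.Timestamped }) {
    Write-Warning "$($r.File) is signed but not timestamped; the signature will stop verifying once the certificate expires"
}
foreach ($shared in Find-SharedCertificates -Report $report) {
    Write-Warning ("Certificate {0} is shared by {1} products: {2}" -f $shared.Thumbprint, $shared.Products.Count, ($shared.Products -join ', '))
}

# Signing itself, once the audit is clean (signtool from the Windows SDK; for EV the private
# key stays on the vendor's hardware token and the certificate is selected by thumbprint):
#   signtool sign /fd SHA256 /sha1 <cert thumbprint> /tr <RFC 3161 timestamp URL> /td SHA256 <file>
```

Run it as `.\Audit-Signatures.ps1 -ReleaseDir C:\build\out` on the machine that produced the build. The shared-certificate warning is the one to act on per product line: a separate certificate for a bundler or ad-supported edition keeps a detection on that edition from dragging down the rest of the catalogue.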

Microsoft also said developers should avoid file obfuscation, installing into non-standard locations, and using names that don't reflect the purpose of the software, all of them traits commonly found in malware. "When programs employ malware-like techniques, they trigger flags in our detection algorithms and greatly increase the chances of false positives."

Another indicator Microsoft uses is the reputation of other programs the file is associated with -- what the program installs, what's installed at the same time as the program, or what's seen on the same machines as the file.

"Not all of these associations directly lead to detections; however, if a program installs other programs or files that have poor reputation, then by association that program gains poor reputation," said Microsoft.
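As an added example, not Microsoft's code and not its classifier logic, the following Windows PowerShell 5.1 script runs a pre-release self-check for the malware-like traits described above: whether the install directory sits under a conventional root, whether any executable looks packed or obfuscated (whole-file Shannon entropy above an assumed threshold of 7.2 bits per byte), whether each program's file name is reflected in its version resource, and whether every bundled component carries a valid signature of its own, since the reputation of what a program installs alongside itself rubs off on the program. The allowed roots, the threshold and the name-matching rule are assumptions chosen for illustration.

```powershell
# Added example, not Microsoft's code: pre-release self-check for the traits the text lists
# as malware-like. The allowed install roots, the entropy threshold and the name-matching
# rule are assumptions made for illustration, not Microsoft's classifier logic.
param([Parameter(Mandatory)][string]$InstallDir)

# Assumption: conventional per-machine and per-user install roots.
$AllowedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, (Join-Path $env:LOCALAPPDATA 'Programs')) |
    Where-Object { $_ }

# Assumption: packed or encrypted PE sections push whole-file entropy close to 8 bits/byte,
# while ordinary compiled code and resources usually sit well below this.
$EntropyThreshold = 7.2

function Test-ConventionalInstallPath {
    param([string]$Path)
    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd('\') + '\'
    foreach ($root in $AllowedRoots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($full.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ShannonEntropy {
    param([string]$Path)
    # Reads the whole file; fine for installer payloads, slow for very large binaries.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Test-NameMatchesMetadata {
    param([System.IO.FileInfo]$File)
    # Heuristic: the file name should appear in (or contain) the product name,
    # file description or internal name recorded in the version resource.
    $normalize = { param($s) ([string]$s -replace '[^a-z0-9]', '').ToLowerInvariant() }
    $base = & $normalize $File.BaseName
    if (-not $base) { return $true }
    $vi = $File.VersionInfo
    foreach ($field in @($vi.ProductName, $vi.FileDescription, $vi.InternalName)) {
        $n = & $normalize $field
        if ($n -and ($n.Contains($base) -or $base.Contains($n))) { return $true }
    }
    return $false
}

function Invoke-PreReleaseCheck {
    param([string]$Dir)
    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not (Test-ConventionalInstallPath $Dir)) {
        $findings.Add("Install location '$Dir' is outside the conventional roots")
    }
    foreach ($f in Get-ChildItem -Path (Join-Path $Dir '*') -Recurse -Include *.exe, *.dll) {
        $e = Get-ShannonEntropy $f.FullName
        if ($e -gt $EntropyThreshold) {
            $findings.Add(("{0}: entropy {1:N2} bits/byte suggests packing or obfuscation" -f $f.Name, $e))
        }
        if ($f.Extension -eq '.exe' -and -not (Test-NameMatchesMetadata $f)) {
            $findings.Add("$($f.Name): file name does not reflect its version metadata")
        }
        # Bundled components carry their own reputation; an unsigned or foreign-signed
        # component installed alongside the product rubs off on the product.
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') {
            $findings.Add("$($f.Name): component not validly signed ($($sig.Status))")
        }
    }
    return $findings
}

$results = Invoke-PreReleaseCheck -Dir $InstallDir
if ($results.Count -eq 0) { 'No malware-like traits found' } else { $results | ForEach-Object { Write-Warning $_ } }
```

Run it against the directory the installer actually produces on a test machine (for example `.\Check-Release.ps1 -InstallDir "$env:ProgramFiles\Contoso Editor"`, a made-up product name). The entropy check is a coarse proxy: a legitimately compressed resource will trip it, so treat a hit as a prompt to look, not a verdict, and keep the expected findings to zero before a release goes to customers.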

Microsoft also set out the definitions it uses for classifying files:

  • Malicious software: Performs malicious actions on a computer
  • Unwanted software: Exhibits the behaviour of adware, browser modifier, misleading, monitoring tool, or software bundler
  • Potentially unwanted application: Exhibits behaviours that degrade the Windows experience
  • Clean: We trust the file is not malicious, is not inappropriate for an enterprise environment, and does not degrade the Windows experience
