A false alarm is when an antivirus program says a virus is present when there is no virus. This page covers the different categories of false alarms and what to do about them. The most important thing is to be sure to use the correct update and the latest version of the antivirus program you are using. It is also highly recommended to double check with another antivirus, maybe even two or more. If you're still having problems, check to see how to send a sample to the antivirus program manufacturer.

Antivirus Program Reports a Virus in Memory

If an antivirus program detects a virus in memory you should boot from a clean disk and scan the hard drive. If no virus is found on the hard drive, then it was a false alarm.

Antivirus Program Reports a Virus in a File

HLL Viruses

These viruses are written in a High Level Language such as Pascal, BASIC or C. Since they consist mostly of "canned code", it is much harder to select a "signature" that won't cause false alarms.

HLLC or HLL.cmp

HLLC or HLL.cmp both mean a High Level Language Companion virus. A companion virus is a virus that takes advantage of a quirk in DOS.

If there is a file called PROGRAM.COM and a file called PROGRAM.EXE in the same directory and you type PROGRAM at the DOS prompt, then PROGRAM.COM will be the file that DOS runs.

Once the virus in PROGRAM.COM runs, then the virus runs PROGRAM.EXE so you don't notice anything.

The file being infected, PROGRAM.EXE, doesn't change, but PROGRAM.COM did not exist until the virus created it. The solution is to simply delete the COM file.

If there really is a companion virus, then the antivirus program will find it in a COM file and there will be an EXE file by the same name in the same directory. Otherwise, it's a false alarm.
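The check described above can be scripted. The example below is an added illustration, not code from the original page: it lists every .COM file that has a same-named .EXE beside it (matching case-insensitively, as DOS does) and then applies the page's rule to a single HLLC/HLL.cmp detection. The sample directory it builds is constructed for the demonstration and contains placeholder bytes only, not real programs; the function names are the author's own choices.

```python
import os
import tempfile
from pathlib import Path


def find_companion_candidates(directory):
    """Return (com_path, exe_path) pairs in `directory` where a .COM file shares
    its base name with a .EXE file. Matching is case-insensitive because DOS
    filenames are; only regular files are considered."""
    by_stem = {}
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        stem, ext = os.path.splitext(entry.name)
        ext = ext.lower()
        if ext in (".com", ".exe"):
            by_stem.setdefault(stem.lower(), {})[ext] = entry.path
    return [(files[".com"], files[".exe"])
            for _, files in sorted(by_stem.items())
            if ".com" in files and ".exe" in files]


def triage_hllc_detection(flagged_path):
    """Apply the page's rule to one HLLC / HLL.cmp detection.

    A genuine companion virus lives in a .COM file that has a same-named .EXE
    in the same directory. Any other situation is classified as a false alarm.
    Returns a short verdict string starting with either 'possible companion
    virus' or 'false alarm'."""
    flagged = Path(flagged_path)
    if flagged.suffix.lower() != ".com":
        return "false alarm: companion viruses live in .COM files, not %s" % flagged.suffix
    for com, exe in find_companion_candidates(flagged.parent):
        if Path(com).name.lower() == flagged.name.lower():
            return "possible companion virus: %s shadows %s" % (flagged.name, Path(exe).name)
    return "false alarm: no .EXE named %s in the same directory" % flagged.stem


def build_sample_dir():
    """Create a constructed sample directory (not a real infection) and return
    its path. PROGRAM.COM beside PROGRAM.EXE mimics the companion pattern;
    LONE.COM, OTHER.EXE and README.TXT are unpaired and must not be flagged."""
    d = tempfile.mkdtemp(prefix="companion_demo_")
    for name in ("PROGRAM.EXE", "PROGRAM.COM", "LONE.COM", "OTHER.EXE", "README.TXT"):
        # placeholder content, constructed for the demo only
        Path(d, name).write_bytes(b"placeholder bytes")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for com, exe in find_companion_candidates(sample):
        print("candidate pair:", Path(com).name, "/", Path(exe).name)
    for name in ("PROGRAM.COM", "LONE.COM", "OTHER.EXE"):
        print(name, "->", triage_hllc_detection(os.path.join(sample, name)))
```

A pair turning up only means the page's condition is met and the .COM file deserves a closer look with an updated scanner or a sample sent to the vendor; legitimate software occasionally ships a .COM and .EXE with the same name, so the listing is a triage aid, not a verdict on its own.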

HLLO or HLL.ow

HLLO or HLL.ow both mean a High Level Language Overwriting virus. An overwriting virus replaces the host file with itself and doesn't store the original file anywhere. These viruses are very obvious and unlikely to be a threat. If the file the antivirus program says is infected still works, then it is a false alarm. Some antiviruses call Dmsetup worms HLLO.DM_Setup even though they aren't really HLLO viruses.

HLLP

These are High Level Language Parasitic viruses. They modify but don't destroy the original file. HLLP viruses known to be "in the wild" are the HLLP.Krile family, the HLLP.Weed family, and the Win32.HLLP.Detroie (a.k.a. Cheval De Troie or Sockets de Troie) family.

Macro Viruses

Word macro viruses are usually preceded by WM.name or WORD.name. If a Word macro virus is detected anywhere except a Word document, then it's probably a false alarm.

Polymorphic Viruses

Polymorphic viruses encrypt their code and generate a random decryptor for each file. Some antivirus programs still use methods that are susceptible to false alarms. If only a single file is reported to be infected or the file reported to be infected is a data file, then it's likely a false alarm. Some polymorphic viruses that sometimes create false alarms are MtE.Encrypted, Virogen.Asexual, Mnemonix, TPE.Bosnia, and Win95/Coke.22231.

SUHDLOG.DAT

This is a backup of the boot sector of the hard drive created when Windows 95 is installed. A boot sector virus is not infectious when it is in a file. If a virus is found in this file, it means that the boot sector was infected before Windows 95 was installed. If this alarm worries you, it is safe to delete this file.

Joke Programs

A joke program is not a virus. For example, a joke program could pretend that it is deleting files, while it is not really doing anything. They are not viruses, but some of them are detected because:
  1. They cause behaviour that causes users to suspect a virus.
  2. Customers send samples and ask why the antivirus doesn't detect it.
  3. Antivirus companies add detection of the joke program to avoid further questions about the joke program.

Antivirus Program Reports a Virus in a Boot Sector

A boot sector is a part of the disk that is not part of any file. A regular boot sector's purpose is to load the operating system. Some security programs, disk managers, or operating systems add additional functionality to the boot sector. Antivirus programs could pick up unusual code in the boot sector and warn about a possible unknown virus. This kind of warning will have a name like Generic Boot, GenB, Probable Unknown Boot Sector Virus, Bloodhound.MBR, Bloodhound.Boot.String or UAVP_Gosub_Par. The antivirus program manufacturer will be interested in fixing it if it is a false alarm, or in adding detection of a new virus. Make sure you are using the latest update. If the latest update doesn't warn about the virus anymore, then it was a false alarm. If it still thinks the boot sector is infected with an unknown virus, then send a sample to the manufacturer. They can either fix the false alarm or add detection for the new virus.

If you suspect a false alarm:

  1. Make sure you are using the latest virus data files and latest engine.
  2. Check with another antivirus program or two.
  3. If it is a joke program, be aware that some antivirus companies do not add detection of harmless joke programs to their product.
  4. Send a sample to your antivirus company's virus analysis department. You can send a sample to more than one antivirus company, but don't forget to send a sample to the company that you gave the suspected false alarm (Company X can't fix a false alarm in Company Y's product).
  5. Check the Message Forum for information.
  6. E-Mail me if you have any questions or comments.