Sense with Cents


If I Had a Nickel for Every False Positive

May 4, 2026

If I had a nickel for every time a security program falsely flagged our software as a threat, I’d be buried in nickels. And those are just the ones I know about. For every false positive that reaches me, there are likely many more where a potential customer never wrote in at all. I am not raising this as a complaint. I am sharing with you what I have observed across forty years of small-software development. The email comes in — “Your installer is a virus,” or “The antivirus quarantined the program,” or “My IT guy says you’re malware.” Sometimes there is no email at all, just a customer trying to open a program that no longer opens, because the security software has quietly deleted it. And sometimes there is no email even after that — the customer simply moves on, assuming Medlin did something wrong, never knowing that a third party broke their software for them. They are doing what they were told to do: trust the security software. None of this is their fault.

The story almost always ends the same way once we walk through it. The file is fine. The program is the same one they have used for years. What changed was a definition update at the antivirus vendor. Something in there decided that a small Windows program from a small developer looked suspicious. So it got flagged. And the customer got a scare.

One thing worth getting on the record before going further. Jerry Medlin started writing this software in the late 1970s — for his own use first, and to share with friends and colleagues. Medlin Software’s first commercial sale was in 1984. The first commercial antivirus products did not exist until 1987. So however you measure it — from the original code or from the first paying customer — Medlin predates the entire commercial antivirus industry. We are older than McAfee. We are older than Norton AntiVirus. When one of these vendors decides our software looks suspicious, it is the new kid on the block flagging the old-timer as unfamiliar. We were here first. We will probably be here last too, the way some of these AV companies keep getting bought, broken, and rebranded.

This was bad before heuristics — which is wild-guessing, if you have not heard the term used in polite company — and it is almost untenable now. The signature-matching era at least had the decency to be wrong about a specific named thing. Now the security software does not know what it is looking at, just that it is unfamiliar, and unfamiliar is treated as guilty until proven otherwise. The smaller the developer, the more unfamiliar, the more often you get flagged.

Here is the not-so-secret secret. Antivirus can only properly catch what is already in the wild. By the time a threat has a signature, somebody already got hit with it. AV is a bandage after the fact. The vendors know this, which is why they layered guessing on top — the heuristics, the behavior detection, the “we noticed something unusual” warnings. The guessing is less than half accurate.

And here is the part that bothers me most. Antivirus companies make money by being wrong. A false positive gives the customer the illusion they are protected — the software found something, surely it is doing its job — even though the customer then has to disable or bypass the very security they are paying for in order to install or run software they trust. The wrong answer feels like the right answer. The customer renews next year. The cycle continues.

Here is the tell. The classic advice when installing legitimate software has long been: “temporarily disable your antivirus while you install this.” Read that sentence again. The thing you are paying to protect you needs to be turned off so you can use the computer for its intended purpose. Then turned back on. Assuming you remember to turn it back on. If a security product’s own users are routinely told to disable it to do normal work, that is not protection — that is theater with the customer paying admission.

The one shining star in this picture, in my experience, is the security software built into Windows itself. Microsoft Defender. Not over-aggressive. Few false positives. Quietly competent. It is not perfect, but it is the only one I can recommend without grimacing.

It is worth thinking about why. Microsoft owns the operating system. When Windows machines get infected, Microsoft pays a price for it — in reputation, in support resources, in the perception that Windows is the unsafe choice. Those costs land on Microsoft regardless of which third-party antivirus was supposed to be standing guard. So Microsoft has the rare incentive in this industry: properly protecting you means you do not have to call or write them, and the platform keeps its good name. That is great motivation. Compare it to a third-party AV vendor whose business model rewards visible activity — warnings, scans, scares, renewals. The incentives point in different directions, and you can feel the difference in how the two products behave.

The same principle operates on a much smaller scale here at Medlin. Every support question I get, I think about how to make sure no one ever has to ask it again. A clearer message in the program. Better wording in the help text. A tweak to how the software behaves at the moment of confusion. The next person who lands in that same spot does not need to write to me — the program just works. No extra charge support, since 1984. Preventing the next question is a big part of why I am able to offer it that way and keep doing it. The customer wins twice: a program that does not need help, and free help when it does. The save-money-by-being-good motivator can be more powerful than the earn-money one. It is certainly more honest.

Pair Defender with what used to be called “safe hex” — do not open unexpected attachments, watch where you click, do not install software from places you have never heard of. Old-timers will catch the wordplay; younger readers may need a minute. Either way, safe hex plus Defender will protect you better than most of the expensive third-party suites people pay for. Because you will not be turning your security off to install things, and forgetting to turn it back on.

A note for the programmers reading, and this is not a secret — most coders know it, and the bad actors definitely know it. Changing one letter in your source code from upper case to lower case can sometimes be enough to fool security software completely. The compiled binary is materially the same program doing the same thing. The hash is different, and the detection loses the trail. I have seen it work. I have done it. It is one of the ways we get past stretches when one antivirus vendor decides to start picking on Medlin. Think about what that says about the protection. If a one-character source edit defeats it, what is it actually catching?

For a time, small developers got penalized for writing efficient code. Lean, clean executables looked suspicious next to the bloated installers from large software companies. Smaller meant less familiar, less familiar meant guilty. Some compilers literally included a function to pad the final executable to a larger size, so the app would look less like trouble. The detection was punishing efficiency.

Here is another one most people do not know. Developers can submit apps to AV vendors when their software gets flagged as a false positive. The process varies. Most vendors will look at the specific file in question and remove the false flag in their next definition update. Some — not all — offer a more formal whitelisting program where a developer with a clean track record can have their code-signing certificate added to a trusted list, after which files signed with that certificate face less scrutiny going forward. Microsoft Defender is on the conservative end here: they do not maintain a public whitelist program and do not auto-trust signed files. Other vendors are more lenient.

I have submitted Medlin software for review myself, more than once, when a false positive was costing me business. It works in the moment. But over time I stopped — the same fight had to be fought every release, with every vendor, and the time was better spent elsewhere. The system rewards the developer who knows how to navigate it, not necessarily the developer whose code is safest. And once a developer’s certificate is deemed trustworthy at one of the more lenient vendors, subsequent files signed with it can sail through with little or no analysis until the certificate expires or is revoked. Combine that with the one-letter-case dodge above and you start to see how much of antivirus is held together with handshakes and shortcuts rather than first-principles inspection of every file.

What you can trust as a relatively reliable signal is code signing. If an app is signed with a real code-signing certificate, the developer has paid considerable money to prove who they are to a certificate authority. Most bad actors do not bother — not because they cannot, but because the cost and the paper trail are not worth it for malware with a short useful life. Signing is not a guarantee. Rare cases exist where a third-party process piggybacks on a signed app, usually on systems already infected and spreading. But for the everyday question of “is this file from who it claims to be from,” signing is a strong hint.

What code signing actually looks like for the average small developer, in case you are curious. You prove who you are to a certificate authority — identity documents, business records, the works. You pay a substantial fee. And you receive a special secured USB dongle that has to be physically connected to the computer when you sign an app installer. Payroll software needs to be able to push updates whenever needed — the days when tax withholding was set in December for the full following year ended in the mid 1990s, if not earlier. Mid-year changes happen, and customers expect the fix to be ready when they do. We have about fifty updates every payroll year.

So when I am away from the office for more than a day, I drag the dongle along and try not to lose it. There is an online key-storage option some developers use, but I have stuck with the dongle — for my situation, I think the physical key is safer than handing the keys to a third party. None of this is news to other developers, but most customers I have talked to over the years had no idea any of this was involved.

Practical tip while we are on signing. Before you open a file, check whether it is signed and who signed it. On Windows, right-click the file, choose Properties, and look for the Digital Signatures tab. If the tab is there, the signature is valid, and the signer is the company you expect, that is meaningful. If there is no Digital Signatures tab at all, that does not automatically mean trouble — plenty of legitimate small utilities are unsigned — but it does mean you have less to go on. Combined with where the file came from, it is part of the picture.
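The same check, done from PowerShell so it can be repeated over a whole download folder. This is an added example, not code from the post or from Medlin; the file path and the expected publisher name are placeholders, and the function name `Test-ExpectedSigner` is my own. It uses the built-in `Get-AuthenticodeSignature` cmdlet, which reports the same information the Digital Signatures tab shows, plus whether the file was timestamped at signing.

```powershell
# Added example (not from the post): inspect a file's Authenticode signature and
# compare the signer against the publisher you expect to see.
# Assumptions: $Path and $ExpectedPublisher are placeholders you supply.

function Test-ExpectedSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # e.g. 'Example Software Inc' (placeholder)
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError.
    # NotSigned is the equivalent of "no Digital Signatures tab at all".
    if ($sig.Status -eq 'NotSigned') {
        return [pscustomobject]@{
            Path = $Path; Result = 'Unsigned'
            Detail = 'No signature present; judge the file by where it came from'
        }
    }

    # HashMismatch means the file content no longer matches what was signed:
    # tampered with or corrupted in transit. Treat that as worse than unsigned.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Result = 'Invalid'; Detail = $sig.StatusMessage }
    }

    $cert = $sig.SignerCertificate
    $signerMatches = $cert.Subject -like "*$ExpectedPublisher*"

    # A timestamp counter-signature is what keeps an installer's signature valid
    # after the signing certificate itself has expired.
    $timestamped = $null -ne $sig.TimeStamperCertificate

    [pscustomobject]@{
        Path        = $Path
        Result      = if ($signerMatches) { 'SignedByExpected' } else { 'SignedByOther' }
        Signer      = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Timestamped = $timestamped
        Detail      = if ($signerMatches) { 'Signer matches the expected publisher' }
                      else { 'Valid signature, but from a different publisher than expected' }
    }
}

# Usage (placeholder path and publisher):
# Test-ExpectedSigner -Path 'C:\Downloads\setup.exe' -ExpectedPublisher 'Example Software Inc' | Format-List

# Batch form: check every installer in a download folder at once.
# Get-ChildItem 'C:\Downloads' -Include *.exe, *.msi -Recurse |
#     ForEach-Object { Test-ExpectedSigner -Path $_.FullName -ExpectedPublisher 'Example Software Inc' } |
#     Format-Table Path, Result, Signer, Timestamped
```

`SignedByOther` is the case worth a second look: the signature is real, but it was not made by the company whose software you think you downloaded. That is exactly the "is this file from who it claims to be from" question the post describes signing as a strong hint for.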

Now, why does this happen to small developers in particular? The big antivirus vendors learn from what they see. Programs from Microsoft, Adobe, Intuit — the giants — show up everywhere, all the time, so the detection learns them. A small developer’s program shows up much less often. The same code patterns that are perfectly normal in a small Windows app can look unusual to a system that has mostly trained on huge corporate software. Add in the fact that our program touches the printer, files on disk, and the network — all things malware also touches — and you have the recipe for a false positive.

You can pay your way out of some of this. Code-signing certificates help. Submitting binaries to the major vendors for whitelisting helps. We do these things. They reduce the noise but they do not eliminate it. Every new build is a new file, with a new hash, and the cycle starts over. Some weeks are quiet. Some weeks my inbox lights up because one vendor pushed an aggressive update overnight.

The part that bothers me is not the technical reality — software is hard, detection is hard, I get it. The part that bothers me is the asymmetry. When a giant vendor is falsely flagged, it gets fixed quickly because the giant has a direct line. When a small developer is falsely flagged, the customer is the one who pays. They lose time. They get scared. Sometimes they delete the program and email us in a panic asking how to get their data back. The cost lands on them and on us, never on the security vendor that made the mistake.

And the customer often cannot tell the difference. A real malware warning and a false positive look the same on screen. The customer is not equipped to evaluate which is which — they were never supposed to be. That is the whole point of paying for security software. So when it cries wolf, it does real damage to the trust the customer placed in the warning. After the third false positive, some customers start ignoring warnings altogether, which is exactly the wrong outcome.

Sometimes the failure is not even a warning — it is silence. In recent months this has become the most common version of the problem we see. And the worst case of all: the customer opens our App A and it runs fine. Then they try to open our App B from the same folder and nothing happens at all. No error. No popup. No quarantine notice. Just nothing. The reason is that the security software has quietly removed or blocked App B and decided not to mention it. App C and App D are sitting right there in the same folder, from the same vendor, signed with the same valid code-signing certificate. The security software ignored them — yes, ignored them — and picked App B specifically. There is no consistent logic the customer or I can use to predict it. The customer just knows their software is broken and emails us — if they email us at all.

So what do you do, on the receiving end, when a security program flags software you trust?

First, slow down. The warning is not an emergency. The file is not actively doing anything because it is quarantined. You have time to think.

Second, check the source. Did you download the program from the developer’s actual website? Or from a search-result link, an email attachment, a USB stick from someone? If you got it directly from the developer you trust, the odds of it being a real threat are very low. If you got it some other way, the warning may be telling you something real.

Third, look at what is being flagged and how. The name of the threat is often a generic label like “Heur.Suspicious” or “Trojan.Generic” — that is heuristic-speak for “I am guessing.” A specific named threat is more credible than a generic guess. And if the file is signed by a developer you recognize, that is another point in its favor.

Fourth, contact the developer. Let them know.

Fifth, if you decide it is a false positive, your security software has a way to mark the file as safe — an exception, an exclusion, an allow-list. Use that feature rather than turning the security software off. And report the false positive back to the vendor. Most of them have a one-page form. It takes a few minutes and it helps the next person.
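For readers on Windows with Microsoft Defender, here is what the silent-removal case and the "add an exception instead of turning it off" step look like from the command line. This is an added example, not code from the post or from any vendor; the folder and file paths are placeholders, and the three function names are my own. The cmdlets (`Get-MpThreatDetection`, `Get-MpThreat`, `Get-WinEvent`, `Add-MpPreference`, `Get-MpPreference`) are part of Windows; run the script from an elevated PowerShell window.

```powershell
# Added example (not from the post): find out what Defender quietly did to a
# program, then allow that one file rather than disabling protection.
# Assumptions: paths are placeholders; Windows 10/11 with Defender; run as Administrator.

function Get-DefenderActionsOnFolder {
    param([Parameter(Mandatory)] [string] $Folder)

    # Map ThreatID -> human-readable name (e.g. a generic 'Trojan:Win32/...' label).
    $threatNames = @{}
    Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

    # Every recorded detection whose affected resource lives under $Folder.
    # This is where "App B just does nothing" usually shows up: quarantined, no popup.
    Get-MpThreatDetection |
        Where-Object { ($_.Resources -join ';') -like "*$Folder*" } |
        ForEach-Object {
            [pscustomobject]@{
                When       = $_.InitialDetectionTime
                File       = ($_.Resources -join ';')
                ThreatName = $threatNames[$_.ThreatID]
                Process    = $_.ProcessName
                Succeeded  = $_.ActionSuccess
            }
        }
}

function Get-RecentDefenderEvents {
    param([int] $Hours = 24)
    # Event 1116 = malware/unwanted software detected, 1117 = action taken (quarantine, remove).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Add-DefenderFileExclusion {
    param([Parameter(Mandatory)] [string] $FilePath)
    # One file, not a whole drive, and only after the earlier steps: source
    # checked, signature checked, developer contacted.
    if (-not (Test-Path -LiteralPath $FilePath)) { throw "File not found: $FilePath" }
    Add-MpPreference -ExclusionPath $FilePath
    # Return $true if the exclusion is now in effect.
    (Get-MpPreference).ExclusionPath -contains $FilePath
}

# Usage (placeholder paths):
# Get-DefenderActionsOnFolder -Folder 'C:\Program Files\ExampleVendor' | Format-Table
# Get-RecentDefenderEvents -Hours 72 | Format-Table -Wrap
# Add-DefenderFileExclusion -FilePath 'C:\Program Files\ExampleVendor\AppB.exe'
#
# To bring a quarantined file back once you have decided it is a false positive,
# Defender's command-line tool can list and restore quarantine entries:
#   & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
#   & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -FilePath 'C:\Program Files\ExampleVendor\AppB.exe'
# Then report the false positive to Microsoft at https://www.microsoft.com/wdsi/filesubmission
```

The order matters: look at the detection record and the threat name first (a generic label is the "I am guessing" tell from the third step), restore and exclude the specific file second, and report it last so the next customer does not hit the same definition update.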

Now the part for the security industry, in case anyone there is reading. The current state of false positives is not acceptable, and pretending it is hurts your credibility more than it hurts ours. Small developers are not your enemy. We are not the people writing ransomware. We are the people writing the niche tools that businesses depend on. When your detection flags us, you are not protecting the user — you are scaring them away from working software they paid for.

Two voices from inside the industry are worth pausing on. Both said the quiet part out loud.

In May 2014, Brian Dye, then senior vice president for information security at Symantec — which owned Norton at the time — told the Wall Street Journal that antivirus “is dead.” He estimated that traditional antivirus caught only about forty-five percent of cyberattacks. He added that Symantec did not think of antivirus as a moneymaker anymore. This was a sitting executive at the largest player in the industry, on the record, in the country’s biggest business newspaper. The product his company sold was catching fewer than half of the threats it claimed to protect against, and he said so out loud. The industry kept selling it anyway. The cycle continues.

The other voice is John McAfee, who founded one of the first commercial antivirus companies in 1987 and later became a vocal critic of the product that still carries his name. In 2013 he made a mocking video about how to uninstall it. In a 2015 Reddit AMA he called it, in saltier language, one of the worst products on the planet. His late life was complicated and I am not holding him up as a moral authority. But on the narrow point that the product carrying his name was not serving its customers, the man who built the original agreed with the executive at the largest competitor.

A reasonable industry would have a clear, free, fast process for any developer to submit a binary and get a real answer about why it tripped the detection. Not a black-box rejection. Not a form that goes nowhere. An actual answer, in a reasonable time, from a human who can fix it. Some vendors do this better than others. Most do it badly. The asymmetry of cost is the reason — the cost of a false positive falls on the developer and the customer, not on the vendor, so the vendor has no real pressure to fix it.

And if you are at a security vendor, please — small developers are part of the ecosystem you say you protect. Treat us that way.

One last thing, in case it sounds like I am against security in general. I am not. There are good security products out there. I just do not see many of them at the consumer level. Here is what forty years in this business has actually shown me.

In all that time, exactly one virus has ever made it onto a Medlin device. One. The story is worth telling because of where it came from, with the disclaimer that this is how I remember it — the events were before my time and the story was handed to me. Family members may read this and correct details, and I will update the post if they do.

As I understand it, Jerry bought a new computer from a local shop — the kind of place that built machines from parts. Their method of getting the operating system onto the new computers turned out to be infected. The box came into the office pre-infected, before anyone had touched it. It was caught because the practice even then was to scan all new devices, which was the standard advice in the late 1980s or early 1990s. That advice still holds today. Scan a new device before you trust it. The threat was not in our email, not on a website we visited, not in software we downloaded. It was sitting in the box on the day it arrived.

I can remember catching infected floppies too. Customers would mail in disks with their data — payroll records, employee files, whatever needed our help — and we scanned every one before opening anything. Now and then the scan caught something. Then came the tricky call: telling the customer their floppy had a virus, that we caught it before it reached us, and that they should check their own systems.

One virus in forty years, caught by basic discipline, on a network running businesses that handle payroll for thousands of small employers. That is the actual track record. Make of it what you will.

For the average computer user, Defender plus safe hex plus a real backup is the complete answer. No subscription required. The backup matters more than ever in the ransomware era — if your files ever do get encrypted by criminals demanding payment, your recovery does not depend on negotiating with them.

One more thing worth mentioning. Use a recent computer, one capable of running Windows 11. Why Windows 11? It is the only version of Windows still in mainstream support. Sure, you can keep using an outdated version. But why would you, given the security gap that widens every month a system stops receiving updates? The data on your computer is important, often vital. It makes sense to budget a hundred to a hundred and fifty dollars a year toward replacing the box every five years or so. The old computer can sit in a closet, tucked away safely, ready to spin up if you ever need it.

Beyond Defender, Windows has a pile of free built-in controls that most people don't know about. You can restrict who is allowed to install software. You can restrict which folders programs are allowed to run from. You can require administrator approval for changes to the system. None of this costs anything. All of it is sitting there waiting to be turned on. It is worth a look, especially on a machine that runs a business.
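A read-only way to see which of those built-in controls are actually on. This is an added example, not code from the post; the function name `Get-BuiltInControlStatus` is my own, and it assumes Windows 10 or 11 with Defender, run from an elevated PowerShell window (AppLocker policy and local group membership need administrator rights to read). It changes nothing; the one line that turns a control on is shown as a comment at the end.

```powershell
# Added example (not from the post): audit the free Windows controls the post
# refers to (who may install, where programs may run from, admin approval).
# Assumptions: Windows 10/11 with Defender; run as Administrator. Read-only.

function Get-BuiltInControlStatus {
    # Administrator approval for system changes (UAC). EnableLUA = 1 means on.
    # ConsentPromptBehaviorAdmin: 0 = never prompt, 2 = always prompt on the secure
    # desktop, 5 = default (prompt for non-Windows binaries).
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Who is allowed to install software: every member of Administrators can.
    # Day-to-day accounts should not be in this list.
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name

    # Defender state, including Controlled Folder Access (ransomware protection
    # for documents folders) and tamper protection of Defender's own settings.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Where programs may run from: AppLocker effective policy. Zero rules means
    # nothing is restricted; rule types are path, publisher (signature) and hash.
    $appLockerRules = 0
    try {
        $policy = [xml](Get-AppLockerPolicy -Effective -Xml)
        $appLockerRules = $policy.SelectNodes('//FilePathRule | //FilePublisherRule | //FileHashRule').Count
    } catch { }

    [pscustomobject]@{
        UacEnabled             = [bool] $uac.EnableLUA
        AdminPromptBehavior    = $uac.ConsentPromptBehaviorAdmin
        LocalAdministrators    = $admins
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        TamperProtection       = $status.IsTamperProtected
        SignaturesLastUpdated  = $status.AntivirusSignatureLastUpdated
        ControlledFolderAccess = $pref.EnableControlledFolderAccess   # 0 = off, 1 = on, 2 = audit
        AppLockerRuleCount     = $appLockerRules
    }
}

# Usage:
# Get-BuiltInControlStatus | Format-List
#
# The single most useful switch for a business machine, once the audit shows it off
# (start in AuditMode for a week if you want to see what it would have blocked):
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Reading the result: a `LocalAdministrators` list with more than one or two names, `ControlledFolderAccess` of 0, and an `AppLockerRuleCount` of 0 together mean none of the free controls the post mentions have been turned on, which is the usual state of a machine out of the box.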

If you are not sure where to start, this is exactly the kind of question AI is good at. Ask something like: “What are easy steps I can take to make my Windows PC safer, for free, using the tools that are already built in?” You will get a useful answer back, with steps you can follow at your own pace.

One more piece — this is where prosumer territory begins. Backups protect your data — if something goes wrong, you can rebuild from your last good copy. But backups do not watch the doorways. They do not see what is coming in or going out, who is allowed to talk to whom, what is being sent where. That monitoring and control piece is the missing layer in most home and small-office setups. The cheap consumer security products gesture at it but do not do it well.

The next step up, if you want it, is a prosumer-level firewall box. Models start under two hundred dollars and the mid-range options sit around five hundred or below, which is plenty for most homes and small offices. Higher-tier models exist for larger networks. Whichever model fits your situation, it is an independent device that sits between your modem and your computers and does the work that consumer security software pretends to do. It is not for everyone, but it is what I run to keep my own livelihood safe — and to make sure we remain here for you without interruption.

What does monitoring ins and outs actually buy you? Two things. First, when something does get past your other defenses and starts trying to phone home — sending your data out to somewhere it should not — the firewall sees it. Endpoint antivirus is too late at that point. The bad code is already running. The firewall is the layer that watches the door from the outside and asks where the traffic thinks it is going. Second, a good prosumer firewall comes with a threat-intelligence feed from the manufacturer. Known bad IP addresses, known malicious domains, known command-and-control servers — these are blocked automatically, often before you even know the threat exists. The provider has already protected you, and in some cases warned you about what they blocked.

Up to now I have avoided naming which firewall I run. Time to stop. I use Firewalla. It is its own dedicated hardware — its own operating system, its own memory — sitting on the network between your modem and your computers. None of what it does eats your computer’s clock cycles or memory the way endpoint security software does. Your computer keeps running at full speed; the firewall does its job in parallel. That alone is a meaningful difference from what most consumer security suites do to a Windows machine.

It walks you through setup. After that, it updates itself in the background for the most part — set and forget if that is what you want, or drill down and configure every last detail if you do not. I do both. There are several models at different price points. No monthly fee for the basic protection, which I appreciate. To be plain: I am a Firewalla customer, not a commissioned anything. I pay them, they ship me the product, that is the whole arrangement. No affiliate links, no kickbacks, no free hardware. They probably do not know I exist. If a few of you look into them after reading this, that is a small contribution to the betterment of all.

A small example to make this concrete. Firewalla lets me run separate work and home networks on the same device, easily and securely. I have no business reason to access certain countries — incoming or outgoing — so I told my firewall to block them. This was a global rule, applied across both networks. Worked great. A few days later my patient wife of forty years this fall mentioned that her favorite phone game had stopped working. It is one of those free games you keep playing by watching ads. Turns out one of the ad servers serving the game was located in one of the countries I had blocked. So I had broken her game. I had become, in that moment, exactly the AV company I have been writing about for this whole post — an automated rule blocking something legitimate without enough nuance, with somebody downstream paying the price. The customer service feedback, in this case, was delivered in person, immediately, and did not require a support ticket.

The fix was, and remains, a single permission allowing her phone to reach that one IP address in that country for those ads. Surgical exception, not a wholesale removal of the country block. That is the kind of control a good prosumer firewall lets you have. The cheap consumer products do not. If you want to talk through whether something like Firewalla is the right fit for your situation, ask. I am happy to share what I have learned setting one up.

See also: Keep Your Software Current, Help Me Help You, and Do You Really Have a Backup?