Report False-Positives To Anti-Virus Companies


Re: Report False-Positives To Anti-Virus Companies

Post by gregster » 19 Mar 2024, 09:15

slishnevsky wrote: ↑
19 Mar 2024, 07:07
  1. How can I as a user detect if it is a virus or false-positive? Is there some sort of scanner that can detect if it is a false-positive or a virus?
  2. Windows defender, when it scans downloaded file (which I know is safe, just a cracked version), it always finds some "viruses" in it and shows specific viruses names.
    I don't understand, if it is a false positive (meaning there are no actual viruses in it), then how does it figure out specific viruses' names?
Obviously, most people won't be able to determine if something is definitely a false positive, but they might have a (strong) suspicion. That's why we recommend sending the file in question to your antivirus vendor if in doubt - they should have the expertise to determine if the file is actually malicious or a false positive. In addition, you'll give them the opportunity to fine-tune their products, although I wouldn't put too much hope into long-term improvements.

Apart from the legal questions that the use of "cracked" files raises, of course they can be infected with malicious code. Antivirus software uses a lot of heuristics to identify all variants of a virus (some viruses even change their own code to avoid being identified). This means they depend on identifying certain similarities, patterns and behaviours in order to identify even yet-unknown variants of a virus. Of course, there are usually business secrets involved - that's why those AV vendors won't tell you exactly which details they are looking for. But a local scan should be fast (hence simplified and prone to producing false positives) - if you send them the files, they can have a closer look.

For AHK specifically, probably one of the main problems is that every compiled program includes the whole (powerful) AHK interpreter. This means that even if your script doesn't use keyboard hooks, the AV scan will still notice the ability - and perhaps a certain similarity to a virus which some knucklehead has created with AHK, because the whole interpreter is exactly the same in the virus and in your own app (at least if they used the same AHK version - but of course, different AHK versions still have strong similarities).

Re: Report False-Positives To Anti-Virus Companies

Post by slishnevsky » 19 Mar 2024, 07:07

Two questions:

  1. How can I as a user detect if it is a virus or false-positive? Is there some sort of scanner that can detect if it is a false-positive or a virus?
  2. Windows defender, when it scans downloaded file (which I know is safe, just a cracked version), it always finds some "viruses" in it and shows specific viruses names.
    I don't understand, if it is a false positive (meaning there are no actual viruses in it), then how does it figure out specific viruses' names?

Re: Report False-Positives To Anti-Virus Companies

Post by submeg » 19 Jan 2024, 16:05

Just ran into my first issue, which I'm assuming is AV related.
  • AHK installed for months
  • Left PC on, AV did a "background" scan
  • Tried to run SciTE, error saying it can't run the toolbar.ahk
  • Find AHK > SciTE > InternalAHK.exe has been deleted.
  • TURN OFF AV (Windows Defender already off)
  • Delete all AHK
  • Try to install AHK
  • AutoHotkeyU32.exe and AutoHotkeyU64.exe missing
What is going on here?! I am more than annoyed at this. I have reported the false positives, but I'm unsure why, even with the AV off, I can't copy the EXEs back?

Re: Report False-Positives To Anti-Virus Companies

Post by zandra_s » 19 Jan 2024, 11:25

Status update for version 2.0.11.

These vendors have cleared the flags:
Bkav Pro
Fortinet
Gridinsoft (no cloud)

Webroot has replied but refused to clear the flag. I asked for the reason and got a super vague reply about them having seen AutoHotkey being used maliciously. I have exchanged a couple of messages with them and tried to get a better explanation and the extent of the analysis. I pushed them to evaluate the safety of AutoHotkey in a scenario where the user knows what she's doing and writes her own scripts. I explained the possibility of AutoHotkey getting flagged only because it sometimes gets delivered as a malicious compiled script. Blindly analyzing these patterns an AV engine might flag the AutoHotkey part as harmful. They haven't responded for a while now. Based on the little information they have provided, I don't think they have done anything beyond a shallow look at a couple of patterns.

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 16 Jan 2024, 06:22

Another good way to get the attention of, or punish, non-responsive vendors is to apply pressure by e-mailing/contacting VirusTotal and seeking to get them removed. Removing non-responsive or bad vendors from VirusTotal helps the public in general.

My site/file has been improperly flagged as harmful (false positive)

Re: Report False-Positives To Anti-Virus Companies

Post by zandra_s » 04 Jan 2024, 14:28

Version 2.0.11 got released and currently it is flagged by 8 vendors:

Antiy-AVL
Bkav Pro
Fortinet
Gridinsoft (no cloud)
Rising
SecureAge
SentinelOne (Static ML)
Webroot

Today I contacted each company to report the file as a false positive for investigation.

Re: Report False-Positives To Anti-Virus Companies

Post by asheroto » 18 Dec 2023, 14:53

I noticed this as an issue as well with AV vendors. I have found that if you continue to email them weekly they will eventually fix the false positive. But not sure if all AV vendors will want to do this mainly because of the UI Access which could theoretically be used for bad. Process Hacker, for example, is one that many AV vendors still flag and refuse to make an exception for because it could be used for nefarious purposes.

Today I reached out to the companies listed in the table below to report AutoHotkey as a false positive.

Filename               Number of Detections   Detected By
AutoHotkey Setup       5                      Alibaba, Rising, SentinelOne, Trapmine, Webroot
AutoHotkey64_UIA.exe   3                      Alibaba, Bkav, Jiangmin
AutoHotkey32_UIA.exe   3                      Alibaba, DeepInstinct, Rising
AutoHotkey64.exe       3                      Alibaba, Bkav, Jiangmin
AutoHotkey32.exe       3                      Alibaba, Rising, Trapmine


Fortunately I am a Webroot partner and am able to contact their support more directly. If they do not remove it through the traditional route, I will reach out to my contacts and see what they say.

If an admin/moderator would like to reach out to me in a PM I will send you a script I wrote that will automatically check the number of detections for each EXE and generate the table above, as well as generating the email addresses and URLs for false positive detection reporting. 😊

I 🧑 AutoHotkey

(I am not affiliated with AutoHotkey)
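The detection-count script asheroto mentions above is not posted in the thread. The following is an added example of my own (not asheroto's script and not AutoHotkey project code) showing how such a table can be produced from a VirusTotal API v3 file report: the endpoint `GET https://www.virustotal.com/api/v3/files/{sha256}` with the `x-apikey` header is VirusTotal's real API, but the report embedded below is a constructed, abbreviated sample, and the engine names `VendorA`..`VendorD` and their verdict strings are made up for illustration.

```python
"""Summarise VirusTotal detections for release binaries (added example).

Reads a VirusTotal API v3 file report and renders a
"Filename / Number of Detections / Detected By" table.  The network
fetch is real API usage; the demo runs offline on a constructed report.
"""
import json
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

# Constructed sample: only the parts of a v3 file report this script uses.
# Engine names and verdicts are invented for the demo.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "meaningful_name": "Example64.exe",
            "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 68},
            "last_analysis_results": {
                "VendorA": {"category": "malicious", "result": "Trojan.Generic.Example"},
                "VendorB": {"category": "undetected", "result": None},
                "VendorC": {"category": "malicious", "result": "ML/Heuristic.Example"},
                "VendorD": {"category": "type-unsupported", "result": None},
            },
        }
    }
}


def fetch_report(sha256: str, api_key: str) -> dict:
    """Fetch a file report from VirusTotal by SHA-256 (network; not used by the demo)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarise(report: dict) -> dict:
    """Return the file name, number of detections and the sorted list of flagging engines."""
    attrs = report["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    # Count "malicious" and "suspicious" verdicts as detections; VT keeps separate
    # counters for them in last_analysis_stats.
    flagged = sorted(
        engine for engine, verdict in results.items()
        if verdict.get("category") in ("malicious", "suspicious")
    )
    stats = attrs.get("last_analysis_stats", {})
    # Cross-check against VT's own counters: a mismatch means the report was
    # truncated or the schema changed, which should not pass silently.
    expected = stats.get("malicious", 0) + stats.get("suspicious", 0)
    if expected != len(flagged):
        raise ValueError(f"stats report {expected} detections but results list {len(flagged)}")
    return {
        "name": attrs.get("meaningful_name", "?"),
        "detections": len(flagged),
        "engines": flagged,
    }


def render_table(rows: list) -> str:
    """Render rows from summarise() as a fixed-width text table."""
    lines = [f"{'Filename':<24}{'Number of Detections':<22}Detected By"]
    for row in rows:
        lines.append(f"{row['name']:<24}{row['detections']:<22}{', '.join(row['engines'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demo on the constructed report; swap in fetch_report(sha, key)
    # for each release binary's SHA-256 to build the real table.
    print(render_table([summarise(SAMPLE_REPORT)]))
```

Hashes can be taken from the release announcements, so nothing needs to be uploaded: querying by SHA-256 only returns what VirusTotal already has for that exact file. The cross-check against `last_analysis_stats` is there because a partially returned or reshaped report would otherwise quietly produce a table with too few detections.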

Re: Report False-Positives To Anti-Virus Companies

Post by zandra_s » 16 Nov 2023, 09:20

Around two months ago, I started trying to report false positives. 11 vendors have flagged version 2.0.10.

After a while, these vendors have cleared the malicious flag:
- McAfee-GW-Edition
- Cynet
- SecureAge
- Bkav Pro
- Fortinet
- CrowdStrike Falcon

These vendors seemingly ignore the requests even after contacting them more than once.
- Antiy-AVL
- Rising
- SentinelOne (Static ML)
- Trapmine
- Webroot

I have started submitting reviews on Trustpilot and letting those companies know about it to see if they respond. See the post I have written here:
Reporting False-Positives Is Not Enough

If you can, please join me and let those AV vendors have a public record of ignoring issues like these.

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 25 Aug 2023, 13:03

ItisI wrote: ↑
06 Jul 2023, 02:58
Sort of success :/
SentinelOne already confirmed. I will keep you updated.

1. Antiy-AVL - Antiy Labs - AVL SDK
eMails don't exist anymore :D
Thanks for the update and submissions to the companies. Have made the correction on the first page.

Re: Report False-Positives To Anti-Virus Companies

Post by ItisI » 06 Jul 2023, 02:58

Sort of success :/
Sending the double-zipped, password-protected file worked. SentinelOne already confirmed. I will keep you updated.

1. Antiy-AVL - Antiy Labs - AVL SDK
eMails don't exist anymore :D
2. Bkav
3. SentinelOne (Static ML)
Reply
Thank you for your feedback.
Our DFI engine is one of many detection layers embedded on our agent, alongside with our state of the art behavioral analysis, reputation engines and sanity layer that ensures accuracy on our deployed agents.
We are constantly tuning our DFI for maximal coverage and minimum false positives. We expect to keep doing it over time as more files are seen in the wild.
We will review your input and make necessary actions as required, please make sure you have submitted the relevant information on the sample in question, and contact details - in case further clarifications are required.
There is no need to contact us for follow up - this report is being processed. We will only contact submitters in rare cases.
To read more about our full solution and see product demos, visit www.sentinelone.com.
Thank you,
SentinelOne Research Group

4. Trapmine

Re: Report False-Positives To Anti-Virus Companies

Post by ItisI » 06 Jul 2023, 02:41

:)
Possible progress in sight. Remembered an old trick:

1. Zipped the "AutoHotkey_2.0.3_setup.exe" (password protected)
2. Zipped the zipped file again (password protected)
3. Sent the doubly zipped ((password protected)) file to the vendor (password included) and gMail didn't shout at me.

Will now repeat the exercise with those vendors I can reach by email (and report back)

:D

PS Just found this warning in the sent email:

"Encrypted attachment warning – Be careful with this attachment. This message contains 1 encrypted attachment that can't be scanned for malicious content. Avoid downloading it unless you know the sender and are confident that this email is legitimate."

Well, we'll see ...

Re: Report False-Positives To Anti-Virus Companies

Post by ItisI » 05 Jul 2023, 04:51

This is a project and probably useless. All my emails are gmails - sending the files will never work.

I'll think about it a bit more, maybe I'll come up with something.

-----

What I would like to suggest in the meantime:

short article about the situation
referring to the existing article (viewtopic.php?f=17&t=62266), but without this long list. The article should be locked, so that new additions flow into the article only via the author (you?).

publishing the hashes directly with the download links

    ahkv99.exe
    ahkv99.exe.sha256
How to articles on checking hashes
Of course, not everybody is comfortable with checking hashes. Help them and provide the needed info.

A PGP signature would be nice!
If you can bring yourself to issue a PGP signature, you will need to include a "How To Verify a PGP Signature" article.

Since you yourself are the subject of false accusations, you need to help users to overcome any doubts they may have.

O well, just my 2 pence...

Re: Report False-Positives To Anti-Virus Companies

Post by gregster » 05 Jul 2023, 03:33

Well, VT has its own Contributors page, mentioned above in a quote. Cynet and Fortinet, e.g., are in it - haven't checked the others. Of course, there are only links to the homepages and you might have to locate the correct contact/support page or email address yourself.

Generally, I would rather focus on the big industry names and wouldn't care much about some dubious vendors I have never heard about. But then again, if gmail uses VT, what are we going to do? And after the next AHK update, you can perhaps start again with the whole ordeal. 🤷‍♂️ I am afraid, it could be a neverending story.

Re: Report False-Positives To Anti-Virus Companies

Post by ItisI » 05 Jul 2023, 03:15

virus - false positives - AHK
Reporting false detection to antivirus providers
Spent the last 90 minutes trying to contact the vendors on the VirusTotal page that reported malware and also found on your list (announcement). The results are discouraging as I achieved virtually nothing. So sorry, but at least I tried. Open to any suggestions...

==================================
Google refuses upload ("Blocked for security reasons"):
Contacting by email seems futile :/
==================================
Antiy-AVL - Antiy Labs - AVL SDK
Bkav
SentinelOne (Static ML)
Trapmine
==================================
Different reasons
==================================
Rising
"The connection to mailcenter.rising.com.cn is not secure"
Not going to use a "not-secure" connection.
----------------------------------
SecureAge
refuses upload/cannot connect
What do you say to that???
==================================
not on the list
==================================
Cynet
Fortinet
Gridinsoft
Trellix
Webroot

Re: Report False-Positives To Anti-Virus Companies

Post by gregster » 05 Jul 2023, 02:25

ItisI wrote:
I'm already on it.
Cool, thank you! :thumbup:
btw, it looks like the mentioned German AV vendor is no longer active. ;)

ItisI wrote:
Here's the first set-back: gMail won't let me upload the "infected" file...
Probably they are using VirusTotal :eh: - after all, both services are owned by Google. This shows the problems we are facing.
Doesn't the AV company have a website form which you could use instead?

Re: Report False-Positives To Anti-Virus Companies

Post by ItisI » 05 Jul 2023, 02:21

Here's the first set-back: gMail won't let me upload the "infected" file...

Re: Report False-Positives To Anti-Virus Companies

Post by ItisI » 05 Jul 2023, 02:11

I'm already on it. Working down the list, and if I detect a German company, I'll use my German as well. Will report back on the issue.

Re: Report False-Positives To Anti-Virus Companies

Post by gregster » 05 Jul 2023, 01:59

ItisI wrote: ↑
05 Jul 2023, 01:45
Let me see if I understand you correctly: I contact Virustotal, tell them neither Jotti nor my local antimalware program have found any issue, and would they please recheck? Or do I contact each and every viruschecker individually?
I doubt that Virustotal cares - they only report what they get. Generally, I would contact the individual companies. The first post of this topic can give you some hints and directions.

VT itself says this:
VirusTotal support (https://support.virustotal.com/hc/en-us/articles/115002121185-I-am-experiencing-a-false-positive-my-file-or-site-should-not-be-detected-) wrote:
VirusTotal is detecting a legitimate software I have developed, what can I do?
VirusTotal acts simply as an information aggregator, presenting antivirus results, file characterization tool outputs, URL scanning engine results, etc. VirusTotal is not responsible for false positives generated by any of the resources it uses, false positive issues should be addressed directly with the company or individual behind the product under consideration.

Please find the company on our contributors page and reach out to them.
and
VirusTotal support (same article) wrote:
VirusTotal simply aggregates the output of different antivirus vendors and URL scanners, it does not produce any verdicts of its own. As such, if you are experiencing a false positive issue, you should notify the problem to the company producing the erroneous detection, they are the only ones that can fix the issue. Please note that even if we were able to remove the flag, the users of such product would still be blocked from accessing your site.
(red text color added by myself)

If you are contacting some smaller companies, though, chances are that they will never respond.
From personal experience I can tell you that some AV companies are really bad. I once tried to report a false positive to a rather small German AV vendor which never responded to requests in English. That's why I used German, multiple times. Even then, I never got meaningful feedback. After all, those companies make money by "finding" threats, not by saying "oh sorry, we were wrong".

Re: Report False-Positives To Anti-Virus Companies

Post by ItisI » 05 Jul 2023, 01:45

gregster wrote:
That's the point. If it's a false positive, only the false-positive-issuing company can correct their assessment. If they never get asked, they might never check again. The point of reporting false-positives is to ask those companies to re-evaluate their results (and to correct them) - no one else can check their results, because they won't tell us their business secrets. Some of those companies will give you feedback about your request.
Let me see if I understand you correctly: I contact Virustotal, tell them neither Jotti nor my local antimalware program have found any issue, and would they please recheck? Or do I contact each and every viruschecker individually?
gregster wrote:
There are SHA256 hashes, for example you can look at our github release channel or the individual version announcements (which also contain hashes for the zip-versions): viewforum.php?f=24
Yes, there are. Checked my downloads - happy to report, they checked out!

Thanks for your time.

Re: Report False-Positives To Anti-Virus Companies

Post by gregster » 05 Jul 2023, 01:29

ItisI wrote: ↑
05 Jul 2023, 01:14
But I do not have the qualifications to determine if these are false positives. I can't report to anyone, "These are false positives". That can only be done by someone who has the expertise and has done the necessary testing and investigation.
That's the point. If it's a false positive, only the false-positive-issuing company can correct their assessment. If they never get asked, they might never check again (some bad ones might ignore you anyway). The point of reporting false-positives is to ask those companies to re-evaluate their results (and to correct them, if they were wrong) - no one else can check their (often purely "heuristic") results, because they won't tell us their business secrets. Some of those companies will give you feedback about your request... and even correct their initial results.
ItisI wrote:
I am a simple end user.
We are all volunteers here, members of the same community. Currently, except lexikos and a few minor contributors to the open source code (which you could inspect, if you like, or compile yourself), we are all just simple end users of AHK. If you want something done (like a smaller amount of false positives), why not contribute yourself by trying to improve the virustotal ratings?
ItisI wrote:
Why are there no pgp signatures for the software, so that we can at least be sure that we are getting what you are offering? Or "hashes" (md5, sh???).
There are SHA256 hashes, for example you can look at our github release channel or the individual version announcements (which also contain hashes for the zip-versions): viewforum.php?f=24
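Two posts in this thread touch on the same workflow: ItisI's suggestion of publishing `ahkv99.exe.sha256` next to `ahkv99.exe` with a how-to on checking hashes, and gregster's pointer to the SHA256 hashes in the GitHub releases and version announcements. The following is an added example of my own (not AutoHotkey project code) that implements both sides of that workflow: the publisher writes a sidecar file in the `sha256sum` "digest  filename" format, and the user verifies a download against it, including the tampered-download case. The file name `ahkv99.exe` is taken from ItisI's post; the file contents in the demo are constructed placeholders, not a real binary.

```python
"""Verify a downloaded release against a published .sha256 sidecar (added example).

Publisher side: write_sidecar() creates <file>.sha256 in sha256sum format.
User side:      verify() recomputes the digest and compares it with the sidecar.
The demo() run uses constructed file contents, not a real release binary.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One "<64 hex digits><whitespace>[*]<filename>" line per file, as produced by
# sha256sum; the optional '*' is sha256sum's binary-mode marker.
_LINE_RE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64})\s+\*?(?P<name>\S.*)$")


def sha256_of(path: Path) -> str:
    """Hash the file in 1 MiB chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sidecar(binary: Path) -> Path:
    """Publisher side: create <binary>.sha256 next to the binary."""
    sidecar = binary.with_name(binary.name + ".sha256")
    sidecar.write_text(f"{sha256_of(binary)}  {binary.name}\n", encoding="utf-8")
    return sidecar


def parse_sidecar(sidecar: Path) -> dict:
    """Return {filename: expected digest}; a sidecar may list several files."""
    expected = {}
    for line in sidecar.read_text(encoding="utf-8").splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest").lower()
    if not expected:
        raise ValueError(f"{sidecar.name}: no 'digest  filename' lines found")
    return expected


def verify(binary: Path, sidecar: Path) -> bool:
    """User side: True only if the sidecar names this file and the digest matches."""
    expected = parse_sidecar(sidecar).get(binary.name)
    if expected is None:
        return False  # the sidecar is for a different file name; do not guess
    # Constant-time comparison; for a hash check this is a habit, not a necessity.
    return hmac.compare_digest(expected, sha256_of(binary))


def demo() -> tuple:
    """Constructed end-to-end run: an intact download, then a modified one."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "ahkv99.exe"            # stand-in for a release binary
        exe.write_bytes(b"MZ" + b"\x00" * 64)   # constructed bytes, not a real PE
        sidecar = write_sidecar(exe)
        intact = verify(exe, sidecar)
        exe.write_bytes(b"MZ" + b"\x00" * 63 + b"\x01")  # simulate a tampered download
        tampered = verify(exe, sidecar)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same check by hand on Windows is `certutil -hashfile ahkv99.exe SHA256` or PowerShell's `Get-FileHash ahkv99.exe`, compared by eye against the hash in the release announcement. Note what a hash check does and does not establish: it proves the download is byte-for-byte what the publisher posted, which settles ItisI's "am I getting what you are offering?" question, but it says nothing about whether the AV flag on that file is a false positive; only the vendor can settle that. A hash fetched from the same page as the download also only catches corruption or a mirror swap, not a compromised publisher; that is the gap a PGP signature would close.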
