Reporting False-Positives Is Not Enough

[zandra_s]

I have been trying to help out with reporting false positives. However, after seeing that half of the companies either do not provide a clear way to report these issues or they do not respond at all.

VirusTotal and their contributing AV vendors simply do not care about small developers or open-source projects because ignoring issues is cheaper than resolving them since there is no harm to the VirusTotal and AV companies anyway.

While I understand their business perspective, I still believe that this behavior is deeply unethical. When a company has a public presence like this, they should provide an easy way to resolve false positive reports because these things can cause harm to small development teams and open-source projects, and this is unfair to them.

I suggest start thinking of ways to get the attention of VirusTotal and AV vendors.

One of the ideas I got was to write reviews on Trustpilot, so that they have more incentive to react to false positive report, since having a bad score on Trustpilot would do the exact thing what they do to different development projects and make their potential customers trust them less.

Note that I am not proposing to spam Trustpilot with 1-star reviews. I believe that the reviews should be fair and consider these factors (at least these are the ones that come to mind):
- Do they provide a way to report false positives.
- How hard it is to report false positives.
- How transparent their process is about the status of the report.
- How long does it take to resolve the issue.
- Is this documented somewhere clearly on their website.

What do you think?

[boiler]

I agree with your premise, and I would say that not only do they not care about reporting false positives because it does them no harm, they actually are incentivized to report “viruses” whether they exist or not so they can justify their existence by making it look like they are doing something for their customers. My approach has been to not bother reporting false positives but rather to inform users of the lazy approach these companies have towards newly released and relatively unknown software. The main reason it’s being reported is it’s not in their database, not because they (or anyone else) found something malicious in the code. I’m all for your attempt to damage the reputation of these companies since it is deserved.

My approach has been to not play into their game and report false positives with each new release of an app and just inform/educate the user base. I suppose this is a more public way of doing the same thing. I personally would rather not put the effort into fighting them and just ignore them, but I wish good luck to you and anyone who joins you.

[asheroto]

I have found that consistently following up with AV vendors will generally evoke a response from them. I had another software that kept showing up as false positives and I followed up with them once a week for two months. I then contacted VirusTotal and told them I think their company is out of business and VT may want to remove them. A day or two later the AV company replied.

[SOTE]

I think embarrassing and requesting non-responsive vendors to be removed from VirusTotal (https://www.virustotal.com/gui/contact-us), is probably one of the best directions to go. However, I strongly believe that the vendor should first be informed of the false positive situation. And if they fail to respond or act, after repeated contact, then bring the situation to VirusTotal. Removal of non-responsive vendors from VirusTotal is a benefit to the public.

[zandra_s]

I think that just reporting false positives and bringing issues up with VirusTotal is not enough. This happens silently and nobody is aware of the challenges a typical project might have dealing with false positives. If the process of reporting and resolving issues is hard and takes a long time, small projects get harmed because the the wrong information is published to everyone. Therefore, I propose doing the same. Go public and write a review with reasonable rating and feedback. If the process of dealing with false positives is horrible, they might get 1-2 stars, if the process is clear but it takes a long time, they might get 3 stars and so on.

This way would be fair and bad behaving companies would end up having a poor rating. This would at least give a bit more incentive to make improvements since the company reputation would suffer in the eyes of the public.