Report False-Positives To Anti-Virus Companies

SOTE
Posts: 741
Joined: 15 Jun 2015, 06:21

Report False-Positives To Anti-Virus Companies

23 Feb 2019, 05:47

This is an ongoing issue that more exotic or less mainstream scripting languages have to face, where they can be targeted by poor practices within Anti-Virus companies or where proper research isn't being done. This includes:

. Wholesale importing hash and database signatures from online sources, without doing proper analysis or verification
. Falsely identifying clean or non-dangerous files as malware to artificially boost Anti-Virus sales or give unsuspecting customers false confidence
. False identification does a disservice to the entire Anti-Virus industry, and can arguably be a form of fraud or a bad business practice
. False-positives decrease customer confidence in the quality of the product and validity of scan results

To combat this situation, here is a list of Anti-Virus online false-positive submission sites (and some e-mail addresses). Google's VirusTotal list uses these major players. The advantage is that if an .exe is falsely identified, we can rapidly submit to many major Anti-Virus companies to have it properly tested and cleared.

. Microsoft Online Submission for False-Positives: https://www.microsoft.com/en-us/wdsi/filesubmission
Note- Most people will need to select "Home customer" and then "Continue". Will give tracking of Microsoft's decision.

. Comodo Online Submission for False-Positives: https://www.comodo.com/home/internet-security/submit.php

. Avast Online Submission for False-Positives: https://www.avast.com/en-us/false-positive-file-form.php

. Avira Online Submission for False-Positives: https://analysis.avira.com/en/submit

. Bitdefender Online Submission for False-Positives: https://www.bitdefender.com/submit/

. AVG Online Submission for False-Positives: https://www.avg.com/en-us/false-positive-file-form

. Trend Micro Online Submission for False-Positives: https://www.trendmicro.com/en_ph/about/legal/detection-reevaluation.html

. Spybot Search & Destroy Online Submission for False-Positives: https://www.safer-networking.org/support/

. G DATA or G-Data Online Submission for False-Positives: https://su.gdatasoftware.com/us/sample-submission/

. VIPRE or ThreatTrack Online Submission for False-Positives: https://www.vipre.com/support/submit-false-positive/

. SecureAge APEX or SecureAPlus Online Submission for False-Positives: https://www.secureaplus.com/features/antivirus/report-false-positive/

. ClamAV and Immunet Online Submission for False-Positives: http://www.immunet.com/false_positive
Note- These products are tied to Cisco, so their impact should not be underestimated.

. Norton or Symantec or Blue Coat Online Submission: https://submit.symantec.com/false_positive/
Note- You must fill out their form, which has multiple questions before the submission step

. Aegislab Online Submission for False-Positives: https://aegislab.com/Support/
Note- Taiwan based company on Google's VirusTotal list, where you might have to add an exception (at least temporarily) for their SSL certificate

. K7 or K7AntiVirus Online Submission for False-Positives: https://support.k7computing.com/index.php?/ticket/submit-ticket
Note- Choose False Positive under "Category". And it's best to put "False Positive: file being detected by K7" for "Subject"

. eGambit Online Submission for False-Positives: https://tehtris.com/egambit_fp.php
Note- They may ask for more details or follow-up questions.

. Rising Anti-virus Online Submission for False-Positives: http://mailcenter.rising.com.cn/filecheck_en/
Note- Chinese company. English support limited.

. Qihoo or 360 Safeguard Online Submission for False-Positives: http://www.360totalsecurity.com/en/suspicion/false-positive/
Note- Chinese company; on VirusTotal. English support. Also known for controversies over certification and its detection engine.

. Sophos Online Submission: https://secure2.sophos.com/en-us/support/submit-a-sample.aspx
Note- With Sophos, you have to specifically clarify that you are reporting a false-positive.

"Why do you want to send this sample?" section.
This file, thefile.exe, has been falsely detected as malware by Sophos.  I want thefile.exe removed from your list.

. F-Secure Online Submission for False-Positives: https://www.f-secure.com/en/web/labs_global/submit-a-sample
Note- With F-Secure you also have to specifically clarify that you are reporting a false-positive.

"I want to give more details about this sample and to be notified of the analysis results" click check box
This file, thefile.exe, has been falsely detected as malware by F-Secure.  I want thefile.exe removed from your list.

. F-Prot or Cyren Online Submission for False-Positives: https://kb.cyren.com/av-support/?/Tickets/Submit/RenderForm/7
Note- With F-Prot or Cyren you also have to specifically clarify that you are reporting a false-positive.

"I think is falsely classified as malware" Misclassification Reason*
This file, thefile.exe, has been falsely detected as malware by F-Prot or Cyren.  I want thefile.exe removed from your list.

. Nano Online Submission: https://www.nanoav.pro/index.php?option=com_content&view=article&id=15&Itemid=83&lang=en
Note- Russian based company with English support. Need to specifically clarify that you are reporting a false-positive.

"False Detection under" Theme*

. Endgame Online Customer Support Form: https://www.endgame.com/company/customer-support
Note- Online customer support form with no attachment, have to send complaint first, then respond to email they send.

Select- "VirusTotal Feedback" for Type*

. Zoner AntiVirus Online Contact Form: http://www.zonerantivirus.com/kontaktni-formular-zakaznicke-podpory
Note- Czech based company with English support.
Online customer support form with no attachment, have to send complaint first, then respond to email they send.

. Kaspersky E-mail Submission for False-Positives: [email protected] and [email protected]
Note- Russian company. Responsiveness to reporting false positives a known issue. Probably best to e-mail both addresses. Suggested format to submit below:

To: [email protected]
cc: [email protected]
Subject: False Positive: file being detected by Kaspersky
Email body text:

Could you please check the attached file, as I think it is a false detection. Here are my product details:

    Product: 
    Engine: 
    Description of issue: This file has been falsely detected as malware

. Panda E-mail Submission for False-Positives: [email protected] and [email protected]
Note- Probably best to e-mail both addresses. Suggested format to submit below:

To: [email protected]
cc: [email protected]
Subject: False Positive: file being detected by Panda
Email body text:

Could you please check the attached file, as I think it is a false detection. Here are my product details:

    Product: 
    Engine: 
    Description of issue: This file has been falsely detected as malware

. Emsisoft or EMSI E-mail Submission for False-Positives: [email protected]
Note- Should be submitted in the below format

To: [email protected]
Subject: False Positive: file being detected by Emsisoft
Email body text:

Could you please check the attached file, as I think it is a false detection. Here are my product details:

    Product: 
    Engine: 
    Description of issue: This file has been falsely detected as malware

. ESET E-mail Submission for False-Positives: [email protected]
Note- Should be submitted in the below format

To: [email protected]
Subject: False Positive: file being detected by ESET
Email body text:

Could you please check the attached file, as I think it is a false detection. Here are my product details:

    Product: 
    Engine: 
    Description of issue: This file has been falsely detected as malware

. McAfee E-mail Submission for False-Positives: [email protected]
Note- Needs to be submitted in the below format.

To: [email protected]
Subject: FALSE: file being detected by McAfee.
Email body text:

Could you please check the attached file, as I think it is a false detection. Here are my product details:

    Product: McAfee Security Center 16.0 (Example- put in correct info)
    Engine: 3181.0 (Example- put in correct info)
    Description of issue: This file has been detected as malware

. ADMINUSLabs E-mail Submission for False-Positives: [email protected]
Note- If you have complaints or comments, can use https://www.adminuslabs.net/Contact.html
E-mail with attachment should be submitted in the below format

To: [email protected]
Subject: False Positive: file being detected by ADMINUSLabs
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Acronis scanner E-mail Submission for False-Positives: [email protected]
E-mail with attachment should be submitted in the below format

To: [email protected]
Subject: False Positive: file being detected by Acronis scanner
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Palo Alto or LightCyber E-mail Submission for False-Positives: [email protected]
Note- LightCyber is a malware detection engine used by Palo Alto. This company is a VirusTotal contributor
E-mail with attachment should be submitted in the below format

To: [email protected]
Subject: False Positive: file being detected by Palo Alto product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Ikarus E-mail Submission for False-Positives: [email protected]
E-mail with attachment should be submitted in the below format

To: [email protected]
Subject: False Positive: file being detected by Ikarus product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Vba32 or VirusBlokAda E-mail Submission for False-Positives: [email protected]
E-mail with attachment should be submitted in the below format

To: [email protected]
Subject: False Positive: file being detected by VirusBlokAda product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Trapmine E-mail Submission for False-Positives: [email protected] and [email protected]
E-mail with attachment should be submitted in the below format

To: [email protected]
cc: [email protected]
Subject: False Positive: file being detected by a Trapmine product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. StopBadware Request A Review: https://www.stopbadware.org/clearinghouse/search
Note- This organization is related to Google, VirusTotal, and Mozilla's Firefox. Their opinions or decisions can have a major impact.

. Check Point or Zone Alarm Online trouble ticket or chat: https://www.checkpoint.com/support-services/contact-support/
Note- This is a problematic system, where people are forced to sign-up, then you have to open a ticket or do a chat.
Otherwise, you can call them by phone, but obviously you won't be able to send attachments that way.

. Malwarebytes Online Forum Review: https://forums.malwarebytes.com/forum/122-false-positives/
Note- This is a problematic system, where people are forced to sign-up, before making a report about their product. However, their product is famous.
Last edited by SOTE on 19 Sep 2019, 16:35, edited 13 times in total.
SOTE

Re: Report False-Positives To Anti-Virus Companies

24 Feb 2019, 10:12

That list is old and not updated (not since 2016), so various links on it don't work. It's arguably better for the community to have an updated list. The old list doesn't quite match the major players that Google uses on VirusTotal and who are the top Anti-Virus companies now, so they can be missing some (likely newer companies, newer international companies, or those that became more popular recently) that would be used.

Where possible, I also try to make online submission the priority, to help speed up the multiple submit process.
guest3456
Posts: 2556
Joined: 09 Oct 2013, 10:31

Re: Report False-Positives To Anti-Virus Companies

24 Feb 2019, 14:27

SOTE wrote:
24 Feb 2019, 10:12
That list is old and not updated (not since 2016), so various links on it don't work.

what links don't work? yes it says 2016 but i've been using that list for years any time my exe gets flagged by virustotal, and the links have always worked. i'm sure it's been updated since 2016 and they just didn't update the date.

SOTE
Posts: 741
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

24 Feb 2019, 14:52

guest3456 wrote:
24 Feb 2019, 14:27
SOTE wrote:
24 Feb 2019, 10:12
That list is old and not updated (not since 2016), so various links on it don't work.
what links don't work? yes it says 2016 but i've been using that list for years any time my exe gets flagged by virustotal, and the links have always worked. i'm sure it's been updated since 2016 and they just didn't update the date.

I'm not quite understanding your purpose. I hope it's not simply to promote that website. I responded to you accurately, and the list here, is for the benefit of the AHK community. Why you are trying to battle for or push for an outdated list from another website is perplexing.

1) That old list contains incorrect links, versus the list that I posted has updated links, e-mails, and information.

If you review all the links, then that will become very clear. Not to mention the web page makes it clear that it's old.

Last updated by site.editor on 15. September 2016 - 05:50

Recent Changelog:

11/22/2014-Added XVirus to the list

11/24/2014-Removed online submission link for submitting false positives to Digital Defender as it was no longer working

11/30/2015-Added English submission links for Qihoo

2) The list I gave has some different Anti-Virus vendors on it and more strongly aligns to key players from Google's VirusTotal website.

Google and VirusTotal have a massive influence on public perception, arguably much more than an old article buried on somebody else's website. If they were updating it and it didn't have a lot of old or broken links, then I would have no problem recommending it and would not have created a new one. However, many can understand that the AHK community should have its own list, tailored to its situation.

3) A list here (for the AHK community) can keep track of the top Anti-Virus vendors (which changes), and any specific ones that need special attention.
guest3456

Re: Report False-Positives To Anti-Virus Companies

24 Feb 2019, 18:57

lol. i simply posted a link that has worked for me that has way more vendors than you listed. and no links have ever failed. i asked you to post an example link that doesn't work, and you ignore it. i know for a fact that it's been updated more recently than it says, because i see new vendors on there that i haven't seen before.

i'm trying to help you. but feel free to waste your time maintaining your own list then. seems like that's what you want to do.

SOTE
Posts: 741
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

24 Feb 2019, 21:22

what links don't work? yes it says 2016 but i've been using that list for years any time my exe gets flagged by virustotal, and the links have always worked.

and no links have ever failed...

The statements about the links are obviously false or gravely mistaken. I have easily proven them to be, with a short list below. I could have gone on and on with broken or incorrect links from the other website, but I'm not going to waste more time than necessary with obviously incorrect or mistaken statements. Why you have come to this post to do that is perplexing and a disservice to the AHK community. You say that you are trying to be helpful, but such actions are not. I hope you are just misguided and don't realize how mistaken that you are on this particular issue. You are a long time member, so hopefully you will look at this differently at some point or allow others to view an updated list.

1) The following links are broken!

F-secure - they give the wrong false-positive submission link

Avast - their false-positive submission link is broken

ClamAV - their false-positive link goes nowhere

Immunet - their false-positive submission link is wrong

Aegislab - they don't have the correct false-positive submission link

K7 - does not have their false-positive submission link

Sophos - they do not give the correct false-positive submission link

I could go on and on, but it's very obvious what's going on...

2) Why purposely ignore the update times on the web page?

Why would anybody update a list, yet not take the 3 seconds to update the Recent Changelog.

3) The list here reflects key players on Google and VirusTotal, and focuses on false-positives, while the other old list does not.

There are some different vendors between the lists, and they have a bunch not used by VirusTotal. Thus their list (for now and because it's not updated) is not as relevant for helping the AHK community combat false-positives. We should not want people submitting to vendors that will not help stop the false-positive problem, not help how VirusTotal scores them, won't change the public perception about their software, have little influence on the market, or is a vendor with a low number of users.
nnnik
Posts: 4244
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: Report False-Positives To Anti-Virus Companies

25 Feb 2019, 07:20

Why would anybody update a list, yet not take the 3 seconds to update the Recent Changelog.

I do that.
Recommends AHK Studio
tank
Posts: 2748
Joined: 28 Sep 2013, 22:15
Facebook: charlie.simmons.7334
Google: ttnnkkrr
GitHub: ttnnkkrr
Location: Irving TX
Contact:

Re: Report False-Positives To Anti-Virus Companies

25 Feb 2019, 09:33

Thank you SOTE and guest3456. both sources could provide valuable information, but i agree a verified maintained list on our boards is extremely valuable. I hope you both can come together in this effort instead of trying to "win"
We are troubled on every side‚ yet not distressed; we are perplexed‚
but not in despair; Persecuted‚ but not forsaken; cast down‚ but not destroyed;
https://www.facebook.com/ahkscript.org
If you have forum suggestions please submit a pull request
Thanks Tank :thumbup:
Tigerlily
Posts: 283
Joined: 04 Oct 2018, 22:31

Re: Report False-Positives To Anti-Virus Companies

26 Feb 2019, 04:50

Thank you all for posting this valuable resource, thank you all for donating your time for good causes - this is a big issue, especially for businesses and end users of AutoHotkey-made software/applications. It provides a misleading barrier regarding the adoption of AutoHotkey in various important settings. I have already submitted once to MSDN, but haven't run into an issue at my place of work since then - unfortunately, with new creations being made and implemented, I know that this will continue to be an issue that hurts this spectacular scripting language. I agree with SOTE that a massive effort from the community to de-stigmatize AutoHotkey executables by sending a multitude of false-positive alerts to the AV companies that are disservicing and misrepresenting AutoHotkey is a good idea.

AutoHotkey being automatically flagged as malware could also be stopped by "de-bunking" the notion that AHK exe's are inherently malicious. Building trust and reputation via the AV companies and Google makes sense from this perspective, because by building trust at the corporate level is important, but also, from another viewpoint: "safe" PR around AutoHotkey must also find its way around the net and into Google's eyes for them to start saying "Hey, this site, the community, and the language is reputable, important, and not a risk to those searching for content around the web." Those who have content out there on AutoHotkey, like websites that receive traffic, should consider creating content with this in mind. I believe it's an important part of this annoying puzzle. I hope to publish some content re: this when I have the capacity.

I will go ahead and send in some safe AHK.exe's I have written into all these verified AV companies to help catalyze this process. It may take me some time to get around to all of them, but I'll make some time for it.
-TL
SOTE

Re: Report False-Positives To Anti-Virus Companies

26 Feb 2019, 05:15

Thanks tank and Tigerlily.

And tank, I agree. The "win" should be for the AHK community. I hope guest3456 and I can find common ground and things to agree on.

nnnik, LOL! I understand being in a hurry, but a few extra seconds though...
gwarble
Posts: 376
Joined: 30 Sep 2013, 15:01

Re: Report False-Positives To Anti-Virus Companies

12 Mar 2019, 08:25

Thanks for making this list, by far the most feedback I get from users is about false positives, which have only gotten more preventative over the last few years. I will be referring them to this list.

Has anyone determined if signing the executable has an impact on the false positives generated? I usually get between 2 and 8 false positives on VirusTotal with compiled scripts depending on the ahk version and/or what the script actually does, and would be interested to see if a code signing certificate would help these prevent any/all false positives.
EitherMouse - Multiple mice, individual settings . . . . www.EitherMouse.com . . . . forum . . . .
tank

Re: Report False-Positives To Anti-Virus Companies

12 Mar 2019, 09:35

gwarble wrote:
12 Mar 2019, 08:25
code signing certificate

The entire perhaps only purpose of code signing is to ensure you are receiving unmodified code from the release. Virus companies care about known patterns in the code not certificates
gwarble

Re: Report False-Positives To Anti-Virus Companies

12 Mar 2019, 11:52

Are you sure?

Because antivirus company's main goal is to make money not find known patterns, so they would have an incentive to not flag legitimate software and drive away customers.

This is only speculation, but i hope to some day test it specifically.
SOTE

Re: Report False-Positives To Anti-Virus Companies

12 Mar 2019, 15:49

gwarble wrote:
12 Mar 2019, 11:52
Are you sure?

Because antivirus company's main goal is to make money not find known patterns, so they would have an incentive to not flag legitimate software and drive away customers.

This is only speculation, but i hope to some day test it specifically.

My understanding of it, is that a code signing certificate and digital certificate helps with the UAC, not necessarily whether or not an Anti-Virus company will flag it as malware. Without it, the UAC will give the unknown publisher alert, but the Anti-Virus software is not directly tied to UAC alerts.

Since the user has to manually decide if they will proceed with the installation, after the UAC alert, then it's arguably on them. This trust from the user, also has other factors involved. For instance the reputation or trust in the website they are downloading it from or if the company/author of the software is known, not just if the software has a certificate.

Though if your executable has no product name nor file description, it's more likely to be flagged as malware. The UAC alert is not based on what you put for product name and description, but rather if you have a certificate, so these are not related.

Various websites that specialize in software can have their own testing programs, such as Softpedia. They can review and certify that your software is safe. It's not clear to what extent this has pull among the top Anti-Virus vendors, and avoids the software being flagged as malware in the future, but it's likely the website distributing your software will inform you of any problems at the time of their certifying process. But the flip side of this for a software developer is getting bad or lower than expected reviews/ratings from users (or even sly competitors) on that website, to include staff of the website reviewing the software, or their software being lumped in with their competitors versus being displayed solely on your own website without any competition or comparison.
tank

Re: Report False-Positives To Anti-Virus Companies

13 Mar 2019, 10:43

Just filed a report with Norton over one of our versions
tank

Re: Report False-Positives To Anti-Virus Companies

14 Mar 2019, 07:06

SOTE

Re: Report False-Positives To Anti-Virus Companies

14 Mar 2019, 08:25

tank wrote:
14 Mar 2019, 07:06
Now here is a win after I disputed
http://safeweb.norton.com/report/show?url=autohotkey.com

Great! Amazing that it took them so long for them to do the right thing.
tank

Re: Report False-Positives To Anti-Virus Companies

14 Mar 2019, 08:26

well actually i been fighting google. Norton only required one explanation and dispute
Sam_
Posts: 106
Joined: 20 Mar 2014, 20:24

Re: Report False-Positives To Anti-Virus Companies

26 Mar 2019, 16:01

More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.
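
A pre-release check for the situation Sam_ describes, as an added example that is not code from this thread or from the AutoHotkey project: it reads a PE file's section table and reports MPRESS section names and compressed-looking section data. The function names and the 7.0 bits/byte entropy threshold are assumptions, and the sample images are constructed in the script.

```python
import math
import struct
import sys
from collections import Counter

PACKER_SECTIONS = {".MPRESS1", ".MPRESS2"}  # section names MPRESS writes
ENTROPY_LIMIT = 7.0  # assumed threshold (bits/byte) for "looks compressed"


def entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    total = len(blob)
    if total == 0:
        return 0.0
    return sum(n / total * math.log2(total / n) for n in Counter(blob).values())


def pe_sections(data: bytes):
    """Yield (name, raw_bytes) for every section listed in a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    for i in range(count):
        name, _vsize, _rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               data[raw_ptr:raw_ptr + raw_size])


def packing_report(data: bytes) -> dict:
    """Report packer section names and high-entropy sections in a PE image."""
    try:
        rows = [(name, round(entropy(raw), 2)) for name, raw in pe_sections(data)]
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    named = [n for n, _ in rows if n in PACKER_SECTIONS]
    dense = [n for n, e in rows if e > ENTROPY_LIMIT]
    return {"sections": rows, "mpress_sections": named,
            "high_entropy": dense, "looks_packed": bool(named or dense)}


def build_sample_pe(sections) -> bytes:
    """Constructed input: a minimal PE made only of headers and section data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    first_raw = 0x40 + 4 + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000,
                             len(raw), first_raw + len(body), 0, 0, 0, 0, 0)
        body += raw
    return dos + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # check a real compiled script
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:                                      # constructed demo image
        image = build_sample_pe([(".MPRESS1", bytes(range(256)) * 16),
                                 (".MPRESS2", b"\0" * 512)])
    for key, value in packing_report(image).items():
        print(f"{key}: {value}")
```

Run it with the path of a compiled script as the only argument; with no argument it reports on the constructed sample.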
