Report False-Positives To Anti-Virus Companies

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Report False-Positives To Anti-Virus Companies

23 Feb 2019, 05:47

This is an ongoing issue that more exotic or less mainstream scripting languages have to face, where they can be targeted by poor practices within Anti-Virus companies or where proper research isn't being done. This includes:

. Wholesale importing hash and database signatures from online sources, without doing proper analysis or verification
. Falsely identifying clean or non-dangerous files as malware to artificially boost Anti-Virus sales or give unsuspecting customers false confidence
. False identification does a disservice to the entire Anti-Virus industry, and can arguably be a form of fraud or a bad business practice
. False-positives decrease customer confidence in the quality of the product and validity of scan results

To combat this situation, here is a list of Anti-Virus online false-positive submission sites (and some e-mail addresses). Google's VirusTotal list uses these major players. The advantage is that if an .exe is falsely identified, we can rapidly submit to many major Anti-Virus companies to have it properly tested and cleared.

. Microsoft Online Submission for False-Positives: https://www.microsoft.com/en-us/wdsi/filesubmission
Note- Most people will need to select "Home customer" and then "Continue". Will give tracking of Microsoft's decision.

. McAfee Online Submission for False-Positives: https://www.mcafee.com/enterprise/en-us/threat-center/detection-dispute-form.html?region=us
Note- Can also send disputed/false-positive files to their e-mail address: virus_research[at]avertlabs.com and virus_research_gateway[at]avertlabs.com

. Comodo Online Submission for False-Positives: https://www.comodo.com/home/internet-security/submit.php

. Avast Online Submission for False-Positives: https://www.avast.com/en-us/false-positive-file-form.php

. Avira Online Submission for False-Positives: https://analysis.avira.com/en/submit

. Bitdefender Online Submission for False-Positives: https://www.bitdefender.com/submit/

. AVG Online Submission for False-Positives: https://www.avg.com/en-us/false-positive-file-form

. Trend Micro Online Submission for False-Positives: https://www.trendmicro.com/en_ph/about/legal/detection-reevaluation.html

. Spybot Search & Destroy Online Submission for False-Positives: https://www.safer-networking.org/support/

. G DATA or G-Data Online Submission for False-Positives: https://su.gdatasoftware.com/us/sample-submission/

. VIPRE or ThreatTrack Online Submission for False-Positives: https://www.vipre.com/support/submit-false-positive/

. SecureAge APEX or SecureAPlus Online Submission for False-Positives: https://www.secureaplus.com/features/antivirus/report-false-positive/

. ClamAV and Immunet Online Submission for False-Positives: http://www.immunet.com/false_positive
Note- These products are tied to Cisco, so their impact should not be underestimated.

. Norton or Symantec or Blue Coat Online Submission: https://symsubmit.symantec.com
Note 1- You must choose the option of Incorrectly Detected by Symantec at the top
Note 2- You must fill out their form, which has multiple questions before the submission step

. Aegislab Online Submission for False-Positives: https://aegislab.com/Support/
Note- Taiwan based company on Google's VirusTotal list, where you might have to add an exception (at least temporarily) for their SSL certificate

. K7 or K7AntiVirus Online Submission for False-Positives: https://support.k7computing.com/index.php?/ticket/submit-ticket
Note- Choose False Positive under "Category". And it's best to put "False Positive: file being detected by K7" for "Subject"

. eGambit Online Submission for False-Positives: https://tehtris.com/egambit_fp.php
Note- They may ask for more details or follow-up questions.

. Rising Anti-virus Online Submission for False-Positives: http://mailcenter.rising.com.cn/filecheck_en/
Note- Chinese company. English support limited.

. Qihoo or 360 Safeguard Online Submission for False-Positives: http://www.360totalsecurity.com/en/suspicion/false-positive/
Note- Chinese company; on VirusTotal. English support. Also known for controversies over certification and its detection engine.

. VirusTotal Online contact form. https://www.virustotal.com/gui/contact-us
Note- Can send feedback/complaints about ratings, companies, and false-positives. Select the correct subject.

My site/file has been improperly flagged as harmful (false positive)

. Sophos Online Submission: https://secure2.sophos.com/en-us/support/submit-a-sample.aspx
Note- With Sophos, you have to specifically clarify that you are reporting a false-positive.

"Why do you want to send this sample?" section.
This file, thefile.exe, has been falsely detected as malware by Sophos.  I want thefile.exe removed from your list.

. F-Secure Online Submission for False-Positives link 1: https://www.f-secure.com/en/web/labs_global/submit-a-sample
Note- With F-Secure you also have to specifically clarify that you are reporting a false-positive.

"I want to give more details about this sample and to be notified of the analysis results" click check box
This file, thefile.exe, has been falsely detected as malware by F-Secure.  I want thefile.exe removed from your list.

. F-Secure Online Submission for False-Positives link 2: https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample
Note- With F-Secure you also have to specifically clarify that you are reporting a false-positive.

"I want to give more details about this sample and to be notified of the analysis results" click check box
This file, thefile.exe, has been falsely detected as malware by F-Secure.  I want thefile.exe removed from your list.

. F-Prot or Cyren Online Submission for False-Positives: https://kb.cyren.com/av-support/?/Tickets/Submit/RenderForm/7
Note- With F-Prot or Cyren you also have to specifically clarify that you are reporting a false-positive.

"I think is falsely classified as malware" Misclassification Reason*
This file, thefile.exe, has been falsely detected as malware by F-Prot or Cyren.  I want thefile.exe removed from your list.

. Nano Online Submission: https://www.nanoav.pro/index.php?option=com_content&view=article&id=15&Itemid=83&lang=en
Note- Russian based company with English support. Need to specifically clarify that you are reporting a false-positive.

"False Detection under" Theme*

. Endgame Online Customer Support Form: https://www.endgame.com/company/customer-support
Note- Online customer support form with no attachment, have to send complaint first, then respond to email they send.

Select- "VirusTotal Feedback" for Type*

. Zillya Online Submission for False-Positives: http://zillya.org/en/support.html
Note- Ukrainian company that provides English support. Need to specifically clarify that you are reporting a false-positive

I'm reporting about a false-positive.

. Zoner AntiVirus Online Contact Form: http://www.zonerantivirus.com/kontaktni-formular-zakaznicke-podpory
Note- Czech based company with English support.
Online customer support form with no attachment, have to send complaint first, then respond to email they send.

I'm reporting about a false-positive.

. Max Secure Online Customer Support Form: https://www.maxsecureantivirus.com/submit_aFalse_Positive.htm
Note 1- Online customer support form with no attachment, have to send complaint first, then respond to email they send.
Note 2- On the online form, you can send them a download link of where the files you want them to see are located.
You must specifically state in the message that you are reporting a false-positive.

I'm reporting about a false-positive.

. Quttera Online Submission for False-Positives: https://helpdesk.quttera.com/open.php
Note 1- Can also send false-positive files to their e-mail address: support[at]quttera.com
Note 2- No attachment, will open a ticket first. Send complaint first, then respond to email they send.
You must choose the correct Help Topic for reporting a false-positive.

Report A Problem/Report A False-Positive

. CLEAN MX Online Customer Support Form: http://www.clean-mx.de/?7_kontakt.php
Note- Appears to be German company. English support questionable. Odd player that Google somehow lists on VirusTotal. Online customer support form in German only, with no attachment, have to send complaint first, then respond to email they send. You may need to send 2 complaints, one in English, the other in German (using Google Translate) to get a response. You must specifically state in the message that you are reporting a false-positive.

I'm reporting about a false-positive.

. Kaspersky E-mail Submission for False-Positives: info[at]kaspersky.com and newvirus[at]kaspersky.com
Note- Russian company. Responsiveness to reporting false positives a known issue. Probably best to e-mail both addresses. Suggested format to submit below:

To: info[at]kaspersky.com
cc: newvirus[at]kaspersky.com
Subject: False Positive: file being detected by Kaspersky
Email body text:

Could you please check the attached file, as I think it is a false detection. Here are my product details:

    Product: 
    Engine: 
    Description of issue: This file has been falsely detected as malware

. Panda E-mail Submission for False-Positives: support[at]pandasecurity.com and falsepositives[at]pandasecurity.com
Note- Probably best to e-mail both addresses. Suggested format to submit below:

To: support[at]pandasecurity.com
cc: falsepositives[at]pandasecurity.com
Subject: False Positive: file being detected by Panda
Email body text:

Could you please check the attached file, as I think it is a false detection. Here are my product details:

    Product: 
    Engine: 
    Description of issue: This file has been falsely detected as malware

. Emsisoft or EMSI E-mail Submission for False-Positives: fp[at]emsisoft.com
Note- Should be submitted in the below format

To: fp[at]emsisoft.com
Subject: False Positive: file being detected by Emsisoft
Email body text:

Could you please check the attached file, as I think it is a false detection. Here are my product details:

    Product: 
    Engine: 
    Description of issue: This file has been falsely detected as malware

. ESET E-mail Submission for False-Positives: samples[at]eset.com
Note- Should be submitted in the below format

To: samples[at]eset.com
Subject: False Positive: file being detected by ESET
Email body text:

Could you please check the attached file, as I think it is a false detection. Here are my product details:

    Product: 
    Engine: 
    Description of issue: This file has been falsely detected as malware

. McAfee E-mail Submission for False-Positives: virus_research[at]avertlabs.com and virus_research_gateway[at]avertlabs.com
Note- Needs to be submitted in the below format.

To: virus_research[at]avertlabs.com
cc: virus_research_gateway[at]avertlabs.com
Subject: FALSE: file being detected by McAfee.
Email body text:

Could you please check the attached file, as I think it is a false-positive detection. Here are my product details:

    Product: McAfee Security Center 16.0 (Example- put in correct info)
    Engine: 3181.0 (Example- put in correct info)
    Description of issue: This file has been detected as malware

. McAfee has an additional E-mail submission for developers to be included in their test rig for False-Positives: datasubmission[at]mcafee.com

To: datasubmission[at]mcafee.com
Subject: Files for false positive testing by McAfee
Email body text:

I'm a developer that wishes to include my files in your False Positive Test Rig.  Can you please give me additional instructions and a link for uploading.

. Quttera E-mail Submission for False-Positives: support[at]quttera.com
Note- You can also send comments or open a help ticket at https://helpdesk.quttera.com/open.php

To: support[at]quttera.com
Subject: False Positive: file being detected by Quttera
Email body text:

Could you please check the attached file, as I think it is a false-positive detection. 

    Description of issue: This file has been falsely detected as malware

. ADMINUSLabs E-mail Submission for False-Positives: falsepositive[at]adminuslabs.net
Note- If you have complaints or comments, can use https://www.adminuslabs.net/Contact.html
E-mail with attachment should be submitted in the below format

To: falsepositive[at]adminuslabs.net
Subject: False Positive: file being detected by ADMINUSLabs
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Acronis scanner E-mail Submission for False-Positives: virustotal-falsepositive[at]acronis.com
E-mail with attachment should be submitted in the below format

To: virustotal-falsepositive[at]acronis.com
Subject: False Positive: file being detected by Acronis scanner
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Palo Alto or LightCyber E-mail Submission for False-Positives: lightcyber-support[at]paloaltonetworks.com
Note- LightCyber is a malware detection engine used by Palo Alto. This company is a VirusTotal contributor
E-mail with attachment should be submitted in the below format

To: lightcyber-support[at]paloaltonetworks.com
Subject: False Positive: file being detected by Palo Alto product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Ikarus E-mail Submission for False-Positives: support[at]ikarus.at
E-mail with attachment should be submitted in the below format

To: support[at]ikarus.at
Subject: False Positive: file being detected by Ikarus product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Vba32 or VirusBlokAda E-mail Submission for False-Positives: support-en[at]anti-virus.by
E-mail with attachment should be submitted in the below format

To: support-en[at]anti-virus.by
Subject: False Positive: file being detected by VirusBlokAda product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Trapmine E-mail Submission for False-Positives: support[at]trapmine.com and info[at]trapmine.com
E-mail with attachment should be submitted in the below format

To: support[at]trapmine.com
cc: info[at]trapmine.com
Subject: False Positive: file being detected by a Trapmine product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. SentinelOne (Static ML) E-mail Submission for False-Positives: report[at]sentinelone.com and support[at]sentinelone.com
E-mail with attachment should be submitted in the below format

To: report[at]sentinelone.com
cc: support[at]sentinelone.com
Subject: False Positive: file being detected by the SentinelOne product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Bkav E-mail Submission for False-Positives: bkav[at]bkav.com.vn and DuAn[at]bkav.com
Note- Vietnamese company, but does provide some English service and support.
E-mail with attachment should be submitted in the below format

To: bkav[at]bkav.com.vn
cc: DuAn[at]bkav.com
Subject: False Positive: file being detected by a Bkav product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Jiangmin E-mail Submission for False-Positives: support[at]jiangmin.com and whitelist[at]jiangmin.com
Note- Chinese company. You might also want to send a 2nd Google Translate version of the e-mail in Chinese.
E-mail with attachment should be submitted in the below format

To: support[at]jiangmin.com
cc: whitelist[at]jiangmin.com
Subject: False Positive: file being detected by a Jiangmin product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Antiy-AVL, Antiy Labs, or AVL SDK E-mail Submission for False-Positives: support[at]antiy.cn
Note- Chinese company. Appears to provide English support.
E-mail with attachment should be submitted in the below format

To: support[at]antiy.cn
Subject: False Positive: file being detected by an Antiy product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. CrowdStrike or CrowdStrike Falcon E-mail Submission for False-Positives: VTscanner[at]crowdstrike.com and support[at]crowdstrike.com
E-mail with attachment should be submitted in the below format

To: VTscanner[at]crowdstrike.com
cc: support[at]crowdstrike.com
Subject: False Positive: file being detected by a CrowdStrike product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. FireEye or FireEye Mandiant E-mail Submission for False-Positives: investigations[at]mandiant.com and support[at]mandiant.com
E-mail with attachment should be submitted in the below format

To: investigations[at]mandiant.com
cc: support[at]mandiant.com
Subject: False Positive: file being detected by a FireEye product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. Yomi Hunter or Yoroi E-mail Submission for False-Positives: info[at]yoroi.company
Note- Appears to be Italian company using Japanese names
E-mail with attachment should be submitted in the below format

To: info[at]yoroi.company
Subject: False Positive: file being detected by a Yoroi product
Email body text:

Could you please check the attached file, as I think it is a false detection. 

    Description of issue: This file has been falsely detected as malware

. StopBadware Request A Review: https://www.stopbadware.org/clearinghouse/search
Note- This organization is related to Google, VirusTotal, and Mozilla's Firefox. Their opinions or decisions can have a major impact.

. Check Point or Zone Alarm Online trouble ticket or chat: https://www.checkpoint.com/support-services/contact-support/
Note- This is a problematic system, where people are forced to sign-up, then you have to open a ticket or do a chat.
Otherwise, you can call them by phone, but obviously you won't be able to send attachments that way.

. Malwarebytes Online Forum Review: https://forums.malwarebytes.com/forum/122-false-positives/
Note- This is a problematic system, where people are forced to sign-up, before making a report about their product. However, their product is famous.
Last edited by SOTE on 25 Aug 2023, 13:01, edited 51 times in total.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

24 Feb 2019, 10:12

That list is old and not updated (not since 2016), so various links on it don't work. It's arguably better for the community to have an updated list. The old list doesn't quite match the major players that Google uses on VirusTotal and who are the top Anti-Virus companies now, so they can be missing some (likely newer companies, newer international companies, or those that became more popular recently) that would be used.

Where possible, I also try to make online submission the priority, to help speed up the multiple submit process.
guest3456
Posts: 3453
Joined: 09 Oct 2013, 10:31

Re: Report False-Positives To Anti-Virus Companies

24 Feb 2019, 14:27

SOTE wrote:
24 Feb 2019, 10:12
That list is old and not updated (not since 2016), so various links on it don't work.
what links don't work? yes it says 2016 but i've been using that list for years any time my exe gets flagged by virustotal, and the links have always worked. i'm sure it's been updated since 2016 and they just didn't update the date.

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

24 Feb 2019, 14:52

guest3456 wrote:
24 Feb 2019, 14:27
SOTE wrote:
24 Feb 2019, 10:12
That list is old and not updated (not since 2016), so various links on it don't work.
what links don't work? yes it says 2016 but i've been using that list for years any time my exe gets flagged by virustotal, and the links have always worked. i'm sure it's been updated since 2016 and they just didn't update the date.
I'm not quite understanding your purpose. I hope it's not simply to promote that website. I responded to you accurately, and the list here is for the benefit of the AHK community. Why you are trying to battle for or push for an outdated list from another website is perplexing.

1) That old list contains incorrect links, versus the list that I posted has updated links, e-mails, and information.

If you review all the links, then that will become very clear. Not to mention the web page makes it clear that it's old.
Last updated by site.editor on 15. September 2016 - 05:50

Recent Changelog:

11/22/2014-Added XVirus to the list

11/24/2014-Removed online submission link for submitting false positives to Digital Defender as it was no longer working

11/30/2015-Added English submission links for Qihoo

2) The list I gave has some different Anti-Virus vendors on it and more strongly aligns to key players from Google's VirusTotal website.

Google and VirusTotal have a massive influence on public perception, arguably much more than an old article buried on somebody else's website. If they were updating it and it didn't have a lot of old or broken links, then I would have no problem recommending it and would not have created a new one. However, many can understand that the AHK community should have its own list, tailored to its situation.

3) A list here (for the AHK community) can keep track of the top Anti-Virus vendors (which changes), and any specific ones that need special attention.
guest3456
Posts: 3453
Joined: 09 Oct 2013, 10:31

Re: Report False-Positives To Anti-Virus Companies

24 Feb 2019, 18:57

lol. i simply posted a link that has worked for me that has way more vendors than you listed. and no links have ever failed. i asked you to post an example link that doesn't work, and you ignore it. i know for a fact that it's been updated more recently than it says, because i see new vendors on there that i haven't seen before.

i'm trying to help you. but feel free to waste your time maintaining your own list then. seems like that's what you want to do.

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

24 Feb 2019, 21:22

what links don't work? yes it says 2016 but i've been using that list for years any time my exe gets flagged by virustotal, and the links have always worked.

and no links have ever failed...
The statements about the links are obviously false or gravely mistaken. I have easily proven them to be, with a short list below. I could have gone on and on with broken or incorrect links from the other website, but I'm not going to waste more time than necessary with obviously incorrect or mistaken statements. Why you have come to this post to do that is perplexing and a disservice to the AHK community. You say that you are trying to be helpful, but such actions are not. I hope you are just misguided and don't realize how mistaken that you are on this particular issue. You are a long time member, so hopefully you will look at this differently at some point or allow others to view an updated list.

1) The following links are broken!

F-secure - they give the wrong false-positive submission link

Avast - their false-positive submission link is broken

ClamAV - their false-positive link goes nowhere

Immunet - their false-positive submission link is wrong

Aegislab - they don't have the correct false-positive submission link

K7 - does not have their false-positive submission link

Sophos - they do not give the correct false-positive submission link

I could go on and on, but it's very obvious what's going on...

2) Why purposely ignore the update times on the web page?

Why would anybody update a list, yet not take the 3 seconds to update the Recent Changelog?

3) The list here reflects key players on Google and VirusTotal, and focuses on false-positives, while the other old list does not.

There are some different vendors between the lists, and they have a bunch not used by VirusTotal. Thus their list (for now and because it's not updated) is not as relevant for helping the AHK community combat false-positives. We should not want people submitting to vendors that will not help stop the false-positive problem, not help how VirusTotal scores them, won't change the public perception about their software, have little influence on the market, or is a vendor with a low number of users.
nnnik
Posts: 4500
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: Report False-Positives To Anti-Virus Companies

25 Feb 2019, 07:20

Why would anybody update a list, yet not take the 3 seconds to update the Recent Changelog?
I do that.
Recommends AHK Studio
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX
Contact:

Re: Report False-Positives To Anti-Virus Companies

25 Feb 2019, 09:33

Thank you SOTE and guest3456. both sources could provide valuable information, but i agree a verified maintained list on our boards is extremely valuable. I hope you both can come together in this effort instead of trying to "win"
We are troubled on every side, yet not distressed; we are perplexed,
but not in despair; Persecuted, but not forsaken; cast down, but not destroyed;
Telegram is the best way to reach me
https://t.me/ttnnkkrr
If you have forum suggestions please submit a
Check Out WebWriter
Tigerlily
Posts: 377
Joined: 04 Oct 2018, 22:31

Re: Report False-Positives To Anti-Virus Companies

26 Feb 2019, 04:50

Thank you all for posting this valuable resource, thank you all for donating your time for good causes - this is a big issue, especially for businesses and end users of AutoHotkey-made software/applications. It provides a misleading barrier regarding the adoption of AutoHotkey in various important settings. I have already submitted once to MSDN, but haven't run into an issue at my place of work since then - unfortunately, with new creations being made and implemented, I know that this will continue to be an issue that hurts this spectacular scripting language. I agree with SOTE that a massive effort from the community to destigmatize AutoHotkey executables by sending a multitude of false-positive alerts to the AV companies that are disservicing and misrepresenting AutoHotkey is a good idea.

AutoHotkey being automatically flagged as malware could also be stopped by "de-bunking" the notion that AHK exe's are inherently malicious. Building trust and reputation via the AV companies and Google makes sense from this perspective, because building trust at the corporate level is important, but also, from another viewpoint: "safe" PR around AutoHotkey must also find its way around the net and into Google's eyes for them to start saying "Hey, this site, the community, and the language is reputable, important, and not a risk to those searching for content around the web." Those who have content out there on AutoHotkey, like websites that receive traffic, should consider creating content with this in mind. I believe it's an important part of this annoying puzzle. I hope to publish some content re: this when I have the capacity.

I will go ahead and send in some safe AHK.exe's I have written into all these verified AV companies to help catalyze this process. It may take me some time to get around to all of them, but I'll make some time for it.
-TL
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

26 Feb 2019, 05:15

Thanks tank and Tigerlily.

And tank, I agree. The "win" should be for the AHK community. I hope guest3456 and I can find common ground and things to agree on.

nnnik, LOL! I understand being in a hurry, but a few extra seconds though...
gwarble
Posts: 524
Joined: 30 Sep 2013, 15:01

Re: Report False-Positives To Anti-Virus Companies

12 Mar 2019, 08:25

Thanks for making this list, by far the most feedback I get from users is about false positives, which have only gotten more preventative over the last few years. I will be referring them to this list.

Has anyone determined if signing the executable has an impact on the false positives generated? I usually get between 2 and 8 false positives on VirusTotal with compiled scripts depending on the ahk version and/or what the script actually does, and would be interested to see if a code signing certificate would help prevent any/all false positives.
EitherMouse - Multiple mice, individual settings . . . . www.EitherMouse.com . . . . forum . . . .
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX
Contact:

Re: Report False-Positives To Anti-Virus Companies

12 Mar 2019, 09:35

gwarble wrote:
12 Mar 2019, 08:25
code signing certificate
The entire perhaps only purpose of code signing is to ensure you are receiving unmodified code from the release. Virus companies care about known patterns in the code not certificates
gwarble
Posts: 524
Joined: 30 Sep 2013, 15:01

Re: Report False-Positives To Anti-Virus Companies

12 Mar 2019, 11:52

Are you sure?

Because antivirus company's main goal is to make money not find known patterns, so they would have an incentive to not flag legitimate software and drive away customers.

This is only speculation, but i hope to some day test it specifically.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

12 Mar 2019, 15:49

gwarble wrote:
12 Mar 2019, 11:52
Are you sure?

Because antivirus company's main goal is to make money not find known patterns, so they would have an incentive to not flag legitimate software and drive away customers.

This is only speculation, but i hope to some day test it specifically.
My understanding of it is that a code signing certificate and digital certificate helps with the UAC, not necessarily whether or not an Anti-Virus company will flag it as malware. Without it, the UAC will give the unknown publisher alert, but the Anti-Virus software is not directly tied to UAC alerts.

Since the user has to manually decide if they will proceed with the installation, after the UAC alert, then it's arguably on them. This trust from the user, also has other factors involved. For instance the reputation or trust in the website they are downloading it from or if the company/author of the software is known, not just if the software has a certificate.

Though if your executable has no product name nor file description, it's more likely to be flagged as malware. The UAC alert is not based on what you put for product name and description, but rather if you have a certificate, so these are not related.

Various websites that specialize in software can have their own testing programs, such as Softpedia. They can review and certify that your software is safe. It's not clear to what extent this has pull among the top Anti-Virus vendors, and avoids the software being flagged as malware in the future, but it's likely the website distributing your software will inform you of any problems at the time of their certifying process. But the flip side of this for a software developer is getting bad or lower than expected reviews/ratings from users (or even sly competitors) on that website, to include staff of the website reviewing the software, or their software being lumped in with their competitors versus being displayed solely on your own website without any competition or comparison.
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX
Contact:

Re: Report False-Positives To Anti-Virus Companies

13 Mar 2019, 10:43

Just filed a report with Norton over one of our versions
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX
Contact:

Re: Report False-Positives To Anti-Virus Companies

14 Mar 2019, 07:06

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

14 Mar 2019, 08:25

tank wrote:
14 Mar 2019, 07:06
Now here is a win after I disputed
http://safeweb.norton.com/report/show?url=autohotkey.com
Great! Amazing that it took them so long for them to do the right thing.
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX
Contact:

Re: Report False-Positives To Anti-Virus Companies

14 Mar 2019, 08:26

well actually i been fighting google. Norton only required one explanation and dispute
Sam_
Posts: 146
Joined: 20 Mar 2014, 20:24

Re: Report False-Positives To Anti-Virus Companies

26 Mar 2019, 16:01

More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.
