Re: Report False-Positives To Anti-Virus Companies
Posted: 05 Jul 2023, 01:59
by gregster
ItisI wrote: ↑05 Jul 2023, 01:45
Let me see if I understand you correctly: I contact Virustotal, tell them neither Jotti nor my local antimalware program have found any issue, and would they please recheck? Or do I contact each and every viruschecker individually?
I doubt that Virustotal cares - they only report what they get. Generally, I would contact the individual companies. The first post of this topic can give you some hints and directions.
VT itself says this:
and
(red text color added by myself)
If you are contacting some smaller companies, though, chances are that they will never respond.
From personal experience I can tell you that some AV companies are really bad. I once tried to report a false-positive to a rather small German AV vendor which never responded to requests in English. That's why I used German, multiple times. Even then, I never got meaningful feedback. After all, those companies make money by "finding" threats, not by saying "oh sorry, we were wrong".
Re: Report False-Positives To Anti-Virus Companies
Posted: 05 Jul 2023, 02:11
by ItisI
I'm already on it. Working down the list, and if I detect a German company, I'll use my German as well. Will report back on the issue.
Re: Report False-Positives To Anti-Virus Companies
Posted: 05 Jul 2023, 02:21
by ItisI
Here's the first set-back: gMail won't let me upload the "infected" file...
Re: Report False-Positives To Anti-Virus Companies
Posted: 05 Jul 2023, 02:25
by gregster
I'm already on it.
Cool, thank you!
btw, it looks like the mentioned German AV vendor is no longer active.
Here's the first set-back: gMail won't let me upload the "infected" file...
Probably they are using VirusTotal - after all, both services are owned by Google. This shows the problems we are facing.
Doesn't the AV company have a website form which you could use instead?
Re: Report False-Positives To Anti-Virus Companies
Posted: 05 Jul 2023, 03:15
by ItisI
virus - false positives - AHK
Reporting false detection to antivirus providers
Spent the last 90 minutes trying to contact the vendors on the VirusTotal page that reported malware and also found on your list (announcement). The results are discouraging as I achieved virtually nothing. So sorry, but at least I tried. Open to any suggestions...
==================================
Google refuses upload ("Blocked for security reasons"):
Contacting by email seems futile :/
==================================
Antiy-AVL - Antiy Labs - AVL SDK
Bkav
SentinelOne (Static ML)
Trapmine
==================================
Different reasons
==================================
Rising
"The connection to mailcenter.rising.com.cn is not secure"
Not going to use a "not-secure" connection.
----------------------------------
SecureAge
refuses upload/cannot connect
What do you say to that???
==================================
not on the list
==================================
Cynet
Fortinet
Gridinsoft
Trellix
Webroot
Re: Report False-Positives To Anti-Virus Companies
Posted: 05 Jul 2023, 03:33
by gregster
Well, VT has its own Contributors page, mentioned above in a quote. There is e.g. Cynet and Fortinet in it - haven't checked the others. Of course, there are only links to the homepages and you might have to locate the correct contact/support page or email address yourself.
Generally, I would rather focus on the big industry names and wouldn't care much about some dubious vendors I have never heard about. But then again, if gmail uses VT, what are we going to do? And after the next AHK update, you can perhaps start again with the whole ordeal.
I am afraid it could be a never-ending story.
Re: Report False-Positives To Anti-Virus Companies
Posted: 05 Jul 2023, 04:51
by ItisI
This is a project and probably useless. All my emails are gmails - sending the files will never work.
I'll think about it a bit more, maybe I'll come up with something.
-----
What I would like to suggest in the meantime:
short article about the situation
referring to the existing article (viewtopic.php?f=17&t=62266), but without this long list. The article should be locked, so that new additions flow into the article only via the author (you?).
publishing the hashes directly with the download links
How-to articles on checking hashes
Of course, not everybody is comfortable with checking hashes. Help them and provide the needed info.
A PGP signature would be nice!
If you can bring yourself to issue a PGP signature, you will need to include a "How To Verify a PGP Signature" article.
Since you yourself are the subject of false accusations, you need to help users to overcome any doubts they may have.
Oh well, just my 2 pence...
Re: Report False-Positives To Anti-Virus Companies
Posted: 06 Jul 2023, 02:41
by ItisI
Possible progress in sight. Remembered an old trick:
1. Zipped the "AutoHotkey_2.0.3_setup.exe" (password protected)
2. Zipped the zipped file again (password protected)
3. Sent the doubly zipped (password protected) file to the vendor (password included) and gMail didn't shout at me.
Will now repeat the exercise with those vendors I can reach by email (and report back)
PS Just found this warning in the sent email:
"Encrypted attachment warning – Be careful with this attachment. This message contains 1 encrypted attachment that can't be scanned for malicious content. Avoid downloading it unless you know the sender and are confident that this email is legitimate."
Well, we'll see ...
Re: Report False-Positives To Anti-Virus Companies
Posted: 06 Jul 2023, 02:58
by ItisI
Sort of success :/
Sending the double zipped password protected file worked. SentinelOne already confirmed. I will keep you updated.
1. Antiy-AVL - Antiy Labs - AVL SDK
Emails don't exist anymore
2. Bkav
3. SentinelOne (Static ML)
Reply
Thank you for your feedback.
Our DFI engine is one of many detection layers embedded in our agent, alongside our state of the art behavioral analysis, reputation engines and sanity layer that ensures accuracy on our deployed agents.
We are constantly tuning our DFI for maximal coverage and minimum false positives. We expect to keep doing it over time as more files are seen in the wild.
We will review your input and make necessary actions as required, please make sure you have submitted the relevant information on the sample in question, and contact details - in case further clarifications are required.
There is no need to contact us for follow up - this report is being processed. We will only contact submitters in rare cases.
To read more about our full solution and see product demos, visit www.sentinelone.com.
Thank you,
SentinelOne Research Group
4. Trapmine
Re: Report False-Positives To Anti-Virus Companies
Posted: 25 Aug 2023, 13:03
by SOTE
ItisI wrote: ↑06 Jul 2023, 02:58
Sort of success :/
SentinelOne already confirmed. I will keep you updated.
1. Antiy-AVL - Antiy Labs - AVL SDK
Emails don't exist anymore
Thanks for the update and submissions to the companies. Have made the correction on the first page.
Re: Report False-Positives To Anti-Virus Companies
Posted: 16 Nov 2023, 09:20
by zandra_s
Around two months ago, I started trying to report false positives. 11 vendors have flagged version 2.0.10.
After a while, these vendors have cleared the malicious flag:
- McAfee-GW-Edition
- Cynet
- SecureAge
- Bkav Pro
- Fortinet
- CrowdStrike Falcon
These vendors seemingly ignore the requests even after contacting them more than once.
- Antiy-AVL
- Rising
- SentinelOne (Static ML)
- Trapmine
- Webroot
I have started submitting reviews on Trustpilot and letting those companies know about it to see if they respond. See the post I have written here:
Reporting False-Positives Is Not Enough
If you can, please join me and let those AV vendors have a public record of ignoring issues like these.
Re: Report False-Positives To Anti-Virus Companies
Posted: 18 Dec 2023, 14:53
by asheroto
I noticed this as an issue as well with AV vendors. I have found that if you continue to email them weekly they will eventually fix the false positive. But not sure if all AV vendors will want to do this mainly because of the UI Access which could theoretically be used for bad. Process Hacker, for example, is one that many AV vendors still flag and refuse to make an exception for because it could be used for nefarious purposes.
Today I reached out to the companies listed in the table below to report AutoHotkey as a false positive.
Filename             | Number of Detections | Detected By
AutoHotkey Setup     | 5                    | Alibaba, Rising, SentinelOne, Trapmine, Webroot
AutoHotkey64_UIA.exe | 3                    | Alibaba, Bkav, Jiangmin
AutoHotkey32_UIA.exe | 3                    | Alibaba, DeepInstinct, Rising
AutoHotkey64.exe     | 3                    | Alibaba, Bkav, Jiangmin
AutoHotkey32.exe     | 3                    | Alibaba, Rising, Trapmine
Fortunately I am a Webroot partner and am able to contact their support more directly. If they do not remove it through the traditional route, I will reach out to my contacts and see what they say.
If an admin/moderator would like to reach out to me in a PM I will send you a script I wrote that will automatically check the number of detections for each EXE and generate the table above, as well as generating the email addresses and URLs for false positive detection reporting.
I
AutoHotkey
(I am not affiliated with AutoHotkey)
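The post above describes a script that counts detections per EXE from VirusTotal and renders a table like the one shown. The following is an added example (my own code, not asheroto's script) that does the counting step over VirusTotal API v3 file-report JSON: the field names `data.attributes.last_analysis_results` and `category` are the real v3 report layout, while the engine verdicts embedded below are constructed sample data, not actual scan results.

```python
import json

# Constructed sample of two VirusTotal API v3 file reports, trimmed to the
# fields used here. Engine names mirror the table in the post; the verdicts are
# illustrative only and do not reflect any real scan.
SAMPLE_REPORTS = {
    "AutoHotkey64.exe": json.dumps({"data": {"attributes": {"last_analysis_results": {
        "Alibaba":  {"category": "malicious", "result": "Trojan:Win32/Generic.constructed"},
        "Bkav":     {"category": "malicious", "result": "W32.AIDetect.constructed"},
        "Jiangmin": {"category": "malicious", "result": "Trojan.Generic.constructed"},
        "Microsoft": {"category": "undetected", "result": None},
        "Fortinet":  {"category": "harmless", "result": None},
        "EngineX":   {"category": "type-unsupported", "result": None},
    }}}}),
    "AutoHotkey32.exe": json.dumps({"data": {"attributes": {"last_analysis_results": {
        "Alibaba":  {"category": "malicious", "result": "Trojan:Win32/Generic.constructed"},
        "Rising":   {"category": "malicious", "result": "Trojan.Generic.constructed"},
        "Trapmine": {"category": "malicious", "result": "suspicious.low.ml.score"},
        "Microsoft": {"category": "undetected", "result": None},
        "EngineY":   {"category": "failure", "result": None},   # engine timed out / errored
    }}}}),
}


def detections(report_json):
    """Return the sorted list of engines that flagged the file as malicious.

    Only the 'malicious' category is counted, which matches the headline
    detection count VirusTotal shows; 'suspicious', 'undetected', 'harmless',
    'type-unsupported' and 'failure' are all left out of the count.
    """
    results = json.loads(report_json)["data"]["attributes"]["last_analysis_results"]
    return sorted(name for name, r in results.items() if r.get("category") == "malicious")


def detection_table(reports):
    """Build (filename, detection count, comma-joined engine list) rows."""
    return [(name, len(detections(js)), ", ".join(detections(js)))
            for name, js in reports.items()]


def render_table(rows):
    """Render the rows as the pipe-separated table used in the post."""
    lines = ["Filename | Number of Detections | Detected By"]
    lines += [f"{f} | {n} | {engines}" for f, n, engines in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(detection_table(SAMPLE_REPORTS)))
```

A live version would fetch each report from the v3 `/files/{sha256}` endpoint with an API key and feed the JSON into `detection_table` unchanged.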
Re: Report False-Positives To Anti-Virus Companies
Posted: 04 Jan 2024, 14:28
by zandra_s
Version 2.0.11 got released and currently it is flagged by 8 vendors:
Antiy-AVL
Bkav Pro
Fortinet
Gridinsoft (no cloud)
Rising
SecureAge
SentinelOne (Static ML)
Webroot
Today I contacted each company to report the file as a false positive for investigation.
Re: Report False-Positives To Anti-Virus Companies
Posted: 16 Jan 2024, 06:22
by SOTE
Another good way to get the attention or punish non-responsive vendors is to apply pressure by e-mailing/contacting VirusTotal, and seeking to get them removed. Removing non-responsive or bad vendors from VirusTotal is helping the public in general.
My site/file has been improperly flagged as harmful (false positive)
Re: Report False-Positives To Anti-Virus Companies
Posted: 19 Jan 2024, 11:25
by zandra_s
Status update for version 2.0.11.
These vendors have cleared the flags:
Bkav Pro
Fortinet
Gridinsoft (no cloud)
Webroot has replied but refused to clear the flag. I asked for the reason and got a super vague reply about them having seen AutoHotkey being used maliciously. I have exchanged a couple of messages with them and tried to get a better explanation and the extent of the analysis. I pushed them to evaluate the safety of AutoHotkey in a scenario where the user knows what she's doing and writes her own scripts. I explained the possibility of AutoHotkey getting flagged only because it sometimes gets delivered as a malicious compiled script. Blindly analyzing these patterns an AV engine might flag the AutoHotkey part as harmful. They haven't responded for a while now. Based on the little information they have provided, I don't think they have done anything beyond a shallow look at a couple of patterns.
Re: Report False-Positives To Anti-Virus Companies
Posted: 19 Jan 2024, 16:05
by submeg
Just ran into my first issue, which I'm assuming is AV related.
- Left PC on, AV did a "background" scan
- Tried to run SciTE, error saying it can't run the toolbar.ahk
- Find AHK > SciTE > InternalAHK.exe has been deleted.
- TURN OFF AV (Windows Defender already off)
- AutoHotkeyU32.exe and AutoHotkeyU64.exe missing
What is going on here?! I am more than annoyed at this. I have reported the false positives, but I'm unsure why, even with the AV off, I can't copy the EXEs back?
Re: Report False-Positives To Anti-Virus Companies
Posted: 19 Mar 2024, 07:07
by slishnevsky
Two questions:
- How can I as a user detect if it is a virus or false-positive? Is there some sort of scanner that can detect if it is a false-positive or a virus?
- Windows defender, when it scans downloaded file (which I know is safe, just a cracked version), it always finds some "viruses" in it and shows specific viruses names.
I don't understand, if it is false-positive (meaning there are no actual viruses in it), then how does it figure out specific viruses' names?
Re: Report False-Positives To Anti-Virus Companies
Posted: 19 Mar 2024, 09:15
by gregster
slishnevsky wrote: ↑19 Mar 2024, 07:07
- How can I as a user detect if it is a virus or false-positive? Is there some sort of scanner that can detect if it is a false-positive or a virus?
- Windows defender, when it scans downloaded file (which I know is safe, just a cracked version), it always finds some "viruses" in it and shows specific viruses names.
I don't understand, if it is false-positive (meaning there are no actual viruses in it), then how does it figure out specific viruses' names?
Obviously, most people won't be able to determine if smth is definitely a false positive, but they might have a (strong) suspicion. That's why we recommend sending the file in question to your antivirus vendor, if in doubt - they should have the expertise to determine if the file is actually malicious or a false positive. In addition, you'll give them the opportunity to fine-tune their products, although I wouldn't put too much hope into long-term improvements.
Apart from the legal questions that the use of "cracked" files raises, of course they can be infected with malicious code. Antivirus software uses a lot of heuristics to identify all variants of a virus (some viruses even change their own code to not get identified). This means they depend on identifying certain similarities, patterns and behaviours, in order to even identify yet unknown variants of a virus. Of course, there are usually business secrets involved - that's why those AV vendors won't tell you exactly which details they are looking for. But a local scan should be fast (hence simplified and prone to produce false-positives) - if you send them the files, they can have a closer look.
For AHK specifically, probably one of the main problems is that in every compiled program, there is the whole (powerful) AHK interpreter included. This means, even if your script doesn't use keyboard hooks, the AV scan will still notice the ability - and perhaps a certain similarity to a virus which some knucklehead has created with AHK, because the whole interpreter is exactly the same in the virus and your own app (at least if they used the same AHK version - but of course, different AHK versions still have strong similarities).