Report False-Positives To Anti-Virus Companies

[gregster]

Let me see if I understand you correctly: I contact Virustotal, tell them neither Jotti nor my local antimalware program have found any issue, and would they please recheck? Or do I contact each and every viruschecker individually?

I doubt that Virustotal cares - they only report what they get. Generally, I would contact the individual companies. The first post of this topic can give you some hints and directions.

VT itself says this:

VirusTotal is detecting a legitimate software I have developed, what can I do?
VirusTotal acts simply as an information aggregator, presenting antivirus results, file characterization tool outputs, URL scanning engine results, etc. VirusTotal is not responsible for false positives generated by any of the resources it uses, false positive issues should be addressed directly with the company or individual behind the product under consideration.

Please find the company on our contributors page and reach out to them.

and

VirusTotal simply aggregates the output of different antivirus vendors and URL scanners, it does not produce any verdicts of its own. As such, if you are experiencing a false positive issue, you should notify the problem to the company producing the erroneous detection, they are the only ones that can fix the issue. Please note that even if we were able to remove the flag, the users of such product would still be blocked from accessing your site.

(red text color added by myself)

If you are contacting some smaller companies, though, chances are that they will never respond.
From personal experience I can tell you, that some AV companies are really bad. I once tried to report a false-positive to a rather small german AV vendor which never responded to requests in English. That's why I used German, multiple times. Even then, I never got meaningful feedback. After all, those companies make money by "finding" threats, not by saying "oh sorry, we were wrong".

[ItisI]

I'm already on it. Working down the list, and if I detect a German company, I'll use my German aswell. Will report back on the issue.

[ItisI]

Here's the first set-back: gMail won't let me upload the "infected" file...

[gregster]

I'm already on it.

Cool, thank you!
btw, it looks like the mentioned german AV vendor is no longer active.

Here's the first set-back: gMail won't let me upload the "infected" file...

Probably they are using VirusTotal - after all, both services are owned by Google. This shows the problems we are facing.
Doesn't the AV company have a website form which you could use instead?

[ItisI]

virus - false positives - AHK
Reporting false detection to antivirus providers
Spent the last 90 minutes trying to contact the vendors on the VirusTotal page that reported malware and also found on your list (announcement). The results are discouraging as I achieved virtually nothing. So sorry, but at least I tried. Open to any suggestions...

==================================
Google refuses upload ("Blocked for security reasons"):
Contacting by email seems futile :/
==================================
Antiy-AVL - Antiy Labs - AVL SDK
Bkav
SentinelOne (Static ML)
Trapmine
==================================
Different reasons
==================================
Rising
"The connection to mailcenter.rising.com.cn is not secure"
Not going to use a "not-secure" connection.
----------------------------------
SecureAge
refuses upload/cannot connect
What do you say to that???
==================================
not on the list
==================================
Cynet
Fortinet
Gridinsoft
Trellix
Webroot

[gregster]

Well, VT has its own Contributors page, mentioned above in a quote. There is eg Cynet and Fortinet in it - haven't checked the others. Of course, there are only links to the homepages and you might have to locate the correct contact/support page or email address yourself.

Generally, I would rather focus on the big industry names and wouldn't care much about some dubious vendors I have never heard about. But then again, if gmail uses VT, what are we going to do? And after the next AHK update, you can perhaps start again with the whole ordeal. I am afraid, it could be a neverending story.

[ItisI]

This is a project and probably useless. All my emails are gmails - sending the files will never work.

I'll think about it a bit more, maybe I'll come up with something.

-----

What I would like to suggest in the meantime:

short article about the situation
referring to the existing article (viewtopic.php?f=17&t=62266), but without this long list. The article should be locked, so that new additions flow into the article only via the author (you?).

publishing the hashes directly with the download links

Code: Select all

ahkv99.exe
ahkv99.exe.sha256

How to articles on checking hashes
Of course, not everybody is comfortable with checking hashes. Help them and provide the needed info.

A PGP signature would be nice!
If you can bring yourself to issue a PGP signature, you will need to include a "How To Verify a PGP Signature" article.

Since you yourself are the subject of false accusations, you need to help users to overcome any doubts they may have.

O well, just my 2 pence...

[ItisI]

Possible progress in sight. Remembered an old trick:

1. Zipped the "AutoHotkey_2.0.3_setup.exe" (password protected)
2. Zipped the the zipped file again (password protected)
3. Send the doubly zipped ((password protected)) file to the vendor (password included) and gMail didn't shout at me.

Will now repeat the exercise with those vendors I can reach by email (and report back)



PS Just found this warning in the sent email:

"Encrypted attachment warning – Be careful with this attachment. This message contains 1 encrypted attachment that can't be scanned for malicious content. Avoid downloading it unless you know the sender and are confident that this email is legitimate."

Well, we'll see ...

[ItisI]

Sort of success :/
Sending the double zipped password protected file worked. SentinalOne already confirmed. I will keep you updated.

1. Antiy-AVL - Antiy Labs - AVL SDK
eMails don't exist anymore
2. Bkav
3. SentinelOne (Static ML)

Reply
Thank you for your feedback.
Our DFI engine is one of many detection layers embedded on our agent, alongside with our state of the art behavioral analysis, reputation engines and sanity layer that ensures accuracy on our deployed agents.
We are constantly tuning our DFI for maximal coverage and minimum false positives. We expect to keep doing it over time as more files are seen in the wild.
We will review your input and make necessary actions as required, please make sure you have submitted the relevant information on the sample in question, and contact details - in case further clarifications are required.
There is no need to contact us for follow up - this report is being processed. We will only contact submitters in rare cases.
To read more about our full solution and see product demos, visit www.sentinelone.com.
Thank you,
SentinelOne Research Group

4. Trapmine

[SOTE]

Sort of success :/
SentinalOne already confirmed. I will keep you updated.

1. Antiy-AVL - Antiy Labs - AVL SDK
eMails don't exist anymore

Thanks for the update and submissions to the companies. Have made the correction on the first page.

[zandra_s]

Around two months ago, I started trying to report false positives. 11 vendors have flagged version 2.0.10.

After a while, these vendors have cleared the malicious flag:
- McAfee-GW-Edition
- Cynet
- SecureAge
- Bkav Pro
- Fortinet
- CrowdStrike Falcon

These vendors seemingly ignore the requests even after contacting them more than once.
- Antiy-AVL
- Rising
- SentinelOne (Static ML)
- Trapmine
- Webroot

I have started submitting reviews on Trustpilot and letting those companies know about it to see if they respond. See the post I have written here:
Reporting False-Positives Is Not Enough

If you can, please join me and let those AV vendors have a public record of ignoring issues like these.

[asheroto]

I noticed this as an issue as well with AV vendors. I have found that if you continue to email them weekly they will eventually fix the false positive. But not sure if all AV vendors will want to do this mainly because of the UI Access which could theoretically be used for bad. Process Hacker, for example, is one that many AV vendors still flag and refuse to make an exception for because it could be used for nefarious purposes.

Today I reached out to the companies listed in the table below to report AutoHotkey as a false positive.

Filename	Number of Detections	Detected By
AutoHotkey Setup	5	Alibaba, Rising, SentinelOne, Trapmine, Webroot
AutoHotkey64_UIA.exe	3	Alibaba, Bkav, Jiangmin
AutoHotkey32_UIA.exe	3	Alibaba, DeepInstinct, Rising
AutoHotkey64.exe	3	Alibaba, Bkav, Jiangmin
AutoHotkey32.exe	3	Alibaba, Rising, Trapmine

Fortunately I am a Webroot partner and am able to contact their support more directly. If they do not remove it through the traditional route, I will reach out to my contacts and see what they say.

If an admin/moderator would like to reach out to me in a PM I will send you a script I wrote that will automatically check the number of detections for each EXE and generate the table above, as well as generating the email addresses and URLs for false positive detection reporting.

I AutoHotkey

(I am not affiliated with AutoHotkey)

[zandra_s]

Version 2.0.11 got released and currently it is flagged by 8 vendors:

Antiy-AVL
Bkav Pro
Fortinet
Gridinsoft (no cloud)
Rising
SecureAge
SentinelOne (Static ML)
Webroot

Today I contacted each company to report the file as a false positive for investigation.

[SOTE]

Another good way to get the attention or punish non-responsive vendors is to apply pressure by e-mailing/contacting VirusTotal, and seeking to get them removed. Removing non-responsive or bad vendors from VirusTotal is helping the public in general.

• VirusTotal Online contact form (https://www.virustotal.com/gui/contact-us).

My site/file has been improperly flagged as harmful (false positive)

• Or call them out as a community member (https://www.virustotal.com/gui/join-us).

[zandra_s]

Status update for version 2.0.11.

These vendors have cleared the flags:
Bkav Pro
Fortinet
Gridinsoft (no cloud)

Webroot has replied but refused to clear the flag. I asked for the reason and got a super vague reply about them having seen AutoHotkey being used maliciously. I have exchanged a couple of messages with them and tried to get a better explanation and the extent of the analysis. I pushed them to evaluate the safety of AutoHotkey in a scenario where the user knows what she's doing and writes her own scripts. I explained the possibility of AutoHotkey getting flagged only because it sometimes gets delivered as a malicious compiled script. Blindly analyzing these patterns an AV engine might flag the AutoHotkey part as harmful. They haven't responded for a while now. Based on the little information they have provided, I don't think they have done anything beyond a shallow look at a couple of patterns.

[submeg]

Just ran into my first issue, which I'm assuming is AV related.

• AHK installed for months

• Left PC on, AV did a "background" scan"

• Tried to run SciTE, error saying it can't run the toolbar.ahk

• Find AHK > SciTE > InternalAHK.exe has been deleted.

• TURN OFF AV (Windows Defender already off)

• Delete all AHK

• Try to install AHK

• AutoHotkeyU32.exe and AutoHotkeyU64.exe missing

What is going on here?! I am more than annoyed at this. I have reported the false positives, but I'm unsure why, even with the AV off, I can't copy the EXEs back?

[slishnevsky]

Two questions:

1. How can I as a user detect if it is a virus or false-positive? Is there some sort of scanner that can detect if it is a false-positive or a virus?
2. Windows defender, when it scans downloaded file (which I know is safe, just a cracked version), it always finds some "viruses" in it and shows specific viruses names.
   I don't understand, if it is false-positive (meaning there are no actual viruses in it), when how does it figure out specific viruses' names?

[gregster]

1. How can I as a user detect if it is a virus or false-positive? Is there some sort of scanner that can detect if it is a false-positive or a virus?
2. Windows defender, when it scans downloaded file (which I know is safe, just a cracked version), it always finds some "viruses" in it and shows specific viruses names.
   I don't understand, if it is false-positive (meaning there are no actual viruses in it), when how does it figure out specific viruses' names?

Obviously, most people won't be able to determine if smth is definitely a false positive, but they have might a (strong) suspicion. That's why we recommend to send the file in question to your antivirus vendor, if in doubt - they should have the expertise to determine if the file is actually malicious or a false positive. In addition, you'll give them the opportunity to fine-tune their products, although I wouldn't put too much hope into long-term improvements.

Apart from the legal questions that the use of "cracked" files raises, of course they can be infected with malicious code. Antivirus software uses a lot of heuristics to identify all variants of a virus (some viruses even change their own code to not get identified). This means, they depend on identifying certain similarities, patterns and behaviours, in order to even identify yet unknown variants of a virus. Of course, there are usually business secrets involved - that's why those AV vendors won't tell you exactly for which details they are looking. But a local scan should be fast (hence simplified and prone to produce false-positives) - if you send them the files, they can have a closer look.

For AHK specifically, probably one of the main problems is that in every compiled program, there is the whole (powerful) AHK interpreter included. This means, even if your script doesn't use keyboard hooks, the AV scan will still notice the ability - and perhaps a certain similarity to a virus which some knucklehead has created with AHK, because the whole interpreter is exactly the same in the virus and your own app (at least if they used the same AHK version - but of course, different AHK versions still have strong similarities).

[amenu]

I got a malware alert from my antivirus, Webroot, when I opened the installation file for version 2 that I downloaded from https://www.autohotkey.com/ . Should I regard this as a false positive and do the installation?

[gregster]

@amenu, probably.
To feel safer, you can check the SHA256 hash for the downloaded file - look for it toward the end of the latest release post (or whatever you are using):
viewtopic.php?f=24&t=111779&p=570714#p570714 or on github https://github.com/AutoHotkey/AutoHotkey/releases
You could also report the file as a potential false positive to Webroot and see how they respond.