What to do in case of Anti-Virus false positives?


Here is a list of actions that will help you find some answers and take the proper steps.

This is an ongoing issue that more exotic or less mainstream scripting languages have to face, where they can be targeted by poor practices within Anti-Virus companies or where proper research isn't being done. This includes:


. Wholesale importing hash and database signatures from online sources, without doing proper analysis or verification

. Falsely identifying clean or non-dangerous files as malware to artificially boost Anti-Virus sales or give unsuspecting customers false confidence

. False identification does a disservice to the entire Anti-Virus industry, and can arguably be a form of fraud or a bad business practice

. False positives decrease customer confidence in the quality of the product and the validity of scan results


To combat this situation, here is a list of Anti-Virus online false-positive submission sites (and some e-mail addresses). Google's VirusTotal list uses these major players. The advantage is that if an .exe is falsely identified, we can rapidly submit it to many major Anti-Virus companies to have it properly tested and cleared.


. Microsoft Online Submission for False-Positives: https://www.microsoft.com/en-us/wdsi/filesubmission

Note- Most people will need to select "Home customer" and then "Continue". This gives you tracking of Microsoft's decision.


. Comodo Online Submission for False-Positives: https://www.comodo.com/home/internet-security/submit.php


. Avast Online Submission for False-Positives: https://www.avast.com/en-us/false-positive-file-form.php


. Avira Online Submission for False-Positives: https://analysis.avira.com/en/submit


. Bitdefender Online Submission for False-Positives: https://www.bitdefender.com/submit/


. AVG Online Submission for False-Positives: https://www.avg.com/en-us/false-positive-file-form


. Trend Micro Online Submission for False-Positives: https://www.trendmicro.com/en_ph/about/legal/detection-reevaluation.html


. Spybot Search & Destroy Online Submission for False-Positives: https://www.safer-networking.org/support/


. G DATA or G-Data Online Submission for False-Positives: https://su.gdatasoftware.com/us/sample-submission/


. VIPRE or ThreatTrack Online Submission for False-Positives: https://www.vipre.com/support/submit-false-positive/


. ClamAV and Immunet Online Submission for False-Positives: http://www.immunet.com/false_positive

Note- These products are tied to Cisco, so their impact should not be underestimated.


. Norton or Symantec or Blue Coat Online Submission: https://submit.symantec.com/false_positive/

Note- You must fill out their form, which has multiple questions before the submission step


. Aegislab Online Submission for False-Positives: https://aegislab.com/Support/

Note- Taiwan based company on Google's VirusTotal list, where you might have to add an exception (at least temporarily) for their SSL certificate


. K7 or K7AntiVirus Online Submission for False-Positives: https://support.k7computing.com/index.php?/ticket/submit-ticket

Note- Choose False Positive under "Category". And it's best to put "False Positive: file being detected by K7" for "Subject"


. eGambit Online Submission for False-Positives: https://tehtris.com/egambit_fp.php

Note- They may ask for more details or follow-up questions.


. Rising Anti-virus Online Submission for False-Positives: http://mailcenter.rising.com.cn/filecheck_en/

Note- Chinese company. English support is limited.


. Qihoo or 360 Safeguard Online Submission for False-Positives: http://www.360totalsecurity.com/en/suspicion/false-positive/

Note- Chinese company; on VirusTotal. English support. Also known for controversies over certification and its detection engine.


. Sophos Online Submission: https://secure2.sophos.com/en-us/support/submit-a-sample.aspx

Note- With Sophos, you have to specifically clarify that you are reporting a false-positive.


"Why do you want to send this sample?" section.

This file, fkernel.exe, has been falsely detected as malware by Sophos. I want fkernel.exe removed from your list.


. F-Secure Online Submission for False-Positives: https://www.f-secure.com/en/web/labs_global/submit-a-sample

Note- With F-Secure you also have to specifically clarify that you are reporting a false-positive.


"I want to give more details about this sample and to be notified of the analysis results" click check box

This file, fkernel.exe, has been falsely detected as malware by F-Secure. I want fkernel.exe removed from your list.


. F-Prot or Cyren Online Submission for False-Positives: https://kb.cyren.com/av-support/?/Tickets/Submit/RenderForm/7

Note- With F-Prot or Cyren you also have to specifically clarify that you are reporting a false-positive.


"I think is falsely classified as malware" Misclassification Reason*

This file, fkernel.exe, has been falsely detected as malware by F-Prot or Cyren. I want fkernel.exe removed from your list.


. Nano Online Submission: https://www.nanoav.pro/index.php?option=com_content&view=article&id=15&Itemid=83&lang=en

Note- Russian based company with English support. Need to specifically clarify that you are reporting a false-positive.


"False Detection under" Theme*


. Endgame Online Customer Support Form: https://www.endgame.com/company/customer-support

Note- Online customer support form with no attachment; you have to send the complaint first, then respond to the e-mail they send.


Select- "VirusTotal Feedback" for Type*


. Zoner AntiVirus Online Contact Form: http://www.zonerantivirus.com/kontaktni-formular-zakaznicke-podpory

Note- Czech based company with English support.

Online customer support form with no attachment; you have to send the complaint first, then respond to the e-mail they send.


. Kaspersky E-mail Submission for False-Positives: info@kaspersky.com and newvirus@kaspersky.com

Note- Russian company. Responsiveness to false-positive reports is a known issue. Probably best to e-mail both addresses. Suggested format to submit below:


To: info@kaspersky.com

cc: newvirus@kaspersky.com

Subject: False Positive: file being detected by Kaspersky

Email body text:


Could you please check the attached file, as I think it is a false detection. Here are my product details:


Product:

Engine:

Description of issue: This file has been falsely detected as malware


. Panda E-mail Submission for False-Positives: support@pandasecurity.com and falsepositives@pandasecurity.com

Note- Probably best to e-mail both addresses. Suggested format to submit below:


To: support@pandasecurity.com

cc: falsepositives@pandasecurity.com

Subject: False Positive: file being detected by Panda

Email body text:


Could you please check the attached file, as I think it is a false detection. Here are my product details:


Product:

Engine:

Description of issue: This file has been falsely detected as malware


. Emsisoft or EMSI E-mail Submission for False-Positives: fp@emsisoft.com

Note- Should be submitted in the below format


To: fp@emsisoft.com

Subject: False Positive: file being detected by Emsisoft

Email body text:


Could you please check the attached file, as I think it is a false detection. Here are my product details:


Product:

Engine:

Description of issue: This file has been falsely detected as malware


. ESET E-mail Submission for False-Positives: samples@eset.com

Note- Should be submitted in the below format


To: samples@eset.com

Subject: False Positive: file being detected by ESET

Email body text:


Could you please check the attached file, as I think it is a false detection. Here are my product details:


Product:

Engine:

Description of issue: This file has been falsely detected as malware


. McAfee E-mail Submission for False-Positives: virus_research@avertlabs.com

Note- Needs to be submitted in the below format.


To: virus_research@avertlabs.com

Subject: FALSE: file being detected by McAfee.

Email body text:


Could you please check the attached file, as I think it is a false detection. Here are my product details:


Product: McAfee Security Center 16.0 (Example- put in correct info)

Engine: 3181.0 (Example- put in correct info)

Description of issue: This file has been detected as malware


. ADMINUSLabs E-mail Submission for False-Positives: falsepositive@adminuslabs.net

Note- If you have complaints or comments, you can use https://www.adminuslabs.net/Contact.html

E-mail with attachment should be submitted in the below format


To: falsepositive@adminuslabs.net

Subject: False Positive: file being detected by ADMINUSLabs

Email body text:


Could you please check the attached file, as I think it is a false detection.


Description of issue: This file has been falsely detected as malware


. Acronis scanner E-mail Submission for False-Positives: virustotal-falsepositive@acronis.com

E-mail with attachment should be submitted in the below format


To: virustotal-falsepositive@acronis.com

Subject: False Positive: file being detected by Acronis scanner

Email body text:


Could you please check the attached file, as I think it is a false detection.


Description of issue: This file has been falsely detected as malware


. Palo Alto or LightCyber E-mail Submission for False-Positives: lightcyber-support@paloaltonetworks.com

Note- LightCyber is a malware detection engine used by Palo Alto. This company is a VirusTotal contributor

E-mail with attachment should be submitted in the below format


To: lightcyber-support@paloaltonetworks.com

Subject: False Positive: file being detected by Palo Alto product

Email body text:


Could you please check the attached file, as I think it is a false detection.


Description of issue: This file has been falsely detected as malware


. Ikarus E-mail Submission for False-Positives: support@ikarus.at

E-mail with attachment should be submitted in the below format


To: support@ikarus.at

Subject: False Positive: file being detected by Ikarus product

Email body text:


Could you please check the attached file, as I think it is a false detection.


Description of issue: This file has been falsely detected as malware


. StopBadware Request A Review: https://www.stopbadware.org/clearinghouse/search

Note- This organization is related to Google, VirusTotal, and Mozilla's Firefox. Their opinions or decisions can have a major impact.


. Check Point or Zone Alarm Online trouble ticket or chat: https://www.checkpoint.com/support-services/contact-support/

Note- This is a problematic system, where people are forced to sign up and then have to open a ticket or do a chat.

Otherwise, you can call them by phone, but obviously you won't be able to send attachments that way.


. Malwarebytes Online Forum Review: https://forums.malwarebytes.com/forum/122-false-positives/

Note- This is a problematic system, where people are forced to sign up before making a report about their product. However, their product is famous.

by Peter Forth 2019