Antivirus false positives


Post by gpb »

Occasionally some antivirus programs detect one of our programs as malicious.
Unfortunately, most antivirus companies go too far with virus/trojan protection and in many cases classify completely legitimate software as a virus or another kind of malware/riskware.

In the case of our programs these detections are false positives because:
  • I wrote the software myself and created the installation file, so I know what I put in it
  • All executables are digitally signed with a valid certificate
  • I hate malware/adware and all that kind of rubbish
  • I don't like seeing my name associated with that kind of software
False positives are a plague for small developers.

From time to time I receive reports from users that one of the programs is detected as malware, a trojan or another kind of riskware by one of the many antivirus programs.
I can tell it's a false positive because of the statements I made above, but I don't expect people to believe me.

So should I spend some of my time contacting AV vendors, sending them samples to analyze, and waiting for them to be removed from their databases?
Well, I've done this in the past, but it was a tedious task with unpredictable results:
  • There are dozens of antivirus companies out there, and each one has its own procedure for sending binary samples.
  • False alerts appear and disappear all the time; one AV version reports malware, another one reports nothing.
  • Reporting false positives is usually difficult. If you look at the websites of some antivirus companies, you’ll easily find a large “Buy Now” button, but you probably won’t find any “Report a False Positive” link. They usually hide the option to report a false alert very deep in their website, and some of them give “False Positive” support only to users who purchased their product.
  • Even when I find the method to report a false positive, most of the companies don’t answer the requests at all or simply send an automatic message saying that the sample I sent is infected. In some cases, the antivirus company fixes the false alert problem in their next update, but without admitting that they had a false positive, and without sending any apology to me as a developer.
  • False positives usually come back: even when an antivirus company finally fixes a false positive, it’s just a matter of time until the false positive returns.
Of course, antivirus vendors don't give developers any clues about what's wrong with the file marked as suspicious, otherwise bad guys could better hide their (real) malware.
Big software companies have time, employees and AV agreements to prevent their binaries from being marked as false positives.
But what about little ones like me? What should I do?

The answer is, unfortunately, simple: nothing.
I prefer to spend my (little) free time adding features to my software instead of fixing AV databases.

If you find one of our programs flagged as malware, in addition to contacting us please don’t hesitate to call your antivirus company and require them to stop the false alerts. You pay for your antivirus product, and you deserve to get a reliable product that detects only real malware.
Gianpaolo Bottin