False positives are a plague for small developers

In the last few weeks some antiviruses detected one of my well-known software products (VirtualMIDISynth) as malicious.

These detections are false positives because:

  1. I wrote that software and I've built its setup, so I know what I've put inside it
  2. I don't like malware/adware/badware either
  3. I don't like to associate my name with something bad

That said, what other arguments do I have to support the statements above, other than my own word? Sadly, almost none!

False positives are a plague for small/independent developers like me.

I use VirusTotal to check my products with more than one AV in a shot; that's good because I can publish a link together with the download link to show its safety.
This will also indicate that I'm on the "honest" side.
But what if 1 of the 55 AV products featured by VirusTotal (at the time of writing) marks my file as suspicious?
I can say it's a false positive, because of my statements below and - also - because 1/55 is a clear indication of something wrong (or really really new ;)).
But I won't expect people to believe me (I wouldn't if I were them).

So should I dedicate part of my (few) spare time to contact AV vendors, send them samples to analyze and wait for them to remove it from their databases?
Well, I did it in the past but it was a tedious task with unpredictable results:

  • each AV vendor has its own procedure to send binary samples
  • some of them require registration
  • some others require having their AV installed and registered to send the false positive through it

Let me show a real example: VirtualMIDISynth 1.7.1 was released on May 24, 2016.
It was downloaded thousands of times without any issue; then, on June 5, it was marked as suspicious by Baidu antivirus.
I sent a false positive report to them asking for its removal and, after a few days, it was removed.
So far so good, but after some days it came back again as a false positive, from the same AV and another one.
What now? Should I send them another (the same) sample again and again? What if another AV jumps in?
It will quickly become a nightmare...

Obviously AV vendors don't give any clue to developers on what's wrong with the file marked as suspicious, otherwise bad guys could better hide their (real) malware.
Big software companies have time, AV agreements (and lawyers) to avoid their binaries being marked as false positives: that's good because nobody likes a zealous AV marking a system file as dangerous.
But what about small ones like me? What am I supposed to do?

The answer is, sadly again, simple: nothing.
I prefer to dedicate my (few) spare time to adding features to my software instead of fixing AV databases ;)

Sorry ;)

 

PS: if you believe me (and VirusTotal reports) and your AV is the only one reporting one of CoolSoft's products as bad, please help me by sending false positive reports to your AV vendor.
PS2: if you know a website I could use to easily send false-positive reports to AV vendors, please let me know in the comments below.

Comments

Unfortunately it looks like Invincea is also flagging VMS as a virus, so now the number of AV systems unnecessarily flagging VirtualMIDISynth has grown to two.

https://www.virustotal.com/en/file/fa2d535cff135b6ab419ac0d00998fc9541e6...

Please note that the Invincea database is more than 10 days old, maybe that's why it throws a false positive.
VirusTotal should exclude engines that are not updated...

I suggest compiling a list of the antivirus programs on the web which frequently produce false positive results. It would motivate AVs to solve this problem and would inform users of these programs about their untrustworthiness.

...I wonder if their legal offices would mind my "list".

Being the only one (out of 60+ AVs) that marks a file as infected should be sufficient ;)
