False positives are a plague for small developers

In the last few weeks some antiviruses detected one of my well-known programs (VirtualMIDISynth) as malicious.

These detections are false positives because:

  1. I wrote that software and I've built its setup, so I know what I've put inside it
  2. I don't like malware/adware/badware either
  3. I don't like to associate my name with something bad

That said, what other arguments do I have to support the statements above, other than my own word? Sadly, almost none!

False positives are a plague for small/independent developers like me.

I use VirusTotal to check my products with more than one AV in a shot; that's good because I can publish a link together with the download link to show its safety.
This will also indicate that I'm on the "honest" side.
But what if 1 of the 55 AV products featured by VirusTotal (at the time of writing) marks my file as suspicious?
I can say it's a false positive, because of my statements below and - also - because 1/55 is a clear indication of something wrong (or really really new ;)).
But I don't expect people to believe me (I wouldn't if I were them).

So should I dedicate part of my (little) spare time to contacting AV vendors, sending them samples to analyze and waiting for them to remove the detection from their databases?
Well, I did it in the past but it was a tedious task with unpredictable results:

  • each AV vendor has its own procedure to send binary samples
  • some of them require registration
  • some others require you to have their AV installed and registered in order to send the false positive through it

Let me show a real example: VirtualMIDISynth 1.7.1 was released on May 24, 2016.
It was downloaded thousands of times without any issue; then, on June 5, it was marked as suspicious by Baidu antivirus.
I sent them a false positive report asking for removal and, after a few days, the detection was removed.
So far so good, but after some days it came back again as a false positive, from the same AV and another one.
What now? Should I send them another (the same) sample again and again? What if another AV jumps in?
It will quickly become a nightmare...

Obviously AV vendors don't give any clue to developers on what's wrong with the file marked as suspicious, otherwise bad guys could better hide their (real) malware.
Big software companies have time, AV agreements (and lawyers) to avoid their binaries being marked as false positives: that's good because nobody likes a zealous AV marking a system file as dangerous.
But what about small ones like me? What am I supposed to do?

The answer is, sadly again, simple: nothing.
I prefer to dedicate my (little) spare time to adding features to my software instead of fixing AV databases ;)

Sorry ;)

 

PS: if you believe me (and VirusTotal reports) and your AV is the only one reporting one of CoolSoft's products as bad, please help me by sending false positive reports to your AV vendor.
PS2: if you know a website I could use to easily send false-positive reports to AV vendors, please let me know in the comments below.

Comments

Unfortunately it looks like Invincea is also flagging VMS as a virus, so now the number of AV systems unnecessarily flagging VirtualMIDISynth has grown to two.

https://www.virustotal.com/en/file/fa2d535cff135b6ab419ac0d00998fc9541e6...

Please note that the Invincea database is more than 10 days old, maybe that's why it throws a false positive.
VirusTotal should exclude engines that are not updated...

I suggest compiling a list on the web of the antivirus programs which frequently produce false positive results. It would motivate AV vendors to solve this problem and would inform users of these programs about their untrustworthiness.

...I wonder if their legal offices would mind my "list".

Being the only one (out of 60+ AVs) that marks a file as infected should be sufficient ;)

The vendors can sometimes be slow to respond. Most tiresome!

 

I'm Chinese so I know it well.

Baidu Antivirus does not detect viruses. Baidu Antivirus ITSELF is a virus.

I honestly am a little surprised Norton wasn't the first to do this to you. Norton 360 is quarantine/delete trigger-happy, and if you download anything that isn't what you expect to see on sites that normies and inexperienced users commonly use, or from big companies, then it will destroy you. I once downloaded Open Hexagon, an open-source, easily modded remake of Super Hexagon with music by Bossfight. When I first got it everything was fine, but like 1 or 2 weeks later Norton suddenly decided to flag over half of everything in the game folder with ws.reputation.1, in fact even the soundtrack. I kid you not, it claimed the soundtrack was unsafe. What the actual fk.

Thank god I still had the zip file. I managed to replace the broken assets.

Oh yeah, right. Flagging random files with "reputation" is Norton's hobby.

Funny thing is it didn't delete the Open Hexagon folder until seconds after I actually opened it. Why didn't it detect it before? Dunno. Oh wait.... did Symantec troll me?

Nah. But it does delete stuff it does detect to seemingly be a real virus, without permission. I checked the settings and I have it set to always ask me on literally everything. And when it asks you to restart for updates, I hit "Remind me in 24 hours" and it reminds me in 8.

Norton sucks. 

I had a decently long post but then the captcha and JS system glitched and it saved everything but my comment.

Yay, the one thing I said that was very agreeable just got destroyed...

Anyway.. Norton sucks, deletes everything, always uses "ws.reputation.1" as an excuse. Sometimes it even tries to prove it and fails hilariously, when all the evidence is clearly against the claim that said file is a virus. And it deletes stuff that it thinks actually is a virus, which is good, but it does it without permission. Thanks. I checked the settings and this still happens even though (and these were the default settings, fyi) I have that set to ask me first. Always.

Don't buy it unless you're that paranoid or just super naive and actually need that.

If you have it, do yourself a favor and get a different one and delete Norton.
