Antivirus false positives are a plague for small developers


In the last few weeks some antiviruses have detected one of my well-known programs (VirtualMIDISynth) as malicious.

These detections are false positives because:

  1. I wrote that software and I built its setup, so I know what I put inside it
  2. I don't like malware/adware/badware either
  3. I don't like to have my name associated with something bad

That said, what other arguments do I have to support the statements above, other than my own word? Sadly, almost none!

False positives are a plague for small/independent developers like me.

I use VirusTotal to check my products against many AVs in one shot; that's good because I can publish a link to the report next to the download link to show that the file is clean.
This also indicates that I'm on the "honest" side.
But what if 1 of the 55 AV products featured by VirusTotal (at the time of writing) marks my file as suspicious?
I can say it's a false positive, because of my statements above and - also - because 1/55 is a clear indication that something is wrong on the AV side (or that the file is really, really new ;)).
But I don't expect people to believe me (I wouldn't if I were them).

So should I dedicate part of my (little) spare time to contacting AV vendors, sending them samples to analyze and waiting for them to remove the detection from their databases?
Well, I did it in the past, but it was a tedious task with unpredictable results:

  • each AV vendor has its own procedure for submitting binary samples
  • some of them require registration
  • others require you to have their AV installed and registered, and to submit the false positive through it

Let me show a real example: VirtualMIDISynth 1.7.1 was released on May 24, 2016.
It was downloaded thousands of times without any issue; then, on June 5, it was marked as suspicious by Baidu antivirus.
I sent them a false positive report asking for removal and, after a few days, the detection was removed.
So far so good, but after some days it was flagged again, by the same AV and by another one.
What now? Should I send them the same sample again and again? What if another AV jumps in?
It would quickly become a nightmare...

Obviously AV vendors don't give developers any clue about what's wrong with a file marked as suspicious, otherwise the bad guys could better hide their (real) malware.
Big software companies have the time, the AV agreements (and the lawyers) to keep their binaries from being flagged as false positives: that's good, because nobody likes a zealous AV marking a system file as dangerous.
But what about small ones like me? What am I supposed to do?

The answer is, sadly again, simple: nothing.
I prefer to dedicate my (little) spare time to adding features to my software instead of fixing AV databases ;)

Sorry ;)

2018-05-27 UPDATE: the well-known and respected developer Nirsoft published a similar post years before mine. I wasn't aware of it, but I'm pleased we share the same thoughts...

PS: if you believe me (and the VirusTotal reports) and your AV is the only one reporting a CoolSoft product as bad, please help me by sending a false positive report to your AV vendor.
PS2: if you know a website I could use to easily send false positive reports to AV vendors, please let me know in the comments below.


Comments

Unfortunately it looks like Invincea is also flagging VMS as a virus, so now the number of AV systems unnecessarily flagging VirtualMIDISynth has grown to two.

https://www.virustotal.com/en/file/fa2d535cff135b6ab419ac0d00998fc9541e6...

Please note that the Invincea database is more than 10 days old; maybe that's why it throws a false positive.
VirusTotal should exclude engines that are not updated...


I suggest arranging a list of the antivirus programs on the web which frequently produce false positive results. It would motivate AVs to solve this problem and would inform users of these programs about their untrustworthiness.

...I wonder if their legal offices would mind my "list".

Being the only one (out of 60+ AVs) that marks a file as infected should be sufficient ;)

The vendors can sometimes be slow to respond. Most tiresome!

I'm Chinese so I know it well.

Baidu Antivirus does not detect viruses. Baidu Antivirus ITSELF is a virus.

I honestly am a little surprised Norton wasn't the first to do this to you. Norton 360 is quarantine/delete trigger-happy, and if you download anything that isn't what it expects to see on sites that normies and inexperienced users commonly use, or from big companies, then it will destroy you. I once downloaded Open Hexagon, an open-source, easily modded remake of Super Hexagon with music by Bossfight. When I first got it everything was fine, but 1 or 2 weeks later Norton suddenly decided to flag over half of everything in the game folder with ws.reputation.1, in fact even the soundtrack. I kid you not, it claimed the soundtrack was unsafe. What the actual fk.

Thank god I still had the zip file. I managed to replace the broken assets.

Oh yeah, right. Flagging random files with "reputation" is Norton's hobby.

Funny thing is it didn't delete the Open Hexagon folder until seconds after I actually opened it. Why didn't it detect it before? Dunno. Oh wait.... did Symantec troll me?

Nah. But it does delete stuff that it detects to seemingly be a real virus, without permission. I checked the settings and I have it set to always ask me on literally everything. And when it asks you to restart for updates, I hit "Remind me in 24 hours" and it reminds me in 8.

Norton sucks.

I had a decently long post but then the captcha and JS system glitched and it saved everything but my comment.

Yay, the one thing I said that was very agreeable just got destroyed...

Anyway... Norton sucks, deletes everything, always uses "ws.reputation.1" as an excuse. Sometimes it even tries to prove it and fails hilariously, when all the evidence is clearly against the claim that said file is a virus. And it deletes stuff that it thinks actually is a virus, which is good, but it does it without permission. Thanks. I checked the settings and this still happens even though (and these were the default settings, fyi) I have that set to ask me first. Always.

Don't buy it unless you're that paranoid or just super naive and actually need that.

If you have it, do yourself a favor and get a different one and delete Norton.

Hi guys, have you tried to report a false positive to Baidu?
http://antivirus.baidu.com/en/submit-file.php

The captcha always fails, and the email cited there as an alternative way to report returns:

** Address not found **
Your message wasn't delivered to [email protected] because the address couldn't be found or is unable to receive email.

VirusTotal replied to me that they receive regular updates, but the AV is so ridiculous that it is a DAMAGE to the reputation of VirusTotal. There is no way I can get rid of the 1/67. While IT people obviously know that 1/67 = no problem, that's not true for ordinary users, who understand 1 = danger. The VirusTotal team doesn't seem to understand this problem.

I agree and I've decided to give up on them (Baidu).
Better to spend my spare time writing (seemingly good) software than fighting a useless battle ;)

says it has Trojan:Win32/Zpevdo.A, the SHA matches what's in the archive, and I can't find a method to report it as a false positive.

I had the same problem, this website let me report it as a false positive

https://www.microsoft.com/en-us/wdsi/filesubmission

My PC with Windows 10 also detected this. Using the link supplied (thanks Mickey!) I also reported it to Microsoft and included the link to this page. Let's hope for the best...

I completely share your opinion. It is an excellent idea. I am ready to support you.

False positives plague me too, especially when you use an unknown language and compiler; I got 50% of AVs giving false positives.

http://chat-webcam-samuro.com/chat.en/antivirus.html

Hi - I reported PdfPropertyExtension to Norton today and they may have unblocked it:

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

    File name: b050917d040b9c5cd0daa699d81bc24712902c5ba300cacd28466d0ff6d20812

    MD5: 1D51172695CBFF28FDFD5DF510E3E8FE

    SHA256: B050917D040B9C5CD0DAA699D81BC24712902C5BA300CACD28466D0FF6D20812

    Note: Whitelisting may take up to 24 hours to take effect via Live Update

Thank you very much for your efforts.

I wonder if this whole story will repeat again the day I'll release next version... ;)

Have been trying various workarounds to install the file on Windows. The latest was to download it on my iPhone using an app, and send it by email. Guess what, Gmail also treats it as a virus, and essentially removes the attachment :(

I just found out about your software and plan to install it since the SHA sums check out and it clears my AV tests. I completely understand what you say about small devs and the problems with false positives.

The hashes are much appreciated and are a great way to verify integrity, but one additional step you might consider is to include PGP signatures for each downloadable file and maybe post a link to your public key on the download page. VeraCrypt's developers do this, and I think 7-zip's do too. (And I think the 7-zip installer even springs a UAC unknown publisher warning, but obviously we all still know it, love it, and trust it!)

Code signing is something I'm working on.

Well, I really don't like to pay for something (a code signing certificate) I'd use only to create free software.
And I also don't like to be "forced" to ask for money (by increasing ads, adding banners to my software, ...) to compensate for the increased build costs.

Actually I'm trying to find a way to overcome the kernel-mode signing requirements for VirtualMIDISynth, which seem to be required to install it on the upcoming Win10 2004 version.
If so, it could be the death of VMS, because a kernel-mode certificate is something really expensive that I won't pay for.

PGP is an option, but I'm not an expert on it (feel free to post some links).
I wonder how many of my users could benefit from it (you're one of the few that use SHA sums ;)).

Wow, there's a lot of hoops to jump over, and now this. What's the cost?

Last time I checked, a VeriSign certificate (now Symantec) was about $250/year!
But it was "only" a Code Signing certificate, the one that removes the warning shown when you install something.
$250 to make my name appear instead of "Unknown publisher" isn't worth the cost.

Windows driver signing is an "extension" of this: it also requires some kind of registration and approval from MS as a developer, then I need to send them my binaries for "testing" and signing (for each new version I publish)... no thanks.

I'm coding for fun and pleasure; if and when we get to that point, VMS development will stop and I'll move on to something else...

Maybe you already knew this, but the fully free option that I am proposing:

1) Generate a public/private key pair

2) Upload your public key to the key servers

3) Generate a fingerprint for your public key and publish that in one or more places

Step 3 is a substitute for paying a CA for any kind of certificate. Of course, this is not as "authentic" as filling out web forms and exchanging emails (and money) with a CA to verify your identity. It's just a simple "better than nothing" option.

You might think this is all a waste of time, and that's completely fine with me. I'm not trying to debate or twist anyone's arm. I simply saw that you had a frustration with the false positives, and tried to think of some (relatively) simple step to add maybe a *little bit* more trust to users who might be concerned. I'm really just tossing this up for consideration but not trying to get anyone to spend needless money or time.

I think that signing a binary with a self-signed certificate could increase its probability of being detected as "suspicious" by an AV...

I completely agree with you both that the hassle and cost (which I don't know) of playing Microsoft's game isn't worth it in this case.

As far as PGP, it can be zero cost. For example, GnuPG is a free implementation of OpenPGP. Since we're talking about Windows here, there's also Kleopatra, which is a nice, tidy GUI for GnuPG. Once you've got your key pair set up, you'd have to make your public key publicly available, and it appears to be easy enough to submit it to the various key servers (https://security.stackexchange.com/questions/406/how-should-i-distribute...).

But like Coolsoft said, ultimately it's hard to say how much it will really matter. I'd like to think I'm not the only person who verifies hashes; I'm sure I'm in the minority, but there must be others out there. For the security-minded, it's great to have these available for downloads. Hashes cover integrity, and the digital signature would cover identity. But at that point, I guess a cost-benefit analysis is in order. Like I said, the Microsoft approach does not seem worth it, but I originally proposed PGP since there are free options, and it shouldn't be too much effort to get up and running. And I also made the recommendation while thinking of "options that consume fewer resources than trying to convince the various AV vendors that you're legit."

I also note that I've never published keys as a software developer, so if there's some aspect I'm missing, anyone please jump in or correct me!

I've used this before (this software is a lifesaver btw) and Windows defender was fine with it. Suddenly, less than a year later, it says this is a virus. This makes me extremely sad.

Dunno if you have tried this or not, but they do have a section to submit a file as small developers.
Could be worth a shot to prevent Microsoft Defender from flagging this application.

https://www.microsoft.com/en-us/wdsi/filesubmission

I do appreciate your hard work on this app, and have used it for years and never had any issues with it until I saw Windows Defender pop up about a threat.
If I can be of any assistance in any way let me know.
I work in the IT sector and have 20+ years of programming experience under my belt.

James

Thanks for your offer ;)
I've just sent the MIDIMapper 2.0.0 setup to that link and, guess what? It was marked as clean... That's what always happens.

So I'd expect that in a day or two Windows Defender will stop marking it as suspicious; but repeating this task over and over for each new release has become unmanageable.

> I work in the IT sector and have 20+ years of programming experience under my belt.

Do you, by any chance, know a way to get a code signing certificate that doesn't cost hundreds of bucks?
Since my software is free, I won't spend that much to have a third party confirm that the software is mine (and I also don't know if it'll help with AV vendors at all).

> Thanks for your offer ;)
> I've just sent the MIDIMapper 2.0.0 setup to that link and, guess what? It was marked as clean... That's what always happens.

> So I'd expect that in a day or two Windows Defender will stop marking it as suspicious; but repeating this task over and over for each new release has become unmanageable.

Looks like Defender is not flagging it now, so that worked. Maybe you could incorporate submitting your install executable to that URL as part of your build process. You might be able to automate that submission as part of your release build, either through your IDE or through something like GitHub, etc.

> Do you, by any chance, know a way to get a code signing certificate that doesn't cost hundreds of bucks?
> Since my software is free, I won't spend that much to have a third party confirm that the software is mine (and I also don't know if it'll help with AV vendors at all).

Cheapest I found after some cursory looking is about $69-70 a year:

https://comodosslstore.com/resources/whats-the-cheapest-code-signing-certificate/

https://codesigningstore.com/