Antivirus false positives are a plague for small developers


In the last few weeks some antiviruses detected one of my well-known pieces of software (VirtualMIDISynth) as malicious.

These detections are false positive because:

  1. I wrote that software and I've built its setup, so I know what I've put inside it
  2. I don't like malware/adware/badware either
  3. I don't like to associate my name to something bad

That said, what other arguments do I have to support the statements above, other than my own word? Sadly, almost none!

False positives are a plague for small/independent developers like me.

I use VirusTotal to check my products with more than one AV in a shot; that's good because I can publish a link together with the download link to show its safety.
This will also indicate that I'm on the "honest" side.
But what if 1 of the 55 AV products featured by VirusTotal (at the time of writing) marks my file as suspicious?
I can say it's a false positive, because of my statements below and - also - because 1/55 is a clear indication of something wrong (or really really new ;)).
But I won't expect people to believe me (I wouldn't if I were them).

So should I dedicate part of my (few) spare time to contact AV vendors, send them samples to analyze and wait for them to remove it from their databases?
Well, I did it in the past but it was a tedious task with unpredictable results:

  • each AV vendor has its own procedure to send binary samples
  • some of them require registration
  • some others require having their AV installed and registered to send the false positive through it

Let me show a real example: VirtualMIDISynth 1.7.1 was released on May 24, 2016.
It was downloaded thousands of times without any issue; then, on June 5, it was marked as suspicious by Baidu antivirus.
I've sent a false positive report to them asking for the removal and, after a few days, it was removed.
So far so good, but after some days it came back again as a false positive, from the same AV and another one.
What now? Should I send them another (the same) sample again and again? What if another AV jumps in?
It will quickly become a nightmare...

Obviously AV vendors don't give any clue to developers on what's wrong with the file marked as suspicious, otherwise bad guys could better hide their (real) malware.
Big software companies have time, AV agreements (and lawyers) to avoid their binaries being marked as false positives: that's good because nobody likes a zealous AV marking a system file as dangerous.
But what about small ones like me? What am I supposed to do?

The answer is, sadly again, simple: nothing.
I prefer to dedicate my (few) spare time to adding features to my software instead of fixing AV databases ;)

Sorry ;)


2018-05-27 UPDATE: well known and respected developer Nirsoft published a similar post years before mine. I was not aware of it but I'm pleased we shared the same thoughts...


PS: if you believe me (and VirusTotal reports) and your AV is the only one reporting one of CoolSoft's products as bad, please help me by sending false positive reports to your AV vendor.
PS2: if you know a website I could use to easily send false-positive reports to AV vendors, please let me know in the comments below.



Unfortunately it looks like Invincea is also flagging VMS as a virus, so now the number of AV systems unnecessarily flagging VirtualMIDISynth has grown to two.

Please note that Invincea database is more than 10 days old, maybe that's why it throws a false positive.
VirusTotal should exclude not updated engines...


I suggest arranging a list on the web of the antivirus programs which frequently give false positive results. It would motivate AVs to solve this problem and would inform users of these programs about their untrustworthiness.

...I wonder if their legal offices would mind my "list".

Being the only one (on 60+ AVs) that marks a file as infected should be sufficient ;)

The vendors can sometimes be slow to respond. Most tiresome!


I'm a Chinese so I know it well.

Baidu Antivirus does not detect viruses. Baidu Antivirus ITSELF is a virus.

I honestly am a little surprised Norton wasn't the first to do this to you. Norton 360 is a quarantine/delete trigger-happy and if you download anything that isn't what you expect to see on sites that normies and nonexperienced users commonly use or from like big companies then it will destroy you. I once downloaded Open Hexagon, an open-source, easily modded remake of Super Hexagon with music by Bossfight. When i first got it everything was fine, but like 1 or 2 weeks later norton suddenly decided to flag over half of everything in the game folder with ws.reputation.1, in fact even the soundtrack. I kid you not, it claimed the soundtrack was unsafe. What the actual fk.

Thank god i still had the zip file. I managed to replace the broken assets.

Oh yeah, right. Flagging random files with "reputation" is Norton's hobby.

Funny thing is it didn't delete the open hexagon folder until seconds after i actually opened it. why didn't it detect it before? dunno. oh wait.... did Symantec troll me?

nah. But it does delete stuff it does detect to seemingly be a real virus, without permission. I checked the settings and i have it set to always ask me on literally everything. And when it asks you to restart for updates, i hit "Remind me in 24 hours" and it reminds me in 8.

Norton sucks. 

i had a decently long post but then the captcha and js system glitched and it saved everything but my comment

yay the one thing i said that was very agreeable just got destroyed...

anyway.. Norton sucks, deletes everything, always uses "ws.reputation.1" as an excuse. Sometimes it even tries to prove it and fails hilariously, when all the evidence is clearly against the claim that said file is a virus. And it deletes stuff that it thinks actually is a virus, which is good, but it does it without permission. Thanks. I checked the settings and this still happens even though (and these were the default settings, fyi) i have that set to ask me first. always.

don't buy it unless you're that paranoid or just super naive and actually need that.

If you have it, do yourself a favor and get a different one and delete Norton.

Hi guys, have you tried to report a false positive to baidu?

The captcha always fails and the email that is cited there as an alternative way to report returns:

** Address not found **
Your message wasn't delivered to [email protected] because the address couldn't be found or is unable to receive email.

VirusTotal replied to me that they receive regular updates, but the AV is so ridiculous that it is a DAMAGE to the reputation of VirusTotal. There is no way I can get rid of the 1/67. While IT people obviously know that 1/67 = no problem, that's not true for ordinary users that understand 1=danger. VirusTotal team doesn't seem to understand this problem.

I agree and I've decided to give up with them (Baidu).
Better to spend my spare time writing (seemingly good) software than trying to fight a useless battle ;)

says it has Trojan:Win32/Zpevdo.A, the SHA matches what's in the archive, and I can't find a method to report it as a false positive.

I had the same problem, this website let me report it as a false positive

My PC with Windows 10 also detected this. Using the link supplied (thanks Mickey!) I also reported it to Microsoft and included the link to this page. Let's hope for the best...

Completely I share your opinion. It is excellent idea. It is ready to support you.

False positives plague me too, especially when you use an unknown language and compiler, I got 50% of AV giving false positives.


Hi - I reported PdfPropertyExtension to Norton today and they may have unblocked it:

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:


    File name: b050917d040b9c5cd0daa699d81bc24712902c5ba300cacd28466d0ff6d20812

    MD5: 1D51172695CBFF28FDFD5DF510E3E8FE

    SHA256: B050917D040B9C5CD0DAA699D81BC24712902C5BA300CACD28466D0FF6D20812

    Note: Whitelisting may take up to 24 hours to take effect via Live Update

Thank you very much for your efforts.

I wonder if this whole story will repeat again the day I'll release next version... ;)

Have been trying various workarounds to install the file on Windows. The latest was to download it on my iPhone using an app, and send it by email. Guess what, Gmail also treats it as a virus, and essentially removes the attachment :(

I just found out about your software and plan to install it since the SHAsums check out and it clears my AV tests. Completely understand what you say about small devs and the problems with false positives.

The hashes are much appreciated and are a great way to verify integrity, but one additional step you might consider is to include PGP signatures for each downloadable file and maybe post a link to your public key on the download page. VeraCrypt's developers do this, and I think 7-zip's does too. (And I think the 7-zip installer even springs a UAC unknown publisher warning, but obviously we all still know it, love it, and trust it!)

Code signing is something I'm working on.

Well, I really don't like to pay for something (code signing certificate) I'd use only to create free software.
And I also don't like to "be forced" to ask money (by incrementing ads, adding banners to my softwares, ...) to compensate the increased build costs.

Actually I'm trying to find a way to overcome kernel-mode signing requirements for VirtualMIDISynth, which seems to be required to install it in the upcoming Win10-2004 version.
If so, it could be the VMS death because a kernel-mode certificate is something really expensive I won't pay for.

PGP is an option, but I'm not an expert about it (feel free to post some links).
I wonder how many of my users could get benefit from it (you're one of the few that uses SHAsums ;)).

Wow, there's a lot of hoops to jump over, and now this. What's the cost?

Last time I've checked a VeriSign certificate (now Symantec) was about 250$/year!
But it was "only" a Code Signing certificate, the kind that removes the warning shown when you install something.
250$ to make my name appear instead of Unknown publisher isn't worth the cost.

Windows Driver signature is an "extension" to this: it also requires some kind of registration and approval from MS as a developer, then I need to send them my binaries for "testing" and signing (for each new version I'll publish)... no thanks.

I'm coding for fun and pleasure; if and when we'll get to that point, VMS development will stop and I'll move to something else...

I completely agree with you both that the hassle and cost (which I don't know) of playing Microsoft's game isn't worth it in this case.

As far as PGP, it can be zero cost. For example, GnuPG is a free implementation of OpenPGP. Since we're talking about Windows here, there's also Kleopatra, which is a nice, tidy GUI for GnuPG. Once you've got your key pair set up, you'd have to make your public key publicly available, and it appears to be easy enough to submit to the various key servers (

But like Coolsoft said, ultimately it's hard to say how much it will really matter. I'd like to think I'm not the only person who verifies hashes; I'm sure I'm in the minority, but there must be others out there. For the security-minded, it's great to have these available for downloads. Hashes cover integrity, and the digital signature would cover identity. But at that point, I guess a cost-benefit analysis is in order. Like I said, the Microsoft approach does not seem worth it, but I originally proposed PGP since there are free options, and it shouldn't be too much effort to get up and running. And I also made the recommendation while thinking of "options that consume fewer resources than trying to convince the various AV vendors that you're legit."

I also note that I've never published keys as a software developer, so if there's some aspect I'm missing, anyone please jump in or correct me!
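The hash-plus-signature idea discussed in the comment above, sketched with GnuPG and `sha256sum` as an added example (it is not part of the original comments and not CoolSoft's release process). The file names `SHA256SUMS` and `SHA256SUMS.asc`, the function names, and the pinned-fingerprint argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. SHA256SUMS, SHA256SUMS.asc and all function names are
# hypothetical. KEY_FINGERPRINT is the publisher's 40-hex-digit primary key
# fingerprint (uppercase, no spaces), obtained from a channel other than the
# download page itself.

# Publisher: hash the release files into a checksum list.
make_checksums() {            # usage: make_checksums DIR FILE...
    dir=$1; shift
    ( cd "$dir" && sha256sum -- "$@" > SHA256SUMS )
}

# Publisher: detached, ASCII-armored signature over the checksum list.
sign_checksums() {            # usage: sign_checksums DIR KEY_FINGERPRINT
    gpg --batch --yes --local-user "$2" --armor \
        --output "$1/SHA256SUMS.asc" --detach-sign "$1/SHA256SUMS"
}

# User: integrity only. This catches corruption, but whoever can replace the
# download can usually replace a hash published next to it as well.
check_checksums() {           # usage: check_checksums DIR
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# User: identity. Accept only a valid signature made by the pinned key,
# not by just any key that happens to be in the local keyring.
check_signature() {           # usage: check_signature DIR KEY_FINGERPRINT
    gpg --batch --status-fd 1 --verify "$1/SHA256SUMS.asc" "$1/SHA256SUMS" \
        2>/dev/null |
    awk -v fpr="$2" '$2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
                     END { exit !ok }'
}

# User: check the signature first, then the hashes it vouches for.
verify_release() {            # usage: verify_release DIR KEY_FINGERPRINT
    check_signature "$1" "$2" && check_checksums "$1"
}
```

Signing the checksum list rather than each installer means one signature covers every file in a release; the public key itself is exported with `gpg --armor --export`.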

I've used this before (this software is a lifesaver btw) and Windows defender was fine with it. Suddenly, less than a year later, it says this is a virus. This makes me extremely sad.
