
How to Report a False Positive

Submitted by Chris Morgan on December 21, 2009 - 3:17am

If an antivirus program doesn't have a link in this list, also make sure you read the comments below; there are some helpful things there. I need to update the list.

Today someone came in to our live chat support with a false positive for Blender in McAfee. I couldn't find out how to report it. So when I finally found it, I decided to try investigating more vendors and listing links for them so that they can be put into the support pages.

I went through the list of checked software at VirusTotal. Ones I couldn't track down are struck out (if you can find a source, please add a comment and I'll add it). I haven't finished going through yet.

  • AhnLab V3
  • Antiy Labs Antiy-AVL
  • Aladdin eSafe
  • ALWIL Avast! (applies to false positives as well)
  • Authentium Command Antivirus
  • AVG
  • Avira AntiVir
  • Quick Heal
  • ClamAV
  • Comodo
  • CA Inc. Vet
  • DrWeb
  • a-squared (fp@emsisoft.com)
  • Eset Software ESET NOD32
  • Fortinet
  • FRISK Software F-Prot
  • F-Secure
  • G DATA Software GData
  • Hacksoft The Hacker
  • Hauri ViRobot
  • Ikarus Software Ikarus
  • INCA Internet nProtect
  • K7 Computing K7AntiVirus
  • Kaspersky
  • McAfee
  • Microsoft Malware Protection
  • Norman Antivirus
  • Panda Security
  • PCTools
  • Prevx Prevx1
  • Rising Antivirus Rising
  • Secure Computing SecureWeb
  • BitDefender
  • Sophos SAV
  • Sunbelt Software Antivirus
  • Symantec Norton Antivirus
  • VirusBlokAda VBA32
  • TrendMicro
  • VirusBuster

Comments

NathanJ79's picture

This is good stuff. I should link to this in the FAQ because false positives are too commonly posted.

Is there a site that allows you to upload a file to see if it is, in fact, a false positive? That would be very useful among all these links.

I've been lucky so far. I've only used AVG Free since using portable apps and have never gotten a false positive.

Chris Morgan's picture

There are two main online virus checkers with multiple scanners: VirusTotal and Jotti.

See https://portableapps.com/support#false_positive for these links and a few more details. I'm just hoping that we'll be able to polish this list up a bit and then have it as another page - portableapps.com/support/false_positive - which will be the old info plus the new links to each vendor's false-positive-reporting location.

I am a Christian and a developer and moderator here.

“A soft answer turns away wrath, but a harsh word stirs up anger.” – Proverbs 15:1

NathanJ79's picture

Thanks. What I'll do is, link to one or both of those online virus scanners, emphasize that the official apps are thoroughly checked (probably shouldn't speak for the others), and then link here for how to report false positives.

Also, didn't you say in the topic for your launcher that, going forward, your Swiss Army Knife launch-all would be used for many upcoming releases? If so, would it be a good idea to point folks to it for making their own portable apps (as opposed to just linking the field guide)?

OliverK's picture

Also, didn't you say in the topic for your launcher that, going forward, your Swiss Army Knife launch-all would be used for many upcoming releases? If so, would it be a good idea to point folks to it for making their own portable apps (as opposed to just linking the field guide)?

For stuff he does, yes. When it's official, sure. Now? I don't think so. I'm sure someone will correct me if I'm wrong.

Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world

Found an email address near the foot of the "Contact Us" page:

http://www.antiy.net/contacts/

False Positive
Email: submit@antiy.com

Submit a Sample
Submit suspicious file here:
http://cloud.antiyfx.com:8081/index_en.html

However, their email is apparently hosted by or forwards to gmail, which rejects attachments with the ZIP extension. I had intentionally encrypted the file with a password and provided the password "Harmless" in the body. Now I have resubmitted it with the extension z_p with instructions to change it back to zip.

Tim Clark's picture

Chris,

Please note that this:
http://www.mcafee.com/us/threat_center/dispute/dispute_form.asp

is not how a user reports what they believe to be a false positive to McAfee.

That is the "McAfee Detection Dispute Submission Form" and is intended for software developers to dispute McAfee's belief that their software is a virus/malware.

The actual method for McAfee users is to use "WebImmune"
https://www.webimmune.net/default.asp
[Which unfortunately requires registration]

or by e-mail submission to:
virus_research@avertlabs.com
with the file zipped and password protected [the password needs to be the word infected] and the word FALSE should be in the subject line.

Thanks for putting together this list,
Tim

Things have got to get better, they can't get worse, or can they?

Chris Morgan's picture

I had searched around quite a bit and that dispute form was the best I had found - and a (non-Adobe-employed) user had used it to report a false positive in Adobe Reader in their forum, so I figured unless I could find anything better, I'd leave it in that.

I've updated the link to http://community.mcafee.com/docs/DOC-1041 which I have since found (the keyword "webimmune" helped, thanks for that :-)).


spg SCOTT's picture

You can email them also.
This is the general response I give in the avast! forums, when discussing a false positive, don't know how you want to implement it into this list...

I'll post a link to one, save wasting space...
http://forum.avast.com/index.php?topic=48353.msg408223#msg408223

“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!” – Richard Feynman

spg SCOTT's picture

I was looking for something like that...

The 'Email to ALWIL Software' button produces another window that gives the option of 'Potential Malware' or 'False positive'

This may change somewhat, when version 5 arrives, so I'll keep an eye out for an updated version.

Ha, just realised, the one I linked to was an 'Undetected Malware' one... :D

(and obviously, 7zip portable is the one for the password protected archive ;))


spg SCOTT's picture

ESET

Fortinet

Frisk Software F-Prot
This one seems to be only undetected viruses, but you could put false positive in the comment...Couldn't find another one for that...

F-Secure

Not sure about GDATA, since they use avast's engine and another and I can't find it on the site...

Hauri ViRobot

INCA Internet nProtect

Please compress the files into a ZIP file password protected as “infected” and send us the files to isarc(@)inca(.)co(.)kr

Further information such as detailed descriptions, screenshots, and your system and browser specifications are very helpful.

Norman

Panda Security
Could only find an email address: Virus(@)pandasecurity(.)com

Bitdefender --> Could only find a forum...

Sophos

Sunbelt

Symantec
Not sure if this can be applied to false positives as well...

And after all of that, I find this: http://www.virusbtn.com/resources/cybercrime/type
It has some in there I couldn't find, I think...


Chris Morgan's picture

Thanks for filling that out.

Grr... I looked through the Virus Bulletin site at the start as I thought it would probably have something like that... I didn't find that page though :(

Wonder what I should do now. Possibly tell them that their Hauri (ViRobot) and VirusBuster links are broken...


computerfreaker's picture

Hey Chris, are you still interested in doing this? I recently started compiling my own list of FP reporting methods, and I found a couple that aren't on your list. I'd be happy to share if you're interested.

"The question I would like to know, is the Ultimate Question of Life, the Universe and Everything. All we know about it is that the Answer is Forty-two, which is a little aggravating."

computerfreaker's picture

A wiki page would be nice to have; especially since a lot of AV companies seem to hide their FP-reporting pages (I'm looking at you, Authentium), having a public resource would probably save many of us a lot of time & hair. ;)

"The question I would like to know, is the Ultimate Question of Life, the Universe and Everything. All we know about it is that the Answer is Forty-two, which is a little aggravating."

I know it's something that's been mentioned a few times and in general I think it's probably overkill for this particular website. However there are one or two resources here where it just makes sense. Case in point: This thread. :)

John T. Haller's picture

Write one comment and include them all.

Sometimes, the impossible can become possible, if you're awesome!