False positive
Recently, I released a new version of an open-source application that I develop in my spare time. It didn’t have any major changes. It was built on the same computer and compiled with the same software as usual. Yet, immediately after the release, reports started coming in. People were unable to download it. Some of them received a malware warning, while others thought that something was wrong with my server.
I assumed the worst and checked if the file on my server had been modified. It wasn’t. I tried installing it in a sandbox. Nothing suspicious. After a sigh of relief, I contacted Avast, Avira, Baidu, ESET, Kaspersky, McAfee, Microsoft, Qihoo, Rising and Symantec, submitting more than a dozen false-positive reports for the application executable, the installer and the download link.
After three days, most users could once again download and use the application without any issues. That’s great! However, the damage was done. People who had not been familiar with the application were not impressed.
The weird thing is that most of these antivirus software think that the application executable (Taiga.exe
) is safe, while labeling the installer (TaigaSetup.exe
) as a trojan. Why, and why now? Why haven’t they sounded the alarm for my previous releases, which were built with the exact same NSIS version and script?
I don’t know the answer to these questions. But, for future reference, here’s my individual experience with each company that I contacted in this endeavor:
Avast
Avast is just weird. I’m not sure if this is related to a setting, but some users claimed that my application was being blocked without any warning. This is why they assumed that my server was not working.
I sent Avast two reports, but haven’t received any replies. Yet it seems they have updated their definitions…
Avira
Avira has a nice interface for false-positive reports. While they weren’t the fastest to respond, their system is very straightforward and being able to track submissions can be useful.
About 25 hours after my report, they accepted that the “TR/Spy.ZBot.968021” classification of my software was incorrect:
File ID Filename Size (Byte) Result 28582352 TaigaSetup.exe 945.33 KB FALSE POSITIVE The file ‘TaigaSetup.exe’ has been determined to be ‘FALSE POSITIVE’. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.
Baidu
After reading the following automated response, I was hopeful:
Dear Sir or Madam,You reported a suspicious sample file to us on 2015-08-11 05:39:31. Thank you for your support. We will finish analyzing the sample within 24 hours. After 24 hours, please rescan the uploaded file. The final scan results will take precedence.
Sincerely yours,
Baidu Antivirus Team
I’m not sure how long it took, it didn’t take more than two days, but they have indeed cleared up their mistake. What bothered me, though, was their followup:
Hi,thanks for your kindly feedback.
For having a smoother communication,we registered a Baidu Antivirus Users' Forum account for you.Your password is:\*\*\*\*\*\*
You can change your password by clicking the link below
http://ours.baidu.com/forum/usercp.php?action=password==================
Welcome to Baidu Antivirus’s Forum to join other users worldwide.We are ready to help you here and would like to afford answers to your puzzles.
I can certainly forgive their less-than-perfect English, but automatically registering a forum account without my consent is not cool.
ESET
ESET’s responses were blazing fast and to the point. It took 29 minutes and 15 minutes respectively to get the results of my two separate reports. Their definitions were updated fairly soon.
Thank you for your submission.
It is a false positive of our scanner and this issue will be fixed in our next signature update.Regards,
ESET Malware Response Team
Thank you for your submission.
The site will be unblocked in the next update.Regards,
ESET Malware Response Team
Kaspersky
It took just 40 minutes for their lab to analyse the file and give a response:
Hello,Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help. Sincerely yours,
Chris Zachor,
Junior Malware analyst.
It’s impressive, but my previous experience with Kaspersky was even better: 4-minute response time!
McAfee
Their very name is off-putting, mainly due to Adobe trying to shove it down our throats with Flash updates. And I must say that this latest experience of mine didn’t help:
Automated analysis was not able to determine that this file is malware. This file is being sent for further processing and the DAT files will potentially be updated if detection of this sample is warranted.
I got this response after my initial submission. They have changed their classification of my application from “Artemis!A6E427EEE0BF” to “RDN/PWSZbot-FHN” afterwards.
The file submitted is malware that can be detected with current DAT files. It is recommended that you update your DAT and engine files and scan your computer again.
They say “the preferred method for submission is via the ServicePortal”. ServicePortal requires registration, which requires a grant number… In the end, I wasn’t able to resolve the issue with McAfee.
Microsoft
The weird thing about Microsoft Security Essentials (and Windows Defender) is that even if they don’t give you a warning for a particular file, other users with the same malware definitions can get different results. On one hand, a couple of people reported that the application was flagged as “Trojan:Win32/Skeeyah.C!plock”. On the other hand, neither me nor other users got any warning…
In any case, rather than trying to solve the mysteries of Microsoft, I submitted the file to MMPC. It took about 41 hours for Microsoft to finish their analysis and get back to me with a reply:
The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 9/5/2015 7:13:08 AM Pacific Time.
Below is the determination for your submission.Submission ID MMPC15090517953855
Submitted Files
TaigaSetup.exe [Not Malware]Your submission was scanned using antimalware definition version 1.205.1764.0.
Qihoo
Not a reputable company, according to what I’ve read. Frankly, pretty much the only reason I give a damn is because they show up in VirusTotal analysis reports. Tried my luck and filled out their false-positive form. Haven’t received any replies.
Rising
Rising, another Chinese firm, doesn’t even have a proper English website. They do have a submission page, though. I reported the file, but it didn’t work out. My application is still identified as “Trojan.Win32.Generic.18F21F3C”.
Symantec
Norton is surely up there in everyone’s list of “the most hated software of all time”. For many years, it’s been the prime example of what’s wrong with antivirus programs. To be fair, I don’t know if Symantec’s products are still the same, and I must say that their response was satisfactory:
Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:EFD2EB2C5F2DB03772E4D64914F28FE9 - Taiga.exe
The updated detection(s) will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at http://securityresponse.symantec.com/avcenter/defs.download.html
Please note that whitelisting can take up to 24 hours to take effect.
41-minute response time is pretty impressive.