Skip to content

Repository to help security vendors deal with false positives

Notifications You must be signed in to change notification settings

yaronelh/False-Positive-Center

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 

Repository files navigation

False Positive Center

Repository to help security vendors deal with false positives, improving their detection engine, and centralize information for software developers making it easier to submit false positives to AV companies.

The repository lists the emails, and websites security vendors (antivirus companies) used to receive false positive reports. it's an effort to facilitate communication between software developers and security vendors.

AV companies are not responsive? Look at the bottom for additional details.

Please use pull requests to:

  • Add missing vendors
  • Update information
  • Change out-of-date information

What should be included in the email?

A few things are basically required by all security vendors, and would likely lead to better communication. So make sure your email includes the following when sent.

  • The detection name
  • Product (when applicable, some vendors have multiple different AV product at virus total, list which produced the detection)
  • The VirusTotal link, or OPSWAT

VirusTotal (Important)

A flagged detection on virustotal does not mean, that the commercial version of that security vendor will detect/flag the file the same way. Security vendors usually configure their VirusTotal implementation to be more sensitive/differently than their actual product

Quote from this VirusTotal Q&A

  • VirusTotal's antivirus engines are command line versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioral analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
  • In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
  • Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration.

[*] Emphases not present in the original text and added for clarity.

Antivirus Contact Info For False Positives

In addition to the information in the table below, VirusTotal also has their own listing of contact information for antivirus companies. You can find it here.

ENGINE Contact
360 [email protected], https://open.soft.360.cn/report.php, http://sampleup.sd.360.cn/
Acronis [email protected]
Ad-Aware (Lavasoft) https://www.adaware.com/report-false-positives, [email protected]
Agnitum [email protected]
AhnLab-V3 [email protected] (recommended), [email protected], [email protected]
AlphaMountain ai https://www.alphamountain.ai/contact/ or [email protected]
Alibaba [email protected] (discussion), [email protected]
ALYac (ESTsecurity) [email protected]
Antiy-AVL [email protected], [email protected]
Arcabit [email protected] or [email protected]
Avast https://www.avast.com/report-false-positive, [email protected], [email protected]
Avira (no cloud) https://www.avira.com/en/analysis/submit, [email protected]
AVG https://www.avg.com/false-positive-file-form, https://www.avg.com/us-en/whitelist, http://www.avg.com/submit-sample
Babable [email protected]
Baidu [email protected], [email protected]
BitDefender https://www.bitdefender.com/consumer/support/answer/40673/, [email protected], [email protected]
Bkav Pro [email protected], [email protected]
ByteHero [email protected]
Certego https://www.certego.net/en/contatti/, [email protected]
ClamAV https://www.clamav.net/reports/fp
Clean-MX [email protected]
CMC [email protected], [email protected], [email protected]
CRDF Labs https://threatcenter.crdf.fr/false_positive.html
CrowdStrike Falcon [email protected]
CyanSecurity [email protected]
Cybereason [email protected]
Cylance [email protected], [email protected], General instructions for submission
Cynet [email protected]
CyRadar [email protected]
Cyren [email protected], Instructions: https://www.cyren.com/support/reporting-av-misclassifications
DeepInstinct [email protected]
DNS8 [email protected]
DrWeb https://vms.drweb.com/sendvirus/, [email protected]
eGambit (TEHTRIS) https://tehtris.com/en/false-positives-false-negatives/
Elastic https://docs.google.com/forms/d/e/1FAIpQLSd2WQ-o7Y31Hf1PKvdxxd1iMNSxkoBth1cVDJZRuXuAmaD3rg/viewform, https://discuss.elastic.co/t/submitting-false-positives/232322
Emsisoft [email protected] or [email protected] (false positives), https://www.emsisoft.com/en/help/contact/
Endgame [email protected]
eScan (Microworld) [email protected], http://support.mwti.net/support/index.php?/Tickets/Submit/
ESET-NOD32 [email protected], (more information here)
F-Prot [email protected]
F-Secure/WithSecure https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample, [email protected], [email protected]
Filseclab [email protected]
Forcepoint (websense) [email protected] or https://support.forcepoint.com/s/article/000012884, File Submission Tool, URL Submission Tool
Fortinet [email protected], https://www.fortiguard.com/faq/classificationdispute, http://www.fortinet.com/support/contact_support.html
GData https://www.gdata.de/help/en/general/GeneralInformation/submitFileAppURL, https://www.gdata.de/help/en/general/AllgemeineFragen/DateiURLAppEinsenden
Google [email protected], https://safebrowsing.google.com/safebrowsing/report_error/?hl=en or go through this process, First upload the file to Google Drive (Preferably don't use your main account). Once uploaded, if the file was identified it will be flagged, right-click on the file and select Open With -> Preview. Google Drive will display 'This file looks suspicious. It is visible only to the owner.' alert, click request a review. On the Request a review page, click the Request file review button at the bottom of the page. Demo Video
Gridinsoft [email protected], [email protected], https://gridinsoft.com/incorrect-detection
Hacksoft [email protected]
Hauri [email protected]
Huorong [email protected]
Ikarus [email protected], [email protected], [email protected]
Invincea [email protected]
Jiangmin [email protected], [email protected]
K7 (K7GW) [email protected], [email protected], [email protected], https://support.k7computing.com/index.php?/ticket/submit-ticket
Kaspersky https://opentip.kaspersky.com/, [email protected], or https://support.kaspersky.com/b2c/il#contacts (OS > Application > Malware > False positive > Continue to contact support button > Upload file)
Kingsoft (Cheetah) [email protected]
Lionic (AegisLab) [email protected], https://www.lionic.com/reportfp
Malwarebytes https://forums.malwarebytes.com/forum/122-false-positives/, https://support.malwarebytes.com/hc/en-us/articles/360038524154-Report-a-false-positive-to-Malwarebytes-Support or for clients https://support.malwarebytes.com/hc/en-us/requests/new (Issue type > Product help > False-positive).
Malwares.com (Saint Security) [email protected]
MAX (SaintSecurity) [email protected]
MaxSecure [email protected]
McAfee https://www.mcafee.com/support/s/article/000001921, [email protected], [email protected] instructions for email submissions here
McAfee-GW-Edition [email protected]
Microsoft Windows Defender https://www.microsoft.com/en-us/wdsi/filesubmission
NANO-Antivirus https://www.nanoav.ru/index.php?option=com_content&view=article&id=15&Itemid=83&lang=en, [email protected]
Netcraft https://report.netcraft.com/report/mistake
Norton https://submit.norton.com
nProtect (Inca) [email protected]
Palo Alto Networks [email protected]
Panda [email protected], [email protected]
Phising Database https://github.com/mitchellkrogza/Phishing.Database#please-remove-my-domain-from-this-list-
Qihoo-360 [email protected], https://www.360totalsecurity.com/en/suspicion/false-positive/
QuickHeal [email protected], [email protected], [email protected], https://techsupport.quickheal.com/report-an-issue/false-positive
Rising [email protected], http://mailcenter.rising.com.cn/filecheck_en/
RocketCyber [email protected]
Sangfor Engine Zero To report false positives follow their instruction guide
Scrutiny [email protected]
Seclookup [email protected]
SecureAge APEX https://www.secureage.com/support/report-false-positive
SentinelOne (Static ML) [email protected]
Skyhigh (SWG) Use the Avira Process, or email [email protected]
Sophos [email protected], https://support.sophos.com/support/s/filesubmission, for email submission/other options see this article
Spamhaus https://www.spamhaus.org/dbl/removal/form/
Symantec (Broadcom) https://symsubmit.symantec.com/, [email protected]
Systweak http://support.systweak.com/kayako/index.php?/Tickets/Submit
Tachyon [email protected] (Password Protected zip file include detection name)
Tencent [email protected]
TheHacker [email protected], [email protected]
Trapmine [email protected] (Concluding operations December 31)
Trellix (FireEye) https://kcm.trellix.com/corporate/index?page=content&id=KB85567
TrendMicro https://www.trendmicro.com/en_us/about/legal/detection-reevaluation.html, [email protected], https://helpcenter.trendmicro.com/en-us/srf/
Trustlook [email protected]
Trustwave [email protected], https://support.trustwave.com/virustotal-detection-review/
Varist [email protected] , [email protected], [email protected], [email protected],
VBA32 [email protected], [email protected]
VIPRE https://helpdesk.vipre.com/hc/en-us/requests/new
VirusDie [email protected]
VirIT http://www.tgsoft.it/italy/file_sospetti.asp
Webroot http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx, https://www.webroot.com/us/en/business/support/vendor-dispute-contact-us
Webroot SMD https://www.brightcloud.com/tools/file-change-request.php
Xcitium (Comodo) https://www.comodo.com/home/internet-security/submit.php, [email protected], [email protected], [email protected], https://forum.xcitium.com/
XVirus [email protected], https://xvirus.net/submit
Yandex [email protected]
Yomi [email protected]
Zillya [email protected] , https://zillya.com/support, [email protected]
ZoneAlarm by Check Point [email protected]
Zoner [email protected]

Antivirus Vendors Whitelisting programs

To decrease the chance of false positives you can consider submitting your program to a Antivirus companies whitelisting program, In the list below (just started 30th January contributions encouraged), Most programs require registration and a manual approval process.

ENGINE Link To Whitelisting Program / Allowlist Program
Avast https://support.avast.com/en-ww/article/229/
AVG https://support.avg.com/SupportArticleView?l=en&urlname=AVG-Threat-Lab-file-whitelist
eset https://support.eset.com/en/kb3345-how-do-i-whitelist-my-software-with-eset
Kaspersky https://www.kaspersky.com/partners/allowlist-program
McAfee https://service.mcafee.com/?locale=en-US&articleId=TS102751&fromSearch=true&page=shell&shell=article-view
Semantic (Norton) Whitelisting Program Discontinued

AV companies are not responsive?

There could be a scenario where an antivirus/security company is not responsive, but to be sure that the issue is not on your end (especially if you're sending emails from your own domain). Check that your DNS records are set up correctly for good deliverability. Add an SPF, DKIM, and DMARC to your DNS records. Some AV companies may ignore emails that are not set up correctly, and some will send a response email with an error, depending on how the individual company is setup.

To check if your DNS is configured correctly, as well as SPF, DKIM, and DMARC, use the Google Check MX tool.

To do a final verification if the email was verified correctly in SPF, DKIM, and DMARC, send an email to a secondary email account and take a look at the full record to see if it passed. You're looking for this:

EmailPass

If you did find an error in your configuration, consider resending the emails you already sent before the fix.

TIP: while SPF, and DKIM are relatively simple to setup, you can speed up the DMARC setup by searching for DMARC generator with your favorite search engine, to use a wizard to generate it instead of doing it manually.

Special thanks

Ana Tinoco from VirusTotal support, and the VirusTotal support team for making the initial contact information list. The hope of creating better communication between software developers and security vendors.

Final notes

While I tried to maintain the accuracy of the information here to the best of my ability, it may be that you encounter inaccuracies as things naturally change over time. If you do find any inaccuracies I encourage you to use a pull request, report an issue, or sending me a message.

Other important resources

Certification requirements for windows desktop apps - (article by Microsoft to make sure you're covering the basics) https://docs.microsoft.com/en-us/windows/win32/win_cert/certification-requirements-for-windows-desktop-apps

About

Repository to help security vendors deal with false positives

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published