. Wholesale importing hash and database signatures from online sources, without doing proper analysis or verification
. Falsely identifying clean or non-dangerous files as malware to artificially boost Anti-Virus sales or give unsuspecting customers false confidence
. False identification does a disservice to the entire Anti-Virus industry, and can arguably be a form of fraud or a bad business practice
. False-positives decrease customer confidence in the quality of the product and validity of scan results
To combat this situation, here is a list of Anti-Virus online false-positive submission sites (and some e-mail addresses). Google's VirusTotal list uses these major players. The advantage is that if an .exe is falsely identified, we can rapidly submit to many major Anti-Virus companies to have it properly tested and cleared.
. Microsoft Online Submission for False-Positives: https://www.microsoft.com/en-us/wdsi/filesubmission
Note- Most people will need to select "Home customer" and then "Continue". The site will then give tracking of Microsoft's decision.
. McAfee Online Submission for False-Positives: https://www.mcafee.com/enterprise/en-us/threat-center/detection-dispute-form.html?region=us
Note- Can also send disputed/false-positive files to their e-mail address: virus_research[at]avertlabs.com and virus_research_gateway[at]avertlabs.com
. Comodo Online Submission for False-Positives: https://www.comodo.com/home/internet-security/submit.php
. Avast Online Submission for False-Positives: https://www.avast.com/en-us/false-positive-file-form.php
. Avira Online Submission for False-Positives: https://analysis.avira.com/en/submit
. Bitdefender Online Submission for False-Positives: https://www.bitdefender.com/submit/
. AVG Online Submission for False-Positives: https://www.avg.com/en-us/false-positive-file-form
. Trend Micro Online Submission for False-Positives: https://www.trendmicro.com/en_ph/about/legal/detection-reevaluation.html
. Spybot Search & Destroy Online Submission for False-Positives: https://www.safer-networking.org/support/
. G DATA or G-Data Online Submission for False-Positives: https://su.gdatasoftware.com/us/sample-submission/
. VIPRE or ThreatTrack Online Submission for False-Positives: https://www.vipre.com/support/submit-false-positive/
. SecureAge APEX or SecureAPlus Online Submission for False-Positives: https://www.secureaplus.com/features/antivirus/report-false-positive/
. ClamAV and Immunet Online Submission for False-Positives: http://www.immunet.com/false_positive
Note- These products are tied to Cisco, so their impact should not be underestimated.
. Norton or Symantec or Blue Coat Online Submission: https://symsubmit.symantec.com
Note 1- You must choose the option of Incorrectly Detected by Symantec at the top
Note 2- You must fill out their form, which has multiple questions before the submission step
. Aegislab Online Submission for False-Positives: https://aegislab.com/Support/
Note- Taiwan based company on Google's VirusTotal list, where you might have to add an exception (at least temporarily) for their SSL certificate
. K7 or K7AntiVirus Online Submission for False-Positives: https://support.k7computing.com/index.php?/ticket/submit-ticket
Note- Choose False Positive under "Category". And it's best to put "False Positive: file being detected by K7" for "Subject"
. eGambit Online Submission for False-Positives: https://tehtris.com/egambit_fp.php
Note- They may ask for more details or follow-up questions.
. Rising Anti-virus Online Submission for False-Positives: http://mailcenter.rising.com.cn/filecheck_en/
Note- Chinese company. English support limited.
. Qihoo or 360 Safeguard Online Submission for False-Positives: http://www.360totalsecurity.com/en/suspicion/false-positive/
Note- Chinese company; on VirusTotal. English support. Also known for controversies over certification and its detection engine.
. VirusTotal Online contact form. https://www.virustotal.com/gui/contact-us
Note- Can send feedback/complaints about ratings, companies, and false-positives. Select the correct subject.
My site/file has been improperly flagged as harmful (false positive)
Note- With Sophos, you have to specifically clarify that you are reporting a false-positive.
"Why do you want to send this sample?" section.
This file, thefile.exe, has been falsely detected as malware by Sophos. I want thefile.exe removed from your list.
Note- With F-Secure you also have to specifically clarify that you are reporting a false-positive.
"I want to give more details about this sample and to be notified of the analysis results" click check box
This file, thefile.exe, has been falsely detected as malware by F-Secure. I want thefile.exe removed from your list.
Note- With F-Prot or Cyren you also have to specifically clarify that you are reporting a false-positive.
"I think is falsely classified as malware" Misclassification Reason*
This file, thefile.exe, has been falsely detected as malware by F-Prot or Cyren. I want thefile.exe removed from your list.
Note- Russian based company with English support. Need to specifically clarify that you are reporting a false-positive.
"False Detection under" Theme*
Note- Online customer support form with no attachment, have to send complaint first, then respond to email they send.
Select- "VirusTotal Feedback" for Type*
Note- Ukrainian company that provides English support. Need to specifically clarify that you are reporting a false-positive
I'm reporting about a false-positive.
Note- Czech based company with English support.
Online customer support form with no attachment, have to send complaint first, then respond to email they send.
I'm reporting about a false-positive.
Note 1- Online customer support form with no attachment, have to send complaint first, then respond to email they send.
Note 2- On the online form, you can send them a download link of where the files you want them to see are located.
You must specifically state in the message that you are reporting a false-positive.
I'm reporting about a false-positive.
Note 1- Can also send false-positive files to their e-mail address: support[at]quttera.com
Note 2- No attachment, will open a ticket first. Send complaint first, then respond to email they send.
You must choose the correct Help Topic for reporting a false-positive.
Report A Problem/Report A False-Positive
Note- Appears to be German company. English support questionable. Odd player that Google somehow lists on VirusTotal. Online customer support form in German only, with no attachment, have to send complaint first, then respond to email they send. You may need to send 2 complaints, one in English, the other in German (using Google Translate) to get a response. You must specifically state in the message that you are reporting a false-positive.
I'm reporting about a false-positive.
Note- Russian company. Responsiveness to reporting false positives a known issue. Probably best to e-mail both addresses. Suggested format to submit below:
To: info[at]kaspersky.com
cc: newvirus[at]kaspersky.com
Subject: False Positive: file being detected by Kaspersky
Email body text:
Could you please check the attached file, as I think it is a false detection. Here are my product details:
Product:
Engine:
Description of issue: This file has been falsely detected as malware
Note- Probably best to e-mail both addresses. Suggested format to submit below:
To: support[at]pandasecurity.com
cc: falsepositives[at]pandasecurity.com
Subject: False Positive: file being detected by Panda
Email body text:
Could you please check the attached file, as I think it is a false detection. Here are my product details:
Product:
Engine:
Description of issue: This file has been falsely detected as malware
Note- Should be submitted in the below format
To: fp[at]emsisoft.com
Subject: False Positive: file being detected by Emsisoft
Email body text:
Could you please check the attached file, as I think it is a false detection. Here are my product details:
Product:
Engine:
Description of issue: This file has been falsely detected as malware
Note- Should be submitted in the below format
To: samples[at]eset.com
Subject: False Positive: file being detected by ESET
Email body text:
Could you please check the attached file, as I think it is a false detection. Here are my product details:
Product:
Engine:
Description of issue: This file has been falsely detected as malware
Note- Needs to be submitted in the below format.
To: virus_research[at]avertlabs.com
cc: virus_research_gateway[at]avertlabs.com
Subject: FALSE: file being detected by McAfee.
Email body text:
Could you please check the attached file, as I think it is a false-positive detection. Here are my product details:
Product: McAfee Security Center 16.0 (Example- put in correct info)
Engine: 3181.0 (Example- put in correct info)
Description of issue: This file has been detected as malware
To: datasubmission[at]mcafee.com
Subject: Files for false positive testing by McAfee
Email body text:
I'm a developer that wishes to include my files in your False Positive Test Rig. Can you please give me additional instructions and a link for uploading.
Note- You can also send comments or open a help ticket at https://helpdesk.quttera.com/open.php
To: support[at]quttera.com
Subject: False Positive: file being detected by Quttera
Email body text:
Could you please check the attached file, as I think it is a false-positive detection.
Description of issue: This file has been falsely detected as malware
Note- If you have complaints or comments, can use https://www.adminuslabs.net/Contact.html
E-mail with attachment should be submitted in the below format
To: falsepositive[at]adminuslabs.net
Subject: False Positive: file being detected by ADMINUSLabs
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
E-mail with attachment should be submitted in the below format
To: virustotal-falsepositive[at]acronis.com
Subject: False Positive: file being detected by Acronis scanner
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
Note- LightCyber is a malware detection engine used by Palo Alto. This company is a VirusTotal contributor
E-mail with attachment should be submitted in the below format
To: lightcyber-support[at]paloaltonetworks.com
Subject: False Positive: file being detected by Palo Alto product
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
E-mail with attachment should be submitted in the below format
To: support[at]ikarus.at
Subject: False Positive: file being detected by Ikarus product
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
E-mail with attachment should be submitted in the below format
To: support-en[at]anti-virus.by
Subject: False Positive: file being detected by VirusBlokAda product
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
E-mail with attachment should be submitted in the below format
To: support[at]trapmine.com
cc: info[at]trapmine.com
Subject: False Positive: file being detected by a Trapmine product
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
E-mail with attachment should be submitted in the below format
To: report[at]sentinelone.com
cc: support[at]sentinelone.com
Subject: False Positive: file being detected by the SentinelOne product
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
Note- Vietnamese company, but does provide some English service and support.
E-mail with attachment should be submitted in the below format
To: bkav[at]bkav.com.vn
cc: DuAn[at]bkav.com
Subject: False Positive: file being detected by a Bkav product
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
Note- Chinese company. You might also want to send a 2nd Google Translate version of the e-mail in Chinese.
E-mail with attachment should be submitted in the below format
To: support[at]jiangmin.com
cc: whitelist[at]jiangmin.com
Subject: False Positive: file being detected by a Jiangmin product
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
Note- Chinese company. Appears to provide English support.
E-mail with attachment should be submitted in the below format
To: support[at]antiy.cn
Subject: False Positive: file being detected by an Antiy product
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
E-mail with attachment should be submitted in the below format
To: VTscanner[at]crowdstrike.com
cc: support[at]crowdstrike.com
Subject: False Positive: file being detected by a CrowdStrike product
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
E-mail with attachment should be submitted in the below format
To: investigations[at]mandiant.com
cc: support[at]mandiant.com
Subject: False Positive: file being detected by a FireEye product
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
Note- Appears to be an Italian company using Japanese names
E-mail with attachment should be submitted in the below format
To: info[at]yoroi.company
Subject: False Positive: file being detected by a Yoroi product
Email body text:
Could you please check the attached file, as I think it is a false detection.
Description of issue: This file has been falsely detected as malware
Note- This organization is related to Google, VirusTotal, and Mozilla's Firefox. Their opinions or decisions can have a major impact.
. Check Point or Zone Alarm Online trouble ticket or chat: https://www.checkpoint.com/support-services/contact-support/
Note- This is a problematic system, where people are forced to sign-up, then you have to open a ticket or do a chat.
Otherwise, you can call them by phone, but obviously you won't be able to send attachments that way.
. Malwarebytes Online Forum Review: https://forums.malwarebytes.com/forum/122-false-positives/
Note- This is a problematic system, where people are forced to sign-up, before making a report about their product. However, their product is famous.