Skip to content

Latest commit

 

History

History
184 lines (155 loc) · 15.4 KB

README.md

File metadata and controls

184 lines (155 loc) · 15.4 KB

False Positive Center

Repository to help security vendors deal with false positives, improving their detection engine, and centralize information for software developers making it easier to submit false positives to AV companies.

The repository lists the emails, and websites security vendors (antivirus companies) used to receive false positive reports. it's an effort to facilitate communication between software developers and security vendors.

AV companies are not responsive? Look at the bottom for additional details.

Please use pull requests to:

  • Add missing vendors
  • Update information
  • Change out-of-date information

What should be included in the email?

A few things are basically required by all security vendors, and would likely lead to better communication. So make sure your email includes the following when sent.

  • The detection name
  • Product (when applicable, some vendors have multiple different AV product at virus total, list which produced the detection)
  • The VirusTotal link, or OPSWAT

VirusTotal (Important)

A flagged detection on virustotal does not mean, that the commercial version of that security vendor will detect/flag the file the same way. Security vendors usually configure their VirusTotal implementation to be more sensitive/differently than their actual product

Quote from this VirusTotal Q&A

  • VirusTotal's antivirus engines are command line versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioral analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
  • In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
  • Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration.

[*] Emphases not present in the original text and added for clarity.

Antivirus Contact Info For False Positives

In addition to the information in the table below, VirusTotal also has their own listing of contact information for antivirus companies. You can find it here.

ENGINE Contact
360 kefu@360.cn, https://open.soft.360.cn/report.php, http://sampleup.sd.360.cn/
Acronis virustotal-falsepositive@acronis.com
Ad-Aware (Lavasoft) https://www.adaware.com/report-false-positives, malware.labs@adaware.com
Agnitum trojans@agnitum.com
AhnLab-V3 v3sos@ahnlab.com (recommended), e-support@ahnlab.com, samples@ahnlab.com
AlphaMountain ai https://www.alphamountain.ai/contact/ or support@alphamountain.freshdesk.com
Alibaba antivirus@alibabacloud.com (discussion), virustotal@list.alibaba-inc.com
ALYac (ESTsecurity) esrc@estsecurity.com
Antiy-AVL support@antiy.cn, avlsdk_support@antiy.cn
Arcabit vt.fp@arcabit.pl or virus@arcabit.com
Avast https://www.avast.com/report-false-positive, virus@avast.com, DL-Virus@gendigital.com
Avira (no cloud) https://www.avira.com/en/analysis/submit, novirus@avira.com
AVG https://www.avg.com/false-positive-file-form, https://www.avg.com/us-en/whitelist, http://www.avg.com/submit-sample
Babable obu@babable.com
Baidu bav@baidu.com, gaoyingchun@baidu.com
BitDefender https://www.bitdefender.com/consumer/support/answer/40673/, virus_submission@bitdefender.com, oemsamples@bitdefender.com
Bkav Pro fpreport@bkav.com, bkav@bkav.com
ByteHero bytehero@163.com
Certego https://www.certego.net/en/contatti/, fp@certego.net
ClamAV https://www.clamav.net/reports/fp
Clean-MX abuse@clean-mx.de
CMC PSIRT@cmccybersecurity.com, vulambang@cmcinfosec.com, support.is@cmclab.net
CRDF Labs https://threatcenter.crdf.fr/false_positive.html
CrowdStrike Falcon VTscanner@crowdstrike.com
CyanSecurity virustotal@cyansecurity.com
Cybereason vt-feedback@cybereason.com
Cylance cylancefilesubmit@cylance.com, cylancefilesubmit@blackberry.com, General instructions for submission
Cynet soc@cynet.com
CyRadar virustotal@cyradar.com
Cyren support@cyren.com, Instructions: https://www.cyren.com/support/reporting-av-misclassifications
DeepInstinct info@deepinstinct.com
DNS8 dns8@layer8.pt
DrWeb https://vms.drweb.com/sendvirus/, vms@drweb.com
eGambit (TEHTRIS) https://tehtris.com/en/false-positives-false-negatives/
Elastic https://docs.google.com/forms/d/e/1FAIpQLSd2WQ-o7Y31Hf1PKvdxxd1iMNSxkoBth1cVDJZRuXuAmaD3rg/viewform, https://discuss.elastic.co/t/submitting-false-positives/232322
Emsisoft submit@emsisoft.com or fp@emsisoft.com (false positives), https://www.emsisoft.com/en/help/contact/
Endgame info@endgame.com
eScan (Microworld) samples@escanav.com, http://support.mwti.net/support/index.php?/Tickets/Submit/
ESET-NOD32 samples@eset.com, (more information here)
F-Prot viruslab@f-prot.com
F-Secure/WithSecure https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample, spyware-samples@f-secure.com, vsamples@f-secure.com
Filseclab fp@filseclab.com
Forcepoint (websense) suggest@forcepoint.com or https://support.forcepoint.com/s/article/000012884, File Submission Tool, URL Submission Tool
Fortinet submitvirus@fortinet.com, https://www.fortiguard.com/faq/classificationdispute, http://www.fortinet.com/support/contact_support.html
GData https://www.gdata.de/help/en/general/GeneralInformation/submitFileAppURL, https://www.gdata.de/help/en/general/AllgemeineFragen/DateiURLAppEinsenden
Google google-at-virustotal@google.com, https://safebrowsing.google.com/safebrowsing/report_error/?hl=en or go through this process, First upload the file to Google Drive (Preferably don't use your main account). Once uploaded, if the file was identified it will be flagged, right-click on the file and select Open With -> Preview. Google Drive will display 'This file looks suspicious. It is visible only to the owner.' alert, click request a review. On the Request a review page, click the Request file review button at the bottom of the page. Demo Video
Gridinsoft virus@gridinsoft.com, antimalware@gridinsoft.com, https://gridinsoft.com/incorrect-detection
Hacksoft virus@hacksoft.com.pe
Hauri viruslab@hauri.co.kr
Huorong seclab@huorong.cn
Ikarus fp@ikarus.at, samples@ikarus.at, false-positive@ikarus.at
Invincea info@invincea.com
Jiangmin support@jiangmin.com, shaojia@jiangmin.com
K7 (K7GW) reportfp@labs.k7computing.com, k7viruslab@labs.k7computing.com, support@k7computing.com, https://support.k7computing.com/index.php?/ticket/submit-ticket
Kaspersky https://opentip.kaspersky.com/, newvirus@kaspersky.com, or https://support.kaspersky.com/b2c/il#contacts (OS > Application > Malware > False positive > Continue to contact support button > Upload file)
Kingsoft (Cheetah) ti@mingting.cn
Lionic (AegisLab) support@aegislab.com, https://www.lionic.com/reportfp
Malwarebytes https://forums.malwarebytes.com/forum/122-false-positives/, https://support.malwarebytes.com/hc/en-us/articles/360038524154-Report-a-false-positive-to-Malwarebytes-Support or for clients https://support.malwarebytes.com/hc/en-us/requests/new (Issue type > Product help > False-positive).
Malwares.com (Saint Security) kog@stsc.com
MAX (SaintSecurity) root@malwares.com
MaxSecure tech@maxpcsecure.com
McAfee https://www.mcafee.com/support/s/article/000001921, virus_research@mcafee.com, virus_research@avertlabs.com instructions for email submissions here
McAfee-GW-Edition datasubmission@mcafee.com
Microsoft Windows Defender https://www.microsoft.com/en-us/wdsi/filesubmission
NANO-Antivirus https://www.nanoav.ru/index.php?option=com_content&view=article&id=15&Itemid=83&lang=en, false@nanoav.ru
Netcraft https://report.netcraft.com/report/mistake
Norton https://submit.norton.com
nProtect (Inca) virus_info@inca.co.kr
Palo Alto Networks vt-pan-false-positive@paloaltonetworks.com
Panda falsepositives@pandasecurity.com, virussamples@pandasecurity.com
Phising Database https://github.com/mitchellkrogza/Phishing.Database#please-remove-my-domain-from-this-list-
Qihoo-360 support@360safe.com, https://www.360totalsecurity.com/en/suspicion/false-positive/
QuickHeal viruslab@quickheal.com, OEMENGINE@quickheal.com, support@quickheal.com, https://techsupport.quickheal.com/report-an-issue/false-positive
Rising fp@rising.com.cn, http://mailcenter.rising.com.cn/filecheck_en/
RocketCyber support@rocketcyber.com
Sangfor Engine Zero To report false positives follow their instruction guide
Scrutiny training@cyberstanc.com
Seclookup info@seclookup.com
SecureAge APEX https://www.secureage.com/support/report-false-positive
SentinelOne (Static ML) report@sentinelone.com
Skyhigh (SWG) Use the Avira Process, or email virus_research_gateway@avertlabs.com
Sophos samples@sophos.com, https://support.sophos.com/support/s/filesubmission, for email submission/other options see this article
Spamhaus https://www.spamhaus.org/dbl/removal/form/
Symantec (Broadcom) https://symsubmit.symantec.com/, false.positives@broadcom.com
Systweak http://support.systweak.com/kayako/index.php?/Tickets/Submit
Tachyon isarc@inca.co.kr (Password Protected zip file include detection name)
Tencent TAVfp@tencent.com
TheHacker virus@hacksoft.com.pe, falsopositivo@hacksoft.com.pe
Trapmine fp@trapmine.com (Concluding operations December 31)
Trellix (FireEye) https://kcm.trellix.com/corporate/index?page=content&id=KB85567
TrendMicro https://www.trendmicro.com/en_us/about/legal/detection-reevaluation.html, virus_doctor@trendmicro.com, https://helpcenter.trendmicro.com/en-us/srf/
Trustlook bd@trustlook.com
Trustwave ADavidi@trustwave.com, https://support.trustwave.com/virustotal-detection-review/
Varist SampleFP@avsubmit.com , support@varist.com, virus@avsubmit.com, virustotal@viritpro.com,
VBA32 feedback@anti-virus.by, support-en@anti-virus.by
VIPRE https://helpdesk.vipre.com/hc/en-us/requests/new
VirusDie partners@virusdie.com
VirIT http://www.tgsoft.it/italy/file_sospetti.asp
Webroot http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx, https://www.webroot.com/us/en/business/support/vendor-dispute-contact-us
Webroot SMD https://www.brightcloud.com/tools/file-change-request.php
Xcitium (Comodo) https://www.comodo.com/home/internet-security/submit.php, malwaresubmit@avlab.comodo.com, security@xcitium.com, support@xcitium.com, https://forum.xcitium.com/
XVirus samples@xvirus.net, https://xvirus.net/submit
Yandex yandex-antivir@support.yandex.ru
Yomi yomi-false-positives@yoroi.company
Zillya virus@zillya.com , https://zillya.com/support, help@zillya.com
ZoneAlarm by Check Point zonealarm_VT_reports@checkpoint.com
Zoner false@zonerantivirus.com

Antivirus Vendors Whitelisting programs

To decrease the chance of false positives you can consider submitting your program to a Antivirus companies whitelisting program, In the list below (just started 30th January contributions encouraged), Most programs require registration and a manual approval process.

ENGINE Link To Whitelisting Program / Allowlist Program
Avast https://support.avast.com/en-ww/article/229/
AVG https://support.avg.com/SupportArticleView?l=en&urlname=AVG-Threat-Lab-file-whitelist
eset https://support.eset.com/en/kb3345-how-do-i-whitelist-my-software-with-eset
Kaspersky https://www.kaspersky.com/partners/allowlist-program
McAfee https://service.mcafee.com/?locale=en-US&articleId=TS102751&fromSearch=true&page=shell&shell=article-view
Semantic (Norton) Whitelisting Program Discontinued

AV companies are not responsive?

There could be a scenario where an antivirus/security company is not responsive, but to be sure that the issue is not on your end (especially if you're sending emails from your own domain). Check that your DNS records are set up correctly for good deliverability. Add an SPF, DKIM, and DMARC to your DNS records. Some AV companies may ignore emails that are not set up correctly, and some will send a response email with an error, depending on how the individual company is setup.

To check if your DNS is configured correctly, as well as SPF, DKIM, and DMARC, use the Google Check MX tool.

To do a final verification if the email was verified correctly in SPF, DKIM, and DMARC, send an email to a secondary email account and take a look at the full record to see if it passed. You're looking for this:

EmailPass

If you did find an error in your configuration, consider resending the emails you already sent before the fix.

TIP: while SPF, and DKIM are relatively simple to setup, you can speed up the DMARC setup by searching for DMARC generator with your favorite search engine, to use a wizard to generate it instead of doing it manually.

Special thanks

Ana Tinoco from VirusTotal support, and the VirusTotal support team for making the initial contact information list. The hope of creating better communication between software developers and security vendors.

Final notes

While I tried to maintain the accuracy of the information here to the best of my ability, it may be that you encounter inaccuracies as things naturally change over time. If you do find any inaccuracies I encourage you to use a pull request, report an issue, or sending me a message.

Other important resources

Certification requirements for windows desktop apps - (article by Microsoft to make sure you're covering the basics) https://docs.microsoft.com/en-us/windows/win32/win_cert/certification-requirements-for-windows-desktop-apps