Users of almost any serious software protection system will sometimes get false detections (false positive detections) from various antivirus software vendors. What is a false detection? It is simply an antivirus product wrongly detecting some kind of virus in protected files…
Why Do False Detections Appear?
It is difficult to name a single main reason for false positive detections, but the usual ones are the following:
- One of the main purposes of a protection system is to make the application harder to analyze, reverse engineer and crack. Malware (virus) authors also very often use protection systems to make their viruses difficult to analyze. So antivirus software vendors sometimes wrongly detect a virus in any protected file, for example if there have been a lot of protected viruses in recent days.
- The heuristic and generic analyzers of antivirus software may often fail, because they are automated, and automated detection cannot give a 100% accurate result.
- Simple error by antivirus software engineers, who may analyze a protected file incorrectly and detect a virus in it.
Is There Any Way to Stop False Detection?
Yes, there is a way to avoid false detection. If a false detection appears, you need to send a file sample to the antivirus research team and ask them to solve the problem. Usually the specialists reply quickly and are glad to help. In our experience, if you send a file sample today, tomorrow’s database of the antivirus software will be clean.
Another very promising development came a year ago from IEEE.com members. They decided to unite antivirus software vendors to build a comprehensive solution for software protection vendors that will avoid most of the false detections caused by protected files. The Enigma Protector developers have also joined the process, so we hope that soon we will be completely free of most false positives!
You can read about the new anti-false-detection system here: http://www.pcmag.com/article2/0,2817,2390388,00.asp
How to Solve False Detection?
Below I’ve written a list of antivirus software vendors and the ways to resolve false positive detections by their software. Also note that customers of the Enigma Protector can always contact the support team at firstname.lastname@example.org and ask for help with any false detection.
Here are some places that can scan the program online and let you know which AV companies are giving false positives on the files:
NOTE: we do not recommend using the services below to check your files for false positives, because submitted files are forwarded directly to antivirus software vendors. In our experience, antivirus software vendors move these files to a blacklist, so instead of successfully removing a false detection you will get a few new false detections. This note is based on our experience only; you may or may not trust it.
I’ll go ahead and list some email addresses and website forms for some of the particular AV companies to make it easy for you.
A-Squared: send the false detection sample to email@example.com
If you think our scanner has detected a clean file by mistake please select “False positive suspicion” from the drop down menu above. Note that suspicious files and false positives need to be uploaded separately. Please make sure you verified that the latest version will still detect the file and it is not a solved false alarm at this point in time.
ArcaVir: send the false detection sample to firstname.lastname@example.org
Avast: Use the contact form to submit the file: http://www.avast.com/contact-form.php
Make sure you’ve noted that this is “False alert of a file”.
Alternatively, submit the file to email@example.com:
Pack the “infected” file into a ZIP archive and lock it with the password “virus” (without quotes) and attach it to an e-mail.
Write the same password inside mail body, so Alwil virus analysts will know the password right away without guessing.
You can also add web address to that file (or webpage of the file/program) if it’s on the internet.
Add your own note on why you think that it’s a false positive. Every info helps Alwil staff.
Send the mail to: firstname.lastname@example.org
You’ll probably get a reply mail about file info (if it was really a false positive) after some time.
If not, check the file with Explorer extension when new VPS is released.
This way you’ll know if the false positive was fixed.
Until then, you can add the “false positive” file into exclusions:
Left click on “a” ball next to the clock and select Standard Shield.
Click Customize… and select Advanced tab.
Now just enter full path (path plus filename with extension) into the line and press [Enter] on keyboard.
This will exclude the file from scan, so you can use it until the false positive is resolved. Do this with caution or if you’re 100% sure that the alert was a false positive for that file.
Alwil staff deals with false positives very fast, so they are usually fixed on next VPS update, or even immediately if the false positive is found in any widely used program.
Try to address false positives directly to Alwil virus submission mail and not here on forums. This way the false positive is solved faster.
Check the file using this form:
If the file is falsely detected, add it to a password-protected zip archive. Then email the zip file to email@example.com. Do not forget to note that the “File is incorrectly marked as a virus (false positive)” and to include the archive password for the zip file.
Post the false detection in their forum:
Complete the form at http://www.clamav.net/sendvirus. Be sure to select The file attached is… a false positive.
Comodo Antivirus: firstname.lastname@example.org or email@example.com
Make sure you state “False Positive” in the subject and try to explain what the program is.
Or upload file sample using this online form:
Do not forget to note that this is a false detection.
– The subject line should be in the format: virus samples
– Attach the sample as an encrypted zip file with the password “infected”
– In the body of the message, state that the file is protected with Enigma Protector and give its version
– Submit the sample to: AVsample@blockvirus.biz
Make sure you select “False Detect”.
– Send the suspect(s) to firstname.lastname@example.org
– Before submitting, create a password-protected archive (ZIP or RAR) containing the file(s). Please password protect the archive with the word: “fp” (no quotes)
Fill out the contact form and let them know it is a False Positive.
F-Prot Antivirus: http://www.f-prot.com/virusinfo/submission_form.html
Be sure to explain it is a False Positive!
F-Secure Antivirus: http://www.f-secure.com/samples/index.html
If you encounter a false positive, please submit a sample of it for testing and verification, specifying that you are submitting a false positive. Any additional information such as the origin of the file, scanning report file, and false positive detection name will help to resolve the issue more quickly.
Submit the file and fill out the form stating it is a false positive
Ikarus: send the false detection sample to email@example.com
Password protect the sample and send it to: firstname.lastname@example.org
Include password in the email.
Zip the file with the password “virus” and use this form to send the sample:
1) Put the suspected virus in a password-protected zip or rar file.
2) Compose an email message (only short description) and attach the zip file.
3) Include the password in the body/subject of the email. If you suspect a false positive, then include “Possible false positive” in the subject line.
4) Send the zip/rar file to email@example.com
Send an email to McAfee and let them know it is a false positive.
Make sure you zip up the file(s) and password protect it with the word infected. Even though it is not a virus this password must be contained on the zip file or they will ignore your email.
1. Compress the file(s) into a .zip or .rar archive, and password protect it with the password “infected”.
2. Make a note of this password in the email (bounded by speech marks), attach the zipped file, and email it to firstname.lastname@example.org.
3. Use a subject line which clearly states if the attached file contains a suspected infection or a false positive (ie. use the subject Suspected infection or the subject False positive if you report a false positive). Also, please include the Customer Care case number if applicable.
4. In the body of the email it is very important to include:
Any background information as to where the sample was found, especially the url you downloaded the sample from
Why you think it is malware or a false positive report.
If you know that another antivirus company already detects it.
If you are reporting a potential false positive, please provide as much information as possible about the source of the software, including the name of the developer, the name and version of the application and the address of the site from which the file was downloaded.
Send email to: email@example.com
For more info:
Norman Virus Control: http://www.norman.com/Support/fp/
Please send an email to firstname.lastname@example.org with the subject “false positive” with details of the detection.
Contact support by filling out the form and stating the information about the false positive.
Sophos Antivirus: https://secure.sophos.com/support/samples/
Make sure you let them know it is a “False Positive”.
Fill out the false positive submission form and attach the falsely detected file.
Complete the false detection submission form at:
To submit a false positive email to Security Response:
Create a new email in RFC-822 MIME format, and attach the false positive email.
In the To box, type:
North America: email@example.com
Only send false positive email to this address.
Send the message to the Security Response Center.
Do not forget to note that it is a false detection
VirusBuster: send the false detection sample to firstname.lastname@example.org
Make sure you notify them that it is a “False Positive”.
Go to http://www.hauri.net/support/false_report.html, where there is a false positive submission form. Enter your name and email address, enter False Positive in the subject, add some words in the text field and select a file. Note that the falsely detected file should be zip compressed!
Use this form to submit the false detection
VBA32: send the false detection sample to email@example.com
Put “False Positive” in the subject!