Virustotal false positives
Author: a | 2025-04-24
False Positive Center
(Written by Yaron Elharar & the effort of countless contributors over the years)

Repository to help security vendors deal with false positives, improving their detection engines, and to centralize information for software developers, making it easier to submit false positives to AV companies.

The repository lists the emails and websites security vendors (antivirus companies) use to receive false positive reports. It's an effort to facilitate communication between software developers and security vendors.

AV companies are not responsive? Look at the bottom for additional details.

Architecture and False Positives

Important: 32-bit applications, even if signed properly, have the potential to produce significantly more false positives, particularly among smaller, lesser-known antivirus solutions and vendors. If you must have a 32-bit version of your software, it is advisable to separate it from the 64-bit version into two architectures, especially if false positives are a persistent concern.

Please use pull requests to:
- Add missing vendors
- Update information
- Change out-of-date information

What should be included in the email?

A few things are basically required by all security vendors, and would likely lead to better communication. So make sure your email includes the following when sent:
- The detection name
- Product (when applicable; some vendors have multiple different AV products at VirusTotal, so list which one produced the detection)
- The VirusTotal link, or OPSWAT

VirusTotal (Important)

A flagged detection on VirusTotal does not mean that the commercial version of that security vendor's product will detect/flag the file the same way. Security vendors usually configure their VirusTotal implementation to be more sensitive than, or different from, their actual product.

Quote from this VirusTotal Q&A:

"VirusTotal's antivirus engines are command line versions, so
Depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioral analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.

In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.

Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration."

[*] Emphases not present in the original text and added for clarity.

Antivirus Contact Info For False Positives

In addition to the information in the table below, VirusTotal also has its own listing of contact information for antivirus companies. You can find it here.
You can directly contact VirusTotal to report false positives by choosing "false positives" in this contact form; however, note that you may be directed to contact the security vendor directly first.

ENGINE: Contact
360: kefu@360.cn
(Lavasoft): malware.labs@adaware.com
Agnitum: trojans@agnitum.com
AhnLab-V3: v3sos@ahnlab.com (recommended), e-support@ahnlab.com, samples@ahnlab.com
AlphaMountain ai: or support@alphamountain.freshdesk.com
AliCloud: antivirus@alibabacloud.com (discussion)
Alibaba: virustotal@list.alibaba-inc.com
ALYac (ESTsecurity): esrc@estsecurity.com
Antiy-AVL: support@antiy.cn, avlsdk_support@antiy.cn
Arcabit: vt.fp@arcabit.pl or virus@arcabit.com
Avast: DL-Virus@gendigital.com
Avira (no cloud): novirus@avira.com
AVG gaoyingchun@baidu.com
BitDefender: virus_submission@bitdefender.com, oemsamples@bitdefender.com
Bkav Pro: fpreport@bkav.com, bkav@bkav.com
ByteHero: bytehero@163.com
Certego: fp@certego.net
ClamAV vulambang@cmcinfosec.com, support.is@cmclab.net
CRDF Labs Falcon VTscanner@crowdstrike.com
CyanSecurity: virustotal@cyansecurity.com
Cybereason: vt-feedback@cybereason.com
Cylance: cylancefilesubmit@blackberry.com, General instructions for submission
Cynet: soc@cynet.com
CyRadar: virustotal@cyradar.com (CyRadarInc accepts FP reports through Facebook Messenger as well)
Cyren: support@cyren.com, Instructions:
Instinct: vt-fps-requests@deepinstinct.com
DNS8: dns8@layer8.pt
DrWeb: vms@drweb.com
eGambit (TEHTRIS) or fp@emsisoft.com (false positives), (Microworld) samples@escanav.com (more information here)
F-Prot: viruslab@f-prot.com
F-Secure/WithSecure: spyware-samples@f-secure.com, vsamples@f-secure.com
Filseclab: fp@filseclab.com
Forcepoint (websense): suggest@forcepoint.com or File Submission Tool, URL Submission Tool
Fortinet: submitvirus@fortinet.com, or go through this process. First upload the file to Google Drive (preferably don't use your main account). Once uploaded, if the file was identified it will be flagged; right-click on the file and select Open With -> Preview. Google Drive will display the alert 'This file looks suspicious. It is visible only to the owner.'; click Request a review. On the Request a review page, click the Request file review button at the bottom of the page. Demo Video
Gridinsoft: virus@gridinsoft.com, antimalware@gridinsoft.com, samples@ikarus.at, false-positive@ikarus.at
Invincea: info@invincea.com
Jiangmin: support@jiangmin.com, shaojia@jiangmin.com
K7 (K7GW): reportfp@labs.k7computing.com, k7viruslab@labs.k7computing.com, support@k7computing.com, newvirus@kaspersky.com, or (OS > Application > Malware > False positive > Continue to contact support button > Upload file)
Kingsoft (Cheetah): ti@mingting.cn
Lionic (AegisLab): support@aegislab.com, or for clients (Issue type > Product help > False-positive)
Malwares.com (Saint Security): kog@stsc.com
CTX (SaintSecurity): root@malwares.com
MaxSecure: tech@maxpcsecure.com
McAfee Windows Defender false@nanoav.ru
Netcraft (Inca) virus_info@inca.co.kr
Palo Alto Networks: vt-pan-false-positive@paloaltonetworks.com
Panda: falsepositives@pandasecurity.com, virussamples@pandasecurity.com
Phising Database OEMENGINE@quickheal.com, support@quickheal.com, Engine Zero: To report false positives follow their instruction guide
Scrutiny: training@cyberstanc.com
Seclookup: info@seclookup.com
SecureAge APEX (Static ML) report@sentinelone.com
Skyhigh (SWG): Use the Avira Process, or email virus_research_gateway@avertlabs.com
Sophos: samples@sophos.com; for email submission/other options see this article
Spamhaus (Broadcom) false.positives@broadcom.com
Systweak: (Password protected zip file; include detection name)
Tencent: TAVfp@tencent.com
TheHacker: virus@hacksoft.com.pe, falsopositivo@hacksoft.com.pe
Trapmine: fp@trapmine.com (Concluding operations December 31)
Trellix (FireEye): datasubmission@trellix.com, or malware_research_gateway@trellixsecurity.com; attach the false positive sample, then enter "Possible False" as the subject
TrendMicro: virus_doctor@trendmicro.com, , support@varist.com, virus@avsubmit.com, virustotal@viritpro.com,
VBA32: feedback@anti-virus.by, support-en@anti-virus.by
VIPRE SMD (Comodo): malwaresubmit@avlab.comodo.com, security@xcitium.com, support@xcitium.com, , help@zillya.com
ZoneAlarm by Check Point: zonealarm_VT_reports@checkpoint.com
Zoner: false@zonerantivirus.com

Antivirus Vendors Whitelisting Programs

To decrease the chance of false positives you can consider submitting your program to an antivirus company's whitelisting program. In the list below (just started 30th January, contributions encouraged), most programs require registration and a manual approval process.

ENGINE: Link To Whitelisting Program / Allowlist Program
Avast (Norton): Whitelisting Program Discontinued

AV companies are not responsive?

There could be a scenario where.
The AI search modifiers can be combined with other AI search modifiers or with any other modifiers supported by VirusTotal using the logical operators AND, OR, and NOT. For example, the search query crowdsourced_ai_analysis:"inject" AND crowdsourced_ai_analysis:"explorer.exe" can be used to identify files that perform injection involving the explorer.exe process. The results returned from VirusTotal include the PowerShell script da.ps1, which injects code from an external file into this process. This functionality of the script is documented in the summary generated by the Code Insight AI engine.

[Figure: da.ps1 injects code into explorer.exe]
[Figure: Code Insight analysis of da.ps1]

Another example is the search query crowdsourced_ai_analysis:"Shell.Run" AND behavior_created_processes:"powershell.exe". This query can be used to identify files that invoke the Run function of the Windows Script Host Shell object to execute the PowerShell process powershell.exe for conducting further activities. The results returned from VirusTotal include the Visual Basic script 297641663, which executes a PowerShell command using the Run function to download a payload from a remote server.

[Figure: 297641663 executes powershell.exe]
[Figure: Code Insight analysis of 297641663]

Although the AI engines integrated into VirusTotal provide valuable insights, they should be used as tools to assist in malware analysis efforts, as part of a broader analysis strategy. AI engines are designed and trained to analyze code based on historical data, and therefore may not always accurately interpret novel techniques or highly obfuscated code in malware implementations. As a result, the summaries they generate may sometimes lack sufficient or useful information for analysts.

Clustering With Search Modifiers

The extensive number of VirusTotal search modifiers enables analysts to query the platform in a practical and precise way. This allows for retrieving submitted artifacts and related information that are relevant to specific threats under investigation. However, false positives (where retrieved data is not related to the investigated threat) and false negatives (where relevant data is missing) can impact the relevance and completeness of search results.

The way in which queries are formulated is important for addressing or alleviating the impact of these challenges. Combining search modifiers using the logical operators AND, OR, and NOT and refining search queries helps reduce the likelihood of false positives and false negatives. This is an iterative process where analysts may integrate information obtained from multiple sources into their query formulations.

For example, malware analysis may provide characteristics suspected to be unique to the investigated activity cluster, such as specific file names, hashes, registry keys, network indicators, code signatures, strings or functions used by the malware, or distinct patterns of behavior. Additionally, information
At this point. So you don't see a reduction from 127 to 34 in the AVC tests by just replacing Ikarus with Bitdefender as a dramatic improvement? Some people don't take false positives into consideration. As a corporate AV user, false positives have caused as much damage and wasted as much time as actual malware. I would say that is a great improvement!

Interesting. I wonder why. It'd be nice to hear from the developers of those AV programs what their reason was for going with the BD engine...

Before the latest false alarm test for March 2013, when was the last time Ikarus or Emsisoft was tested for FPs by AVC? I won't wait for that answer. By the way, where exactly did you come up with 127 FPs when Ikarus was the other engine? Did Emsisoft come up with that number? Because it didn't come from AVC testing.

127 to 38? 38 is what AVC posted. No, that still stinks, but you're right, you went from totally unacceptable to just plain lousy. No, I don't think I'll start drinking the Emsisoft Kool-Aid just yet. You are headed in the right direction though.

Charyb (Last edited: Apr 22, 2013)

We were tested in 2011. We didn't receive any of the samples we missed nor the false positives we caused in that test. So those false positives are still there. The huge drop was therefore caused by the switch in engines.

Actually, you have to take those 38 false positives with a grain of salt. When you look at the actual false positives in the dedicated false positive report (link can be found in the test report) you will see that a significant portion of the false positives were in rather exotic files (we are talking applications designed for Windows 98 here). Personally I would argue that one false positive in a Windows file has more catastrophic consequences than 38 false positives in files that are partially so old and thinly spread that even an enormous service like VirusTotal hasn't seen them even once.

If you don't
Which is better of the 2?

There is no better one, they both have their pros and cons. Eset is more about accuracy, NPE is more aggressive. Depends on your needs.

#12
> There is no better one, they both have their pros and cons. Eset is more about accuracy, NPE is more aggressive. Depends on your needs.
What's the difference between accuracy and being aggressive then?

#13
> What's the difference between accuracy and being aggressive then?
Eset is more likely to miss something whilst NPE is more prone to false positives.

#14
> Eset is more likely to miss something whilst NPE is more prone to false positives.
So no golden medium then. Would you say HMP is largely useless then?

#15
> So no golden medium then. Would you say HMP is largely useless then?
Hitman Pro nowadays queries the Sophos Live Protection network for reputation. Everything with malicious reputation or unknown is flagged as malicious/suspicious respectively. Sophos is a business-first vendor and there are loads of unknown files, as well as their network only collects reputation for executables. All in all, HMP is not useless but it's wildly inaccurate and also, paid. You can do better for free.
Last edited: Jul 6, 2024

#16
KVRT is probably the best on-demand scanner out there.

#17
Yes I use KTS. So what on-demand scanner would you recommend? I use VirusTotal for exe's or files that I'm not sure of.

In addition to ESET Online Scanner you could try X-Sec. You may see some false positives but it's quite effective for such an unknown product.
X-Sec Antivirus: X-Sec Malware Scanner is a free antivirus software which can detect and remove malware effectively. www.xsecantivirus.com

#18
> In addition to ESET Online Scanner you could try X-Sec. You may see some false positives but it's quite effective for such an unknown product.
> X-Sec Antivirus: X-Sec Malware Scanner is a free antivirus software which can detect and remove malware effectively. www.xsecantivirus.com
You suggesting give it a try...? This is the first I've heard of X-Sec. Do you know if it's Chinese or Korean or other (just wondering)? The website seems to have minimal info...

#19
> In addition to ESET Online Scanner you could try X-Sec. You may see some false positives but it's quite effective for such an unknown product.
> X-Sec Antivirus: X-Sec Malware Scanner is a free antivirus software which can detect and remove malware effectively. www.xsecantivirus.com
Files that have been labeled as malicious by more than 20 engines.

last_analysis_stats attribute

Setting positives to a relatively high number is a way to focus searches on files that are likely to be malicious. However, the returned results may not include malicious files for which an insufficient number of third-party detection engines have developed detections. The development of detections is fully in control of the engines' vendors and may depend on a variety of factors.

A common factor prompting vendors to develop a detection for a specific malware implementation is the public release of a threat research report listing files that implement the malware. For example, on September 21, 2023, SentinelLabs released a report on the Sandman APT group, identifying the UpdateCheck.dll file as malware used by this group. Prior to this date, on March 15, 22, and 29, 2023, the number of engines detecting the file as malware was 5, 6, and 7, respectively. Shortly after the release of the report, this number spiked to 17 and reached 53 by September 29, 2023.

[Figure: Number of engines detecting the UpdateCheck.dll malware]

Conclusions

Effectively using VirusTotal for threat research requires a good understanding of the platform's wide range of querying capabilities, the scenarios in which these capabilities return informative results beneficial to investigations, and the factors that may impact the completeness or relevance of the data returned.

While the GUI provides an agile and user-friendly way to query VirusTotal, the API enables large-scale querying, offers expanded querying capabilities, and allows for retrieving more extensive information. Additionally, the AI engines that VirusTotal integrates can significantly speed up malware analysis efforts; however, their outputs should be considered as part of a broader analysis strategy as they may lack sufficient or useful information due to limitations in design or training data. Moreover, the extensive set of search modifiers provides flexible search capabilities, but the relevance and completeness of results can be impacted by false positives and false negatives.

SentinelLabs and VirusTotal are committed to sharing information and insights that help new users gain a solid understanding of the platform's capabilities, enabling them to make full use of the available VirusTotal features and conduct thorough investigations.
Electron-Builder Version: 22.13.1
Node Version: 14
Electron Version: 13.5.2
Electron Type (current, beta, nightly):
Target: Windows

I updated electron-builder to the latest version (22.13.1) in our project ( and the Windows NSIS installer got flagged as Trojan:Win32/Bulta!rfn by Windows Defender and Suspicious.Win32.Save.a by SangFor (similarly to #6334).

The only significant changes between this version of our app (1.16.0) and the previous one (1.15.0), in terms of Electron/electron-builder config, were an update of electron-builder from 22.11.7 to 22.13.1 and the addition of a custom protocol (

You can see here VirusTotal scans:
- installer using electron-builder latest version (Windows Defender and SangFor false positives): after submitting a false positive report to Microsoft and rerunning the analysis on the above link, Windows Defender disappeared. But Alibaba and DrWeb were added as false positives.
- installer using electron-builder previous version 22.11.7 (SangFor false positive only): our version 1.15.0 installer scan shows no false positive, even if it was using the same electron-builder version 22.11.7.

Thank you for your help.
A specific engine, such as hispasec (hispasec_ai_analysis).

[ENGINE]_ai_verdict
[ENGINE]_ai_verdict:[benign|suspicious|malicious]
Searches for benign, suspicious or malicious verdicts generated by a single Crowdsourced AI engine.

VirusTotal introduces new engine-specific search modifiers ([ENGINE]_ai_analysis and [ENGINE]_ai_verdict) as new engines are incorporated into Crowdsourced AI. For example, with the addition of the ByteDefend engine, the platform released two new search modifiers: bytedefend_ai_analysis and bytedefend_ai_verdict.
The threat actors do not disguise their malware as Ivacy VPN components. This suggests that the files that had been located in the Ivacy VPN installation directory before submission to VirusTotal may be false positives. An analysis of some of these files using a .NET decompiler revealed that they are indeed legitimate Ivacy VPN components.

Building on the previous search, the query signature:"0E3E037C57A5447295669A3DB1A28B8A" AND tag:"peexe" AND magic:".NET" AND (NOT metadata:".pdb") AND (NOT name:"Program Files (x86)\\ivacy") further narrows the results to submitted executables that do not have PDB paths and had not been located in the Ivacy VPN installation directory before submission. The query returns one result, AdventureQuest.exe.

This suggests that VirusTotal does not host other malware loaders which are signed with the same certificate as AdventureQuest.exe and are likely linked to the investigated threat cluster. However, the extensive number of VirusTotal search modifiers allows for the identification of such loaders based on characteristics beyond the code signing certificate used. For example, querying VirusTotal for a code segment specific to AdventureQuest.exe using the content modifier leads to further malware that is likely part of the same activity cluster. We leave this as an exercise for the reader.

[Figure: Search queries and results]

Clustering With Search Modifiers | Limitations

Certain aspects of how VirusTotal collects information on submitted artifacts, which users can query using search modifiers, may increase the likelihood of missing relevant findings in some search scenarios. This is particularly relevant given the third-party tools and functionalities that VirusTotal uses for collecting this information, such as sandboxes and detection engines. Each of these tools has specific limitations, which affect the quality and quantity of information VirusTotal collects and stores in its dataset. In this section, we highlight some of these limitations to help users understand how they impact querying VirusTotal with search modifiers.

As mentioned earlier, VirusTotal executes submitted executable files (executables and scripts) in sandboxes to capture behaviors and artifacts visible only during execution. Additionally, most of the sandboxes VirusTotal integrates can identify MITRE ATT&CK techniques exhibited during execution. This is accomplished through a set of rules that map observed behaviors to MITRE ATT&CK techniques.

For each submitted file, the sandboxes generate a report documenting captured activities, which are accessible to VirusTotal users. To facilitate systematic searching of sandbox-generated data, VirusTotal stores this data in an object of type file_behaviour. This object has a relationship to the file object that is directly related to the submitted file. Users