How to deal with antivirus false positives when developers protect their application

To protect their software's source code and intellectual property, developers may select and use different protection tools (packers, encryptors, protectors) that apply several techniques to the application: compression, obfuscation, encryption and virtualization. These defend against reverse engineering and prevent the application from being decompiled and debugged. In some cases these encryption and protection techniques trigger a false positive: the antivirus installed on the user's machine scans the protected application and flags it as malware, suspicious, or virus-infected. This is called a "false positive" or false alarm, and it can have a negative impact on developers when they promote their application to potential users.

The reasons:

The reasons why antivirus software flags a protected application as infected or as suspicious malware are as follows:

  1. The mechanisms and detection criteria antivirus software uses to scan for and identify viruses and malware.

Antivirus software uses several methods to scan for, detect and identify potential malware or virus-infected applications, including:

Signature-based detection (a signature here is a string of code typical of malware, which may appear in legitimate applications as well as malicious ones; these code strings are stored in the antivirus database). The antivirus uses these "signatures" to scan the files on your machine and cross-check them against its database.

Heuristics-based detection spots suspicious characteristics in new threats and in modified versions of existing threats. If a certain percentage of a program's code matches anything labelled as a threat in the antivirus vendor's heuristics database, the program is flagged as a possible threat or as suspicious. This allows antivirus to catch new malware variants, but it can also result in false positives.

Behaviour analysis. More and more antivirus products use machine learning to identify malware based on behaviour rather than on signatures (what the file's code looks like). This is especially helpful for detecting newer malware threats that are not in a database yet, but sometimes programs are flagged for behaviour that is completely legitimate. Networking applications, product key finders and other similar software are often flagged as malware because they act similarly to popular malware.

PUP (potentially unwanted program) blockers. Many adware and spyware blockers flag ad-supported software and bundleware. If the software you are trying to download runs ads, offers to install other third-party programs (for Virbox Protector, it may check the license or download a license update), or tries to install a toolbar in your browser, there is a high chance it will be flagged as a potentially unwanted program (PUP), even if it is safe and legitimate.

Because software protection applies several of these techniques to make the protected application harder to analyse, reverse engineer, decompile and crack, the antivirus cannot identify the characteristics of the protected application; in some cases it fails to match the application's signature, so it treats the protected application as suspicious, flags it as malware, and produces a false positive.

You may also refer to Microsoft's article "How Microsoft identifies malware and potentially unwanted applications" here:

  2. Virus and malware authors use the same techniques (compression, obfuscation, encryption or virtualization) that packers and encryptors use to protect software, in order to hide the characteristics of their virus or malicious code and avoid detection by antivirus. In some cases malware authors protect their malware directly with a packer tool available on the market; you can also find articles describing which protectors are popular for protecting malware. Because the protection mechanisms and techniques are the same, the "signature" of a protected legitimate program and of protected malware are similar; only the objective differs: the software developer uses encryption and protection to protect the intellectual property in a legitimate file, while the malware author uses the same techniques and protectors to mask or hide their malware. The antivirus may be confused, so your application is misidentified as malware.

  3. The antivirus installed on your machine may not update its malicious-characteristics database frequently, so it gets confused and fails to distinguish the legitimate application from malware, even if you have joined the antivirus vendor's whitelisting program.

The Solutions:

False positive submission and digital signing of your application

For developers who use Virbox Protector or other protection tools to protect their project, in case antivirus software raises a false positive (false alarm) on your protected application, here are the options for resolving the issue:

1. Submit the false positive to the antivirus vendor

Submit the application sample to the antivirus company's support service and ask them to resolve the open issue (the false-positive flag). It usually takes a few days for them to identify the sample; if it is actually a legitimate application, they remove the detection and update their database. Here we list the contact information or web links for submitting file samples to some of the most popular antivirus companies. You can also search the website of the antivirus installed on your machine for the relevant submission form or email address by searching for "false positive".

Web links or email addresses for submitting false positives to some popular antivirus vendors:

Avast:

Avast provides a service named "Avast file whitelisting" to software developers to reduce the risk of false positives; visit here for details:

For joining and registering with the whitelisting program:

Or visit the Avast forum (Viruses and worms) at:

The Avast forum contains discussions of practical cases of how to resolve false positives on different systems.

Avira:

Avira describes how to deal with false positives on the website below:

Developers can submit the false-positive file here:

Note: select the "Suspected False Positive (Not malware)" option.

BitDefender

Developers can submit the wrongly detected file sample here:

Comodo

Comodo provides the following web link for its users to submit false-positive files and websites, as well as malicious files or suspicious websites.

ESET

Read ESET's description of how to submit a false positive for analysis, then submit the wrongly flagged file sample here:

Kaspersky

Kaspersky provides a "Threat Intelligence Portal" where users and developers can submit a file for identification:

For instructions on how to submit a file for analysis via the web link above, see the link below:

McAfee:

McAfee describes how to submit your company's software to be considered for whitelisting at the link below. Developers need to read the description, have an FTP account, and notify McAfee of the submission at this email: datasubmission@mcafee.com

https://service.mcafee.com/?locale=en-IN&articleId=TS102751&fromSearch=true&page=shell&shell=article-view

Or, find a description of how to submit false positives at the web link below:

https://service.mcafee.com/?locale=en-US&articleId=TS103032&page=shell&shell=article-view

Symantec:

Developers can submit their file sample as a false positive here:

Symantec was acquired by Broadcom several years ago. For other service requests, you can visit their support website here:

Norton:

To respond to incorrect Norton alerts that a file is infected or that a program or website is suspicious, find the instructions and the submission entry point below:

And you can submit the false-positive sample file below:

Windows Defender submission:

Specify that the attached file has been flagged as a false positive.

2. Digital signing.

Secure your executable and sign it with a valid certificate. For instance, signatures from Verisign or from digital certificates of a similar level are well accepted by antivirus companies.

Digital signing is the easiest way to show that your file is legitimate and to let the antivirus know where it came from and who created it. The way to build trust in a file is to check its digital signature. An executable without a digital signature has a high chance of being identified as suspicious or as a low-trust file by antivirus software.
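The following PowerShell, added here as an example rather than taken from the Virbox Protector documentation, signs the protected build with signtool.exe and then verifies the result; because a protector rewrites the binary, run it on the protector's output, never before protecting. It assumes signtool.exe from the Windows SDK is on PATH, a code-signing certificate in the CurrentUser\My store, and that the thumbprint and timestamp-server placeholders are replaced with your own.

```powershell
# Added example, not part of the Virbox Protector documentation.
# Assumes: signtool.exe (Windows SDK) on PATH, a code-signing certificate in
# CurrentUser\My, and placeholders below replaced with your own values.

function Invoke-CodeSign {
    param(
        [Parameter(Mandatory)] [string] $Path,        # the PROTECTED executable (sign after protecting)
        [Parameter(Mandatory)] [string] $Thumbprint,  # SHA-1 thumbprint of the signing certificate
        [string] $TimestampUrl = 'http://TIMESTAMP-SERVER-PLACEHOLDER'  # your CA's RFC 3161 URL
    )
    # /fd and /td select SHA-256 for the file and timestamp digests; /tr is an RFC 3161
    # timestamp server. The timestamp keeps the signature valid after the certificate expires.
    & signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE for $Path" }
}

function Test-CodeSign {
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is 'Valid' only if the file hash still matches the signed hash and the
    # certificate chains to a trusted root. 'HashMismatch' means the file was modified
    # after signing, which is what you see if the protector runs after signtool.
    [pscustomobject]@{
        File   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Stamp  = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
    }
}

# Usage: protect first, then sign, then verify (paths and thumbprint are placeholders).
# Invoke-CodeSign -Path .\bin\app.protected.exe -Thumbprint 'CERT-THUMBPRINT-PLACEHOLDER'
# Test-CodeSign  -Path .\bin\app.protected.exe | Format-List
```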

Software developers who select a protector to test and evaluate its security performance may also want to test with different antivirus products to check whether false positives occur. The following sites consolidate many antivirus engines and provide an online scanning service for the protected application, letting you know which antivirus companies would flag your application as a false positive:

http://virustotal.com/

http://virusscan.jotti.org/

https://www.virscan.org/

The benefit to developers of using the websites above is getting false-positive results quickly and saving time, with no need to install many antivirus products on your machine. In fact, developers may also submit the application during software testing to avoid false positives on the released application.

We must also remind you to be careful when scanning your protected application on the websites above. Some developers are concerned about leaking data, personal information and source code, and about the security risk of submitting an application to VirusTotal, so developers need to think about the potential security risk before submission, especially developers on a corporate network, and must not violate their enterprise security regulations.
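As an added example (not from the original article), this PowerShell checks a build against VirusTotal by its SHA-256 hash alone, so the file itself is never uploaded, and lists the engines that flag it, which are the vendors to contact under option 1. It assumes a VirusTotal API key in the VT_API_KEY environment variable and uses the v3 endpoint GET /api/v3/files/{hash}.

```powershell
# Added example, not part of the Virbox Protector documentation.
# Looks up a build by SHA-256 on VirusTotal's v3 API instead of uploading it, so no
# file content leaves the machine. Assumes $env:VT_API_KEY holds your API key.

function Get-VirusTotalVerdict {
    param([Parameter(Mandatory)] [string] $Path)
    $hash    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    $headers = @{ 'x-apikey' = $env:VT_API_KEY }
    try {
        $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$hash" -Headers $headers
    } catch {
        # 404 means this hash has never been scanned. Nothing was uploaded; decide
        # separately whether your organisation's policy allows submitting the file.
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{ Sha256 = $hash; Known = $false; Flagged = @() }
        }
        throw
    }
    $attr = $r.data.attributes
    # last_analysis_results maps engine name -> { category, result }; keep only the hits.
    $flagged = foreach ($p in $attr.last_analysis_results.PSObject.Properties) {
        if ($p.Value.category -in 'malicious', 'suspicious') {
            [pscustomobject]@{ Engine = $p.Name; Verdict = $p.Value.result }
        }
    }
    [pscustomobject]@{
        Sha256     = $hash
        Known      = $true
        Malicious  = $attr.last_analysis_stats.malicious
        Suspicious = $attr.last_analysis_stats.suspicious
        Undetected = $attr.last_analysis_stats.undetected
        Flagged    = @($flagged)   # engines to send a false-positive submission to
    }
}

# Usage (path is a placeholder):
# Get-VirusTotalVerdict -Path .\bin\app.protected.exe | Format-List
```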

What we recommend is either to join the antivirus company's whitelisting program or to use a digital signature, which shows the antivirus that your application is a "good" application with a good "reputation".

During false-positive testing, if the antivirus flags your application as malware or virus-infected, you may temporarily add your application to the "whitelist", "exception" or "allowed list" to continue evaluating the security performance, and submit your file sample to the antivirus website later.
