Repository to help security vendors deal with false positives
False Positive Center
Repository to help security vendors deal with false positives, improving their detection engine, and centralize information for software developers making it easier to submit false positives to AV companies.
The repository lists the emails, and websites security vendors (antivirus companies) used to receive false positive reports. it's an effort to facilitate communication between software developers and security vendors.
A few things are basically required by all security vendors, and would likely lead to better communication. So make sure your email includes the following when sent.
The detection name
Product (when applicable, some vendors have multiple different AV product at virus total, list which produced the detection)
The VirusTotal link, or OPSWAT
VirusTotal (Important)
A flagged detection on virustotal does not mean, that the commercial version of that security vendor will detect/flag the file the same way. Security vendors usually configure their VirusTotal implementation to be more sensitive/differently than their actual product
VirusTotal's antivirus engines are command line versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioral analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration.
[*] Emphases not present in the original text, And added for clarity.
To decrease the chance of false positives you can consider submitting your program to a Antivirus companies whitelisting program, In the list below (just started 30th January contributions encouraged), Most programs require registration and a manual approval process.
There could be a scenario where an antivirus/security company is not responsive, but to be sure that the issue is not on your end (especially if you're sending emails from your own domain). Check that your DNS records are set up correctly for good deliverability. Add an SPF, DKIM, and DMARC to your DNS records. Some AV companies may ignore emails that are not set up correctly, and some will send a response email with an error, depending on how the individual company is setup.
To check if your DNS is configured correctly, as well as SPF, DKIM, and DMARC, use the Google Check MX tool.
To do a final verification if the email was verified correctly in SPF, DKIM, and DMARC, send an email to a secondary email account and take a look at the full record to see if it passed. You're looking for this:
If you did find an error in your configuration, consider resending the emails you already sent before the fix.
TIP: while SPF, and DKIM are relatively simple to setup, you can speed up the DMARC setup by searching for DMARC generator with your favorite search engine, to use a wizard to generate it instead of doing it manually.
Contributors
Yaron Elharar, Pavel Moiseenko, Justine M.,sln162, Kai Kramer, you?..
Special thanks
Ana Tinoco from VirusTotal support, and the VirusTotal support team for making the initial contact information list. The hope of creating better communication between software developers and security vendors.
Final notes
While I tried to maintain the accuracy of the information here to the best of my ability, it may be that you encounter inaccuracies as things naturally change over time. If you do find any inaccuracies I encourage you to use a pull request, report an issue, or sending me a message.
