New centralized False Positive Reporting site

Discussion in 'other anti-virus software' started by qakbot, Oct 1, 2011.

Thread Status:
Not open for further replies.
  1. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    This seems like such an obvious thing to do, rather than trying to hunt down individual vendor sites.. a small outfit has set up a website where you can report FPs about any vendor.

    Check it out..

    http://www.falsepositivereport.com/

    Spread the word
     
  2. varunit

    varunit Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    79
    Thanks a lot.. Checking it out :)
     
  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Nice find. Thanks for posting, and something to bookmark for sure.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  5. m0unds

    m0unds Guest

    from their front page:

    since it's in its infancy, this could change, but if the site doesn't actually collect & submit the FPs to affected virus labs on behalf of its users, it's of really limited utility.

    like i said in the other thread where this site came up: the vendors have established protocols for dealing with user/software vendor-submitted FPs (whether said protocols are effective is debatable in some cases...) - unless the people running the site have commitments from AV vendors or volunteers who actually work w/the virus labs to treat it like an extension of their own official methods of contact, it's not going to do anything but serve as a clearing house for people to complain about false positives.
     
  6. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    I feel exactly the same. The security companies should be *somehow* associated with the site to show they will receive the samples (officially).
     
  7. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    I hope the site admins will respond to this, but I doubt that they have the resources to send files to AV vendors. FPs are not the problem of that site, it's a problem for the AV vendors and it's the AV vendor's responsibility to stay on top of all FPs irrespective of where they are reported.

    Here is what I see happening - If an AV vendor ignores this website, their FP will stay in those UNRESOLVED forum for an extended period of time and that can only mean a PR problem. So it's in their best interest to resolve all their FPs mentioned on that site.

    Needless to say, all this only matters if that site ever catches on with the public. Only time will tell.
     
  8. m0unds

    m0unds Guest

    They've totally put themselves in the position to make false positive reporting their problem. They claim their site is going to be a clearing house of false positive reports in a centralized location. That's great. I don't see anything (as of right now) saying "before submitting here, submit a case to the vendor to ensure they have the sample of the FP and that they're aware of it." - If they're just having users post FP reports on a forum and saying "Golly, I hope someone looks" that says to me that they're not serious about what they're doing, and it's almost irresponsible, as they're indirectly asserting that they can directly influence or impact file convictions by having people post on a forum. :blink:

    If a user reports an FP there but doesn't bother sending it to the vendor in question, they're not funneling it directly to the people who can actually act on it. So, unless the user is posting on this forum as a method of last resort to address an unresolved FP (or at least make people aware that said FP exists...), it makes no sense. I'm also pretty sure from a customer service standpoint that some of these companies wouldn't really appreciate having support related queries getting diverted away from their own official channels, either. It definitely doesn't make their lives easier.

    As far as sending stuff to virus labs: handling distribution of submitted files wouldn't be terribly hard from an automation standpoint. The vendors' email submission addresses rarely change (for the ones who have them anyway), so it's just a matter of flagging the appropriate vendor via user interaction, and then having the system dump it in an encrypted archive and send it off to the hardcoded address, with the user's input directly placed in the body of the email.

    There might be TOS violations for using automated systems to submit samples and/or FPs without asking first.

    Just my $.02, of course.
     
  9. app103

    app103 Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    5

    Hi, I am April Russo, manager of the False Positive Report community.

    Before setting up the site, our founder discussed his idea with his contacts within the security and antivirus industry. They all thought it was a great idea and were willing to cooperate.

    Our site is less than a week old and so far we have had reports related to 2 different antivirus companies which were responded to by representatives of those companies.

    They all know we are here, they all know we have a section for them, and most of them are monitoring the forum for reports related to their products.

    We are in touch with them and getting feedback on how to improve things.

    Yes, we did consider how it would look if an antivirus company chose to ignore us. We figured they might in the beginning, but as the site grows they won't be able to avoid us and will have to respond to the reports on their products, if they care about their reputation.

    But getting all the companies to deal with the false positive reports is only part of our goal. Ultimately we want prevention...less false positives.

    Too many innocent developers and small businesses are hurt every year by the plague of false positives. Merely dealing with the current reports will not change that. Finding out why it occurs and taking steps to prevent future false positives will make the world a much friendlier place to the small business owner and his reputation.

    We also eventually hope to be able to provide the consumer with statistical information about the antivirus products they use or are considering purchasing.
     
  10. abu shofwan

    abu shofwan Registered Member

    Joined:
    Mar 25, 2010
    Posts:
    358
    Location:
    Earth
    I much prefer to send FPs to AV vendors :D
    A-Squared
    Email: fp@emsisoft.com

    Ad-Aware
    F/P Forum: http://www.lavasofts...hp?showforum=93

    AhnLab
    Email: e-support@ahnlab.com

    Antiy Labs
    Email: michael.wang@antiy.com

    ArcaVir
    Email: pomoc@arcabit.pl
    Email2: support@arcabit.com

    Avast
    Email: virus@avast.com
    Info: http://support.avast.com/index.php?_m=know...199&nav=0,1

    Avira AntiVir
    Submission: http://analysis.avira.com/samples/

    AVG
    Email: virus@avg.com
    Info: http://forums.avg.com/in-en/avg-free-forum...show&id=395
    Website False Positives: http://www.avg.com/w...e-rating-report

    BitDefender
    Submission: http://www.bitdefend...in/contactEmail
    F/P Forum: http://forum.bitdefe...p?showforum=108

    ClamAV
    Submission: http://cgi.clamav.net/sendvirus.cgi

    CA Technologies - eTrust
    Submission: http://www.ca.com/us...mitmalware.aspx
    Info: http://www.ca.com/us/securityadvisor/newsi....aspx?cid=33514

    ComboFix
    Submission: http://www.bleepingc...e.php?channel=4
    F/P forum: ComboFix Discussion (Private Forum)

    Comodo
    Submission: http://www.comodo.co...rity/submit.php

    Dr. Web
    Submission: https://vms.drweb.com/sendvirus/

    ESET / Nod32
    Email: samples@eset.com
    Info: http://kb.eset.com/e...tent&id=SOLN141

    F-PROT
    Submission: http://www.f-prot.co...itive_form.html

    F-Secure
    Submission: https://analysis.f-s...rtal/login.html

    Fortinet
    Info: http://www.fortiguar...ispam_info.html (bottom of page)

    Ikarus
    Email: false-positive@ikarus.at

    Kaspersky
    Email: newvirus@kaspersky.com
    Submission: http://support.kaspe...b/helpdesk.html
    Info: http://forum.kaspers...showtopic=13881

    MalwareBytes AntiMalware
    F/P Forum: http://forums.malwar...hp?showforum=42
    Info: http://forums.malwar...?showtopic=3228

    McAfee
    Email: virus_research@avertlabs.com
    Contact: http://www.mcafee.com/us/threat_center/dis...ispute_form.asp

    Microsoft Essentials and Windows Defender
    Email: windefend@submit.microsoft.com
    Submission: http://www.microsoft.com/athome/security/s...isv/fpform.aspx
    Info: http://www.microsoft.com/windows/products/...der/fpform.mspx

    nProtect
    Submission: http://global.nprote...t/contactus.php

    Norman
    Submission: http://www.norman.com/support/fp/

    Panda
    Email: falsepositives@pandasecurity.com
    Contact: http://www.pandasecu.../about/contact/
    Info: http://support.pandasecurity.com/forum/vie...f=16&t=2883

    Prevx
    Contact: http://info.prevx.com/service.asp

    Quick Heal
    Info: http://www.quickheal...n/submit_fp.asp

    Sophos
    Submission: https://secure.sopho...upport/samples/
    Info: http://www.sophos.com/support/knowledgebas...icle/35504.html

    Spybot S&D
    F/P Forum: http://forums.spybot...isplay.php?f=16

    Spyware Terminator
    F/P Forum: http://forum.spywareterminator.com/Default...topics&f=42

    Sunbelt Security (VIPRE / CounterSpy)
    Submission: http://www.sunbeltse.../falsepositive/

    SuperAntiSpyware
    Info: http://www.superantispyware.com/supportfaq...lay.html?faq=28

    Symantec / Norton
    Submission: https://submit.syman...false_positive/

    Trend Micro
    Email: trendlabs@av-emea.com
    Submission: http://subwiz.trendm...Wiz/Default.asp
    Submission2: http://esupport.trendmicro.com/support/con...submitonline.do
    Info: http://esupport.trendmicro.com/Pages/How-t...mer-suppor.aspx

    VBA32
    Email: newvirus@anti-virus.by

    VirusBuster
    Email: support@virusbuster.hu
    or
    HERE
     
  11. app103

    app103 Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    5
    Thank you for the list of links and email addresses.

    I will not stop anyone from reporting where they feel is best. Some companies have a good track record of responding to FP reports. Some do not. Some will even refuse to accept a FP report unless you are a paying customer (shuts out developers trying to report FP complaints they get from their customers). Some free versions of AVs restrict their users to reporting issues on a user-to-user support forum that isn't monitored by any of the AV company's employees. Some companies don't want any mention of their FPs in public because they don't want anyone knowing how bad their products really are.

    And what about site mis-ratings? Ever been accused of being a site with malware downloads when you don't even offer any files for download? Ever had your site blocked because someone else that uses the same hosting company as you has malware on their site? Ever had a red or yellow McAfee Site Advisor rating on your site with no explanation of why? Ever tried to have one of those corrected before? It's not that easy, and even if you are successful, there is no saying how long before you have another mis-rating issue.

    Things like this affect innocent small businesses every day, blocking their customers, ruining their reputations, and interfering with their ability to keep a roof over their family's head and feed their kids.

    We are not going anywhere. We plan on making a difference. We are ready to work hard for as long as it takes. And we don't plan on being compensated for that work with so much as one thin dime. Our reward will be a world with better antivirus products that doesn't "mow down the children while cutting the grass", as a friend of mine so eloquently put it.

    By the way, most of your links are broken and do not lead where you might expect them to. You might want to fix that.
     
  12. abu shofwan

    abu shofwan Registered Member

    Joined:
    Mar 25, 2010
    Posts:
    358
    Location:
    Earth
    My pleasure.
    I am not trying to discredit your site, but IMO that's optional for customer. I have used a different anti-virus 3 times. First KIS, NIS and now AIS. They are very friendly in dealing with FPs.
    Anyway, I don't use site rating extensions such as WOT, McAfee, LinkScanner, etc.
     
    Last edited: Oct 6, 2011
  13. app103

    app103 Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    5
    When you are a software developer or webmaster, what you use to protect your machine sometimes matters less than what your potential customers use. Even if you think site rating extensions are useless and would never use one, it won't stop your site from getting blocked by one or more services that your potential customers may swear by. It's a situation where you are at the mercy of the software that other people run because you can't control that.

    And individual users are not the only ones that use this software. Have you ever seen that little link on a search result in Google that says "This site may harm your computer"? And in the latest news, WebSense has partnered with Facebook to warn users about "bad sites". Things like these have the potential to hurt your website and your business, and destroy many years of hard work almost overnight.
     
  14. Atomic_Ed

    Atomic_Ed Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    389
    Very interesting. You know it could also be a good resource for a quick validation for users who are not sure if a finding on their AV being reported is truly a threat or an FP. They can hit that central site and look up if others are reporting the same file. I think that could be a good thing to ease someone's mind while they wait for the software vendor to respond.
     
  15. jcollake

    jcollake Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    114
    As an update, we've now got our hosting, staff, graphics, and procedures worked out and are ready to rock 'n roll. The new site is at http://falsepositivereport.org (though the old domain will get you there). For those using RSS feeds from the old domain, I set up a reverse proxy for them, so they should have started working yesterday.

    We feel this project is very important. If nothing else, it is documentation, and a good safety net.
     
  16. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    The re-direct doesn't appear to be working. I get a warning page about being unable to modify header information.
     
  17. jcollake

    jcollake Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    114
    Redirection was a script error, fixed a long while back. Sorry about that. It was my mistake, I must admit.. a hasty edit ;o

    Problems with the site migration are now fixed, we're on our third server, and all is finally ok, lol. Do not get me started on the state of the shared server industry, I'd have too much to say. However, I do have this to say: We're good to go.

    If you had trouble registering due to 'spam' blocks, that is now fixed too. This existed for a few days.

    We hope to, at the very least, document in near real-time these occurrences. Maybe we never make a difference, maybe we do. However, I feel it is my duty to do what I can to protect the innocent.

    EDIT: I feel, unlike above poster, that the security vendors who make these MISTAKES, should -- at least -- monitor a forum via RSS feeds (or maybe even set up google alerts) .. as opposed to making all those affected 'come to them' and putting more burden on the victim. Since it is their job, I feel it is their moral obligation to make sure they are not hurting innocent businesses (families) to the best of their ability. This is not some optional thing, it should be required of them, all in my opinion. Heck, I monitor 20 RSS feeds in my spare time, they can't be bothered to monitor FP feeds? I would hope they care more than that, and believe they do.

    At what point does sticking your head in the sand count as negligence? I am not sure on that one.
     
    Last edited: Nov 9, 2011
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I see two issues with this:
    1) Malware writers can submit "FPs", right?

    2) Because of one, all of them will be rechecked by vendors before they're added.

    I like the idea though and it definitely adds a central area where they can recheck. It's more convenient for them.
     
  19. jcollake

    jcollake Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    114
    Thanks for the feedback.

    We at FPR try to do our due diligence. I've rejected numerous 'complaints' and other false positives. We require a VirusTotal analysis too, per submission rules. We try to only accept obvious and egregious examples, as no borderline cases need to be presented to show what I believe is a very serious problem. Such cases are disallowed by our submission rules, in fact. No bundled cases, no misclassifications, etc..

    FURTHER EDIT: Now, one thing we will improve is standardizing our submission forms, so that vendors get the data in a more standard form. We'll do what we can. But, there is not that much data to convey, so it is not a huge deal. We also encourage presumed victims to also report to the security companies.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Makes sense. I definitely support this project.
     
  21. jcollake

    jcollake Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    114
    Thank you ;). Naturally, not all the security vendors are eager to have their mistakes plastered in public. One security vendor employee called it the 'shame and name' project, lol. It is not our intention to shame anyone though. We hope no security vendor is so bad as to be ashamed. Nobody expects perfection, we all understand how hard the job of the security companies is. The FPR site states this quite clearly.

    Indeed, I wouldn't want my mistakes plastered on a board either. However, I feel transparency is important. It lets consumers know who cares, and who doesn't. Without this, a 'bad' security vendor might use FPs as a way to scare users into buying their 'cleaner', for instance. Now, that's a hypothetical, but my point is just that transparency is good for everyone --- even if it 'hurts'.

    The critics will say, "but we can build a better system doing it this way.. or that way.." .. The skeptics will say "it will never work" ... The cynics will say "what is your ulterior motive?" . LOL, I try not to let them bother me.

    I do have some aces up my sleeve, if ever they are needed. What does that mean? Well, I just mean that I am determined to get justice. As with our courts of law, it is better 10 guilty men go free than 1 innocent man be falsely convicted. Some security vendors take the more conservative approach, and that is something I applaud. I'm not naming names, as I don't want to take sides. Ironically, in my opinion, usually the more aggressive tactics do little to combat malware anyway.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If they feel they have something to be ashamed of maybe they should realize there's a problem.

    I don't see how this project can hurt and companies should take advantage of it.
     
  23. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Good info, thanks.
     
  24. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    @jcollake!

    Something good comes out of something bad? :)
    https://www.wilderssecurity.com/showthread.php?t=290710

    I'm just curious about if you got the idea to develop a service/site like this because of all the problems you talk about in the thread above?

    I'm sorry, but I needed to ask because I remember your name from the SiteAdvisor thread :D
     
  25. jcollake

    jcollake Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    114
    Like many 100% legit software vendors (no bundles, no malware, no BS), it is true that I have dealt with false positives, site mis-ratings, and other problems for many years. In fact, I've had 3 false positives in the last couple months on uncompressed, unwrapped (not protected), non-bundled, digitally signed software. I have had several other false positives on uncompressed old freeware of mine that exist to this day, forcing me to remove them from the site until resolved. I say uncompressed so that people do not think it has anything to do with my old executable compressor, which has been moved to a separate domain. If I were to count, the number of issues I've had (for no suspicious reason) is unbelievable, and has seemed to only grow. Fortunately, I had the direct contacts needed to get my issues fixed, as some of the forms the vendors provide do not get much done (sorry, it is true in some cases). Not everyone has this opportunity. See below as to why I have access to these security vendors.

    However, that older personal problem (3 repeated mis-ratings by that company in a row, 4 total), and others, are not something I've documented on this new site, nor do I intend to. That incident you referenced actually got even worse, but I will spare the details. Needless to say, having to 'fight' for what I perceived was my existence, after running an unquestionably clean shop, nearly brought me to the brink of psychological and financial collapse. That company later DID resolve the issue and it has not recurred since. This was right as that company was taken over by another, so perhaps things were finally changing ;).

    New problems I have, I will report, as I hope everyone does.

    Latest status: I've cleaned up the mess that was the home page some (much more work to do). I've refined the methodology and report formats, as they need to be clearly defined and adhered to.

    What we DO NEED are a few more qualified volunteers to simply do things like make sure submissions adhere to the guidelines, and weed out any potentially invalid submissions. I generally give suspicious submissions 48-96 hours to provide additional information before deleting them.

    The site is in beta, changing fast. Some of the criticism I've received has helped to shape the site, but most of these changes were coming anyway. It is a very fluid thing, consider it 'beta' at present ;).

    The idea itself I had during a discussion with security vendors on an IEEE working group on combating malware, in which I proposed this, then 'just did it'. Why am I on such a list? Because I author an executable compressor and therefore want to make sure all security vendors can 'scan inside' and/or detect illegitimate licenses of it (a new project being worked on). I have always provided all security vendors who ask with free licenses and full source code to my executable compressor's decompression stub, to help assist them. Now, this executable compressor is used on the likes of Google Desktop, so don't think it is somehow inherently bad. In fact, I intentionally make it very easy to scan inside. Further, on the topic of the executable compressor, trial downloads are limited to some pre-screening and all purchases require authentication. The new project we are working on to identify legit licenses from bad ones will aid in reducing abuse too. Just like any developer tool, it sadly does get abused, but I'm doing what I can to stop that.

    Note that the IEEE has *nothing* to do with this site, does not endorse it, etc.. etc... that's just where the discussion started, as I was trying to get some of my latest FPs fixed and finally got fed up again with how often they were occurring.

    I have not used my compressor on my own software in many years because I have no need for it, therefore I certainly do not believe it has any bearing on my individual problems, at least any time in the last few years. I believe my issues are typical of any other vendor. Some vendors have had problems much worse than mine even, especially those who do things that increase their risk factor (like protect their software).

    I believe this TRANSPARENCY is essential to fixing the problem, and thus hope to implement a system that provides such in a fair and effective manner. It will also serve as a great safety net. I have no axe to grind with any specific company and will treat all the same. After all, whoever was at whatever company a couple years ago is probably gone now, so it would be absurd to hold any grudge. Some security companies have already participated in the forum, directly, even when it was a mess in its earliest days. I want to commend them, but won't even do that here, as I must remain neutral.
     
    Last edited: Nov 12, 2011