Submitting FPs to Qihoo

Discussion in 'other anti-virus software' started by nameless, Jun 26, 2015.

  1. nameless

    nameless Registered Member

    Joined: Feb 23, 2003
    Posts: 1,184
    I thought this was a little funny. I have Qihoo's 360 Total Security Essentials installed. Every scan returns a slew of false positives, like practically every AV in history. Anyway, I submitted a bunch of them using Qihoo's web form. One of the EXEs I submitted was one I had created myself.

    After quite a while (a couple weeks or so), I got email responses. The first funny thing was that all the response emails said that my submission was "identified as malicious" but, in the same message, said that the file should be added to the "Trust List" if it gets detected again. I know that English is not Qihoo's strong suit, but come on now.

    None of the files I submitted was a true malicious file. Not even borderline.

    The other thing I thought was funny is that I discovered that Qihoo uses VirusTotal.com to determine if a file is clean or not. I don't know if this is all they do (I would hope not). How do I know this? After getting the response emails from Qihoo, I went on VirusTotal to scan the EXE that I had created myself. Just for grins and giggles, to see what would come back. And the site told me that it had been scanned 5 hours earlier. I wasn't the one who had scanned it, and I created the EXE myself, and never gave it to anyone. So it must have been Qihoo who scanned it.

    Anyway, I'm bored so there's my story. :)

    Seriously thinking about removing 360 because it's just an annoyance at this point.
     
  2. Rolo42

    Rolo42 Registered Member

    Joined: Jan 22, 2012
    Posts: 569
    Location: USA
    What he was telling you is that it was identified as malicious and if they haven't added it to the cloud's trust list and you still want to run it, add it to your own trust list. Of course they'll use VirusTotal (who wouldn't?); did you expect them to decompile your executable to verify its function? heh..would be kinda nice.

    Qihoo 360 is a great product; I think removing it would be a mistake (chances of getting worse are greater than getting better). I've never not had any AV program not flag my own exes as potentially malicious (follow all those negatives!) since the age of the file's reputation is a significant factor, especially if it isn't digitally signed by a trusted vendor. The QVM engine seems to be a thorough heuristics scanner, which is nice if one has doubts. (It flagged a lot of my 13-year-old self-extracting chess game mods heuristically as well as my own compiled exes...can look at it as an understandable false positive that testifies to its strong heuristic analysis.)
     
  3. JimmyJames321

    JimmyJames321 Registered Member

    Joined: Apr 6, 2015
    Posts: 47
    Right, it's just a simple step.

    Couldn't agree more on that. Qihoo has used a very different business model in the very beginning, it doesn't rely on paid security products to survive, and yet it's very committed to giving high-quality AV products to its users.
     
  4. GakunGak

    GakunGak Registered Member

    Joined: Mar 24, 2009
    Posts: 953
    How the whole thing works:
    http://corp.360.cn/ot/cloud-basedtechnologies.html
    As for FP, if it's not digitally signed, or it resembles malware-like behaviour or has suspicious code, it might get flagged as malicious because it is unknown.
    If it is safe, Qihoo should/will take care of it over time [manual submission via program or email].
    In the meantime, if the file acts normally in sandbox, you can manually trust it.
     
  5. nameless

    nameless Registered Member

    Joined: Feb 23, 2003
    Posts: 1,184
    I figured that's what they meant, but their wording makes no sense. Of course it was identified as (at least potentially) malicious; had it not been, I would not be submitting it as a false positive! At first, I thought they were telling me that they had analyzed it, and then concluded that it truly was malicious.

    Well they are an AV company with their own engine; I thought they would analyze it. Isn't this what happens when you send one to Kaspersky, Bitdefender, etc.? But to just see what other AVs already think doesn't make sense to me.

    The heuristics failed on my EXE. The program of mine that they flagged does literally nothing except load and exit. It's a dummy EXE. It's not even using runtime compression.

    FWIW they have added all my submissions to their own ignore list. :)
     
  6. Rolo42

    Rolo42 Registered Member

    Joined: Jan 22, 2012
    Posts: 569
    Location: USA
    Yes but it was doing nothing out of malice! :argh:
     
  7. syrinx

    syrinx Registered Member

    Joined: Apr 7, 2014
    Posts: 334
    Clever, I'll have to try this in the future when I'm sending in FPs. Only vendor I've dealt with directly (haven't tried Qihoo's products myself) that seemed to answer in a similarly vague fashion (along with taking quite a bit of time to even follow up with a response) was McAfee. The responses I received from ESET were always spot on and they actually seemed to inspect the file themselves before answering. It's one of the reasons I have stuck with them even if they aren't getting the highest scores, they actually bother to look at what you send them.
     
  8. coolcfan

    coolcfan Registered Member

    Joined: Nov 1, 2008
    Posts: 123
    Scanning with VirusTotal doesn't always mean they won't analyze your file by other means.

    But the response really doesn't make sense.