
How do you deal with false positives from antivirus companies (Avast and ClamAV)? [duplicate]

Possible Duplicate:
Antivirus False positive in my executable

One application is currently being detected as a virus (a false positive) by Avast and ClamAV (never heard of the latter).

I have contacted both and am waiting for a reply from them, but I guess that takes time (24 hours++ now). So what I'm looking for is a resource to check if part of my code is being falsely detected. I personally assume that I and the person who wrote a virus at one point simply have common sample code?

I don't have the technical abilities to disable the AV and find what signature is triggering (and I assume companies protect this information). So my question boils down to: is there any resource I can use to check whether part of my code is being detected?

Extra information:

  • Link to VirusTotal:
  • My application is digitally signed, and "my" signature has a positive rating at least with MS, and I have never heard anyone complain that it's blacklisted.
  • My application does have background update checking and error reporting (update check is done via HTTP)
  • I have of course scanned the computer used for compiling for viruses (both MS and NOD32)
  • The application gets detected as a false positive even when it's just zipped and not in an installer.
  • Link to information about what my app is being falsely detected as (Thx to Flanfl)

People voting to close: please actually read the topic https://stackoverflow.com/questions/3339136/antivirus-false-positive-in-my-executable; that one is about Delphi coding. Mine is generic and has 2 actual replies that are helpful to my case.

EKS asked Nov 28 '11 18:11


People also ask

Does Avast have false positives?

If you have a piece of software that you have been using for a very long time and Avast (or another antivirus) suddenly detects it (and sends it to the virus chest), there is a possibility it is a false positive. You can report this from within the Avast Virus Chest.

What is false positive antivirus?

False positives (false alarms) are harmless files or URLs that are incorrectly identified as malicious by the antivirus program. Software programs that behave like malware or use identical file compression and protection techniques are susceptible to false alarms.

How do I know if my antivirus is false positive?

Head to the VirusTotal website and upload the suspect file or enter a URL where it can be found online. They'll automatically scan the file with a wide variety of different antivirus programs and tell you what each says about the file. If most antivirus programs say there's a problem, the file is probably malicious.


2 Answers

In the end, there's going to be no one technique that will solve your problem. Signing won't help, and changing names probably won't help; otherwise viruses would use those same ideas to circumvent security. Those AV products have found some chunk of code that matches the virus, and aren't smart enough to distinguish. I would suggest contacting the specific AV providers and getting them to whitelist you.

drharris answered Sep 21 '22 08:09


Possible workaround: I'm using hstart in the automatic update system; removing this should fix my problem.

EDIT: This "fixed" my problem, they were detecting hstart.exe...

Solution for others may be the following:

  • Take backups. Install the antivirus program doing the false detections (ClamAV and Avast in my case).
  • Scan your source code. If you're lucky it will show you what file contains the false detection (in my case it was a resource). REMEMBER: IF IT FINDS THE FAULT THIS WAY, IT'S LIKELY TO DELETE THE "PROBLEM"
EKS answered Sep 21 '22 08:09
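The scan step from the answer above, sketched as an added example that is not part of the original post: it runs ClamAV's `clamscan` over a throwaway copy of the build tree (so nothing in the original can be deleted) and groups the flagged files by signature name. It assumes `clamscan` is on the PATH; the function names, the sample output and the signature name are constructed for illustration.

```python
import re
import shutil
import subprocess
import tempfile
from collections import defaultdict
from pathlib import Path

# clamscan prints one line per hit: "<path>: <signature name> FOUND"
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_clamscan(output):
    """Group flagged paths by signature name from clamscan text output."""
    hits = defaultdict(list)
    for line in output.splitlines():
        m = HIT.match(line.strip())
        if m:  # skips "OK" lines, errors and the summary block
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)

def scan_copy(tree):
    """Scan a throwaway copy of the tree so the originals stay untouched."""
    if shutil.which("clamscan") is None:
        raise RuntimeError("clamscan not found on PATH")
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "scan"
        shutil.copytree(tree, copy)
        # -r recurse, --infected print only hits, --no-summary drop the footer
        proc = subprocess.run(
            ["clamscan", "-r", "--infected", "--no-summary", str(copy)],
            capture_output=True, text=True)
        # exit code 0 = clean, 1 = something flagged, 2 = scanner error
        if proc.returncode not in (0, 1):
            raise RuntimeError(proc.stderr.strip())
        hits = parse_clamscan(proc.stdout)
        # report paths relative to the original tree, not the temp copy
        return {sig: [str(Path(p).relative_to(copy)) for p in paths]
                for sig, paths in hits.items()}

# Constructed sample output; the signature name is a placeholder, not a real one
SAMPLE = """\
/build/app/main.exe: OK
/build/app/res/hstart.exe: Example.Placeholder.Signature-1 FOUND
/build/installer/files/hstart.exe: Example.Placeholder.Signature-1 FOUND
/build/app/readme.txt: OK
"""

if __name__ == "__main__":
    for sig, paths in parse_clamscan(SAMPLE).items():
        print(sig, "->", paths)
```

The signature name and file list it returns are what the vendor's false-positive report form needs; an on-access scanner such as Avast may still quarantine files in the temporary copy, which is why the scan never runs against the only copy of the tree.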