Antivirus companies cause a big headache for small developers.
Antivirus software is an essential tool that most people need to protect their Windows operating system from viruses, Trojans, and other malware.
Unfortunately, most antivirus companies go too far with their virus/Trojan protection, and in many cases they classify completely legitimate software as a virus/Trojan infection.
One good example of that is my own password recovery tools: most people need these tools to recover their own lost passwords. These password tools, like many other utilities out there, can also be used by hackers for bad purposes.
The attitude of many antivirus companies on this subject is very tough:
if it's a tool that can be used by bad guys, it's classified as a Trojan or virus, even when most users need it and use it for good purposes. Antivirus companies don't care that they block their own customers who want to recover their own passwords, and they don't care that they may cause their customers to think that I'm a virus distributor.
I must say that some antivirus companies are a little gentler, and classify these tools as "Security Threat" or "Riskware", which is much better than classifying them as a virus or Trojan, but they still prevent the user from running them, by deleting them or by putting them in quarantine.
Also, many users don't know what the difference between a virus and riskware is, and when they get these "Riskware" alerts, they still think that my tools are infected with a virus named "Riskware".
My password-recovery utilities are not the only victims of the "over protection" practiced by antivirus software. Other tools, like ProduKey, RegScanner, WebVideoCap, NirCmd, and others that don't recover any passwords, are still constantly targeted by antivirus companies, for no known reason.
Other developers also have "False Positive" problems
Other small developers also constantly experience false alerts from antivirus software; here are some examples:
- UBCD4Win - a great freeware Windows boot CD containing multiple tools, some of which are detected as malware: http://www.ubcd4win.com/faq.htm#false
- PortableApps - a great open source project that packages portable software to run from a USB flash drive, but it also has some false positive problems: http://portableapps.com/support
- AutoHotKey - an open source utility for creating mouse/keyboard macros. Users of AutoHotKey constantly complain about false alerts from antivirus programs. See the following link: It's time to do something about these AutoHotkey antivirus false positives
- RJL Software (updated on 21/05) - their programs are constantly detected as a "Joke program". You can read about that here and also here. They also added a comment to this post; it's recommended to read it too.
- UPX False Positives - Kaspersky Lab Forum: a user complains in the Kaspersky forums about false positives on tools compressed with UPX.
What about large companies like Microsoft?
Large companies usually don't have any false positive problems, and even if there is a single case of a false alert, the antivirus company will probably fix it very soon. After all, antivirus companies know that large companies have good lawyers, and if they don't fix the problem, they may find themselves in a large lawsuit for libel.
One good example is SysInternals. In the past, their psexec.exe tool, which can be used to execute code on a remote machine, was detected as a virus by some antivirus programs, but today, when SysInternals is part of Microsoft, all antivirus programs show it's clean, as you can see from this VirusTotal report.
Examples of emails I receive on a daily basis
Here are some examples of messages regarding virus alerts that I get in my inbox on a daily basis:
- "Your mspass.exe is infected with Virus"
"You have Trojan horse in your Mail PassView utility"
"your ProduKey is a Trojan, be ashamed !"
These messages are sent by users who really think that my tools are infected. I cannot blame them for thinking that, because the antivirus really tells them that there is an infection.
Most antivirus programs don't explain to the user that the alert is displayed only because it's a legitimate tool that might be used by hackers.
They simply tell the user that the tool is infected with a virus or Trojan, even though it's not really the truth.
- "I try to run your program and it says that I don't have permission"
"I try to run your program, and I get the following message: 'Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item'"
"I try to run your program, and nothing happen"
"Each time that I download your program and extract the files, the .exe file disappears"
These messages are sent by users who think that there is a bug or problem with my utility, without knowing that this problem is actually caused by their antivirus.
In some circumstances, the antivirus software runs in the background, and when it detects a threat, it simply blocks the .exe file, puts the file in quarantine, or simply deletes it, without telling the user anything.
The frustrated user thinks that there is a problem in the software he tries to run, without knowing that the antivirus software, which should protect his computer, is actually the troublemaker that causes this problem.
- "When I try to get into the utilities section of your site, I get 'the page cannot be displayed' error"
"You have a broken link in your site - When I try to download your ProduKey tool, I get 'the page cannot be displayed' error"
These messages are sent by users who think that there is a problem with my Web site, because they cannot browse to a Web page on my site or download a utility from my site. But once again, this problem is caused by an antivirus or firewall that decided to block my Web site without explaining the site blocking to the user.
ZoneAlarm products, unlike others, redirect the user to a Web page which says that "nirsoft.net has been known to distribute spyware", which is completely untrue.
This Web page also offers to report false detections to False_Positive@checkpoint.com. I really tried to do so, but I received the following error message from their email server:
----- The following addresses had permanent fatal errors -----
(reason: 550 5.1.1 ... User unknown)
As you can see, ZoneAlarm provides an email address for reporting false positives, but it's a fake email address that nobody really reads.
instead of adding new features to my utilities and updating my site.
Why don't you contact the antivirus companies?
Some people ask me, "Why don't you simply contact the antivirus companies to resolve the false alert issues?"
So here are some important points:
- There are dozens of antivirus companies out there, and combined with the more than 100 utilities on my site, false alerts appear and disappear all the time. Handling all these false alerts would require an employee with a full-time job, or even more than that.
- If you look at the Web sites of some antivirus companies, you'll easily find a large "Buy Now" button, but you probably won't find any "Report a False Positive" link. Antivirus companies always want to make more sales, but they don't really care about false positives in their products. They usually hide the option to report a false alert very deep in their Web site, and some of them give "False Positive" support only to users who purchased their product.
- Even when I find the method to report a false alert, deep in their Web site, most of the companies don't answer the requests at all, or simply send an automatic message saying that the sample I sent is infected. In some cases, the antivirus company fixes the false alert problem in their next update, but without admitting that they had a false positive, and without sending any apology to me, as a developer.
- False positives usually come back: even when an antivirus company finally fixes a false positive, it's just a matter of time until the false positive returns, with a new virus/Trojan name.
Help me and other developers!
If you feel frustrated, like me, about all these false alerts, you can help me and other small developers stop antivirus programs from detecting innocent tools as viruses/Trojans.
What can you do?
Here are some examples:
- Add your comments to this article about false positive problems you experience (as a user or as a software developer).
- Send this post to your friends, so they'll know more about false positive problems.
- If you constantly pay for licenses and updates for your antivirus software, don't hesitate to call your antivirus company and require them to stop the false alerts. You pay for your antivirus product, and you deserve to get a reliable product that detects only real viruses.
- If you have any contact with a large magazine writer/journalist, you may try to offer them to do research and/or write an article about all the false alert problems made by antivirus software.
Unfortunately, some magazines will never write an article against the antivirus companies, because these companies also pay for advertising in these magazines.

May 19th, 2009 at 6:48 am
I constantly experienced this problem of false positives. It's really crazy...
Even the "Kaspersky removal tool" is detected as a trojan by McAfee. Lots of programs I need to monitor computer activity, or clean malware, are detected as trojans and it's really difficult to use them. And of course some of the Nirsoft programs that are my favorites.
But what can we do? For me it's a further divide between two opposite conceptions of computing.
May 19th, 2009 at 8:48 am
My scripts in AutoIt (AutoHotkey is a spinoff of it) get false positives all the time.
I understand that this is a terrible issue for developers with a large portfolio of utilities.
Still as user - if specific malicious code is similar in legitimate app and malware I'd prefer it detected rather than not detected.
Overall it is one of those issues that don't have clear and easy solution. Antivirus developers are unlikely to cooperate on global scale and dealing with them case by case is impossible.
I hope you will (if not already) find convenient method of dealing with false positives feedback and it is not too much of discouragement.
May 19th, 2009 at 9:29 am
I agree this is a pain, whenever I plug in my thumb drive into another computer I find Norton happily deleting files from it for me. So now I tend to disable any AV before plugging it in (a lot easier).
May 19th, 2009 at 11:16 am
I also develop a little in VB6 on the rare occasion, once trying to write an update component into some custom software I wrote for a company I used to work for.
Unfortunately no matter how I tried, I couldn't find a way to code it without having it detected as trojan/downloader by at least Symantec. Even "excluding" the file in the software didn't work _for long_ and I was never able to find a way to report the issue to Symantec. Out of curiosity I checked and the file was also "infected" by McAfee or some other program they had at the time.
Was it the code itself, or that it was hard-coded for my domain, I dunno.
Surely the manpower for an anti-virus company doesn't allow to check all software. Maybe they come up with a few things to look for, like however my update code looks to their detection engine, then blanket this as a downloader trojan for all files scanned, and EXCLUDE the big software vendor's apps that could match this criteria.
Of course I also firmly believe most of them intentionally jack up the false positives (affecting primarily small developers) so they can boast higher detection rates.
And you are right, they justify this on the technicality that the software *could* be used maliciously.
But it doesn't mean they need to be so deceitful about the detection.
Also, the absolute worst part about a false positive, is that it trains the half-way competent user or even a computer tech to always disable the anti-virus when something like your password utility is being used...
...so what if that utility was infected by a real threat? Perhaps a computer tech who is retrieving a product key or password had something infect all the .exe's on the flash drive being used, what then?
May 19th, 2009 at 11:58 am
>Of course I also firmly believe most of them intentionally jack up the false positives (affecting primarily small developers) so they can boast higher detection rates.
Nope, a high percentage of false positives is a sign of low quality. All popular antivirus tests check that and count it into their rankings (not that those are absolute and objective).
It's not intentional, just the way things work when it is hard to tell apart malicious code from legit.
May 19th, 2009 at 12:21 pm
THANK YOU for posting this. I hope something is done about this. The "little" guys always get the shaft. We write "entertainment" software that is flagged as viruses by all of the major players. We've added FAQ topics, Discussion Forum posts and readme's to explain that our software is NOT a virus. In the end it's killing our business, as users don't understand the difference between Annoyware or Fun/Joke programs vs. Viruses. We have contacted McAfee and Norton - but no luck. Here are some topics we've added (will provide a link back to this blog)
http://www.rjlsoftware.com/support/faq/sa.cfm?q=209&n=61
http://www.rjlsoftware.com/support/faq/sa.cfm?q=21&n=68
May 20th, 2009 at 4:23 am
The anti-virus system I use provides an email address to its registered users for reporting false positives.
I'm happy to report that *every* time I've submitted a file or URL to a download, I've received a response within eight hours that stated, "Thank you--we have investigated and determined this is a false positive, and it will be corrected in the next set of virus definitions."
May 20th, 2009 at 6:56 am
This used to drive me mad when I used to ask a client on the phone to install a remote connection application like TeamViewer or Ammyy Admin and it would get thrown straight into quarantine, which then required me to talk them through authorising it, which with some clients who were not at all IT literate was a pain. Also had a few problems with F/P's with some of your tools but it would appear that Sophos (which I work with most) doesn't pick them up.
May 22nd, 2009 at 12:59 am
Well it has to be said, that if the users are so stupid that they cannot tell the difference between a legitimate program and a virus, then perhaps they shouldn't be using them.
I myself have really appreciated the software that you have put together and use it a lot. It helps me to iron out problems in networks and on hard drives.
Another issue is the general issue of the proliferation of antiviral programs. Perhaps the crappy ones need to be boycotted a little more with a good amount of blogging.
In the end, nothing beats good old fashion common sense and a bit of education.
Keep up the good work and invest in a mail filtering programme with a generic reply.
Another developer with similar issues...
June 2nd, 2009 at 8:32 pm
Avira Antivir 2009:
'SPR/Tool.KeyView' [riskware].
June 15th, 2009 at 7:07 am
"My scripts in AutoIt (AutoHotkey is spinoff of it) get false positives all the time.
I understand that this is a terrible issue for developers with a large portfolio of utilities."
The same thing happens to me... I think Jon (AutoIt Developer) said that the main autoit interpreter was classified as a virus, so almost any script made with AutoIt will also be classified as one, as it includes it.
He is trying to work with the security software providers to sort out how to detect autoit programs as viruses, so hopefully...
June 15th, 2009 at 2:16 pm
Hi. I'm a service engineer and founder of the usetools.net project about free software.
Experiments and tests based on real practical usage show that antivirus software applications become more and more useless, consume a great amount of PC hardware resources (sometimes users can't use their workstation because of a single program with a service purpose - "antivirus"), often damage user or system software ("false positives") and can even destroy a system completely without any reason.
So let's determine what the main features of virus-like (trash, harmful, dangerous, etc.) software are:
1. consuming more or less system resources like memory and CPU for running themselves without any possible user control;
2. creating a lot of startup items represented by executables in system registry run sections, or creating one or more services;
3. always updating, downloading something and uploading some data about the local system, thus sometimes consuming a lot of internet traffic;
4. showing various information like annoying commercial advertisements;
5. providing remote access to the user's workstation.
So, the above is about viruses and... first of all and largely about commercial antiviruses that use these methods for getting more and more profit without really thinking about end users or software developers.
Besides that, computer and networking service job experience shows that in most cases when real viruses are present in a system, antivirus programs can do nothing. No detection, or no really helpful action in case of detection. Thus popular commercial antiviruses are absolutely useless in most cases and even dangerous in some cases.
The most evil commercial products according to service engineering experience are: AVG, NOD32, AVP (Kaspersky), ThreatFire.
The most truly useful and really powerful solution is the ClamAV scanner, because it never lies (because it is free and open source software) and nowadays has a great virus detection level.
It has no "monitor", but that is an advantage, because when an antivirus monitor works, that means the antivirus monitor works on your PC, but not you. To control the system in real time, a security task manager can be used, like AnVir (freeware). For networking security a real network firewall can be used, like GhostWall (freeware). All those tools must be preconfigured and used all together as one security solution, so that the virus problem can be solved without buying other super-viruses that have the single aim of getting your money and that's all.
Thank you Nir, for your greatest free software tools.
They are often used in our free software project because they are extremely useful!
Have a nice day!
June 16th, 2009 at 2:07 am
I work as an IT Tech Support rep at a software company. Our software uses Microsoft SQL Server as its database. Over the past year McAfee has been a horrible problem for us. It seems they block the SQL server right out of the box. You have to buy their higher corporate version in order to not have it happen. Our clients are constantly getting an invalid database connection, because the DB is blocked. What makes it unsafe? It requires the use of two ports to communicate. Firewalls and spyware companies seem to have taken over the computers. They slow them down, and often don't catch half of what is actually spyware and viruses. It's sad, but I find it easier and safer to run without all that junk running all the time. I have found other ways to be preventative.
July 24th, 2009 at 2:40 am
Which AV companies are best/worst in this respect?
I assume that McAfee and Norton/Symantec are terrible. But what about the rest: Grisoft AVG, Avast!, AntiVir, BitDefender, Kaspersky, etc.? Are any of them reasonably responsive to false-positive reports?
I have some AV recommendations on my web site, and I'd like to add this info to it:
http://www.geeksalive.com/links.html
Thanks,
Dave Burton
Geeks Alive! Computer Rescue
Burton Systems Software
Cary, NC USA
http://www.burtonsys.com/email/
-----
Hey, Nir, do you know that your blogger comment-posting system is broken?
I tried six web browsers. Only one of them works.
In Firefox 3.0.5, Safari 3.2.3, Chrome 2.0.172.37, and IE 8 under XP Pro, after I select my TypePad ID, your page brings up a Preview and Word verification box, but there's no place to enter the verification word, and, in fact, the picture of the word is clipped off at the bottom.
In IE 8, there's the added annoyance that the scroll bar doesn't work in the preview box.
The Off-By-One browser doesn't work, either.
(Also, in some of the browsers, the Preview button does not work; it produces an error message, "Your request could not be processed. Please try again.")
I posted this using Opera 9.52, under which the mouse wheel scrolls the box to expose the place to enter the verification word and the "Post Comment" button. Opera seems to be the ONLY browser that works to post a comment here!
Dave
August 28th, 2009 at 5:04 am
This is so annoying - I try to help out reinstalling some guy's PC.. getting the keys out of the old and more or less crapped Windows installation - and almost before I start ProduKey I'm told that this MUST be a generic virus trojan or whatever - this time it was McAfee
Could we make a petition list or something? - would that help?
Peter
August 30th, 2009 at 5:23 pm
this is really pissing me off. I have to disable the antivirus prog to regain the lost e-mail password of a friend. Had this with f-secure and trendmicro.
September 1st, 2009 at 2:48 am
Great program. So little, so easy, so fast and still so effective.
You need such a program once a year or less, so put your virus defender software in the off state (disable it) and read your key. Next boot it's on again, and everything is fine.
September 4th, 2009 at 10:14 am
I've been using a simple a time sync prog for about 15 years (AtomicClockSync). Just a couple months ago Trend Micro started calling it a trojan or virus or something (Can't remember exactly which right now). I've also been using Trend for many years without ever seeing this before.
I reported this to Trend and their ultimate response was 'Stop using this program. It is not compatible with Trend Internet Protection'
I ended up just adding it to the exceptions list.
I can see why this is unfair to the small SW developers. It seems they should band together for some class action lawsuit that gets them more attention from the AV companies.
September 4th, 2009 at 4:17 pm
How about lobbying the anti-virus/malware testing organisations to include false positives as a negative in their testing? Perhaps some already do this, but when I looked at the latest test from Malware Research Group they seemed to rate the tested programs only according to how many true malware programs were detected (i.e. true positives).
I'm sure if some of these anti-virus programs started dropping in the ratings, or their favourable reviews became less favourable because of high rates of false positives, they'd quickly begin to work harder on remedying the problem.
After all, if an anti-virus developer wants a perfect score in one of these review tests, it would be simple to achieve: just block EVERYTHING. Makes no sense, but would get a great test score.
September 15th, 2009 at 9:32 pm
Nir! Great programs but yes, the false positive problem is an issue. I only have AV problems with your software when you use UPX for executable compression. Any chance of releasing executables that haven't been compressed?
September 18th, 2009 at 8:31 am
Our product iNet Protector is constantly detected as malware. We communicate with anti-virus vendors every month, but false alarms come back. Today this is harming our business to a very significant extent.
October 5th, 2009 at 3:00 pm
I faced the exact problem, my legit program has been classified as trojan/virus... those antivirus companies really go too far.
October 5th, 2009 at 5:26 pm
I think I'd select two major players in the market: Symantec and McAfee, and call their P/R department instead of sending your exe and asking them to remove the false positive.
We've had a similar problem in the past and all of a sudden one of our utility executables was detected as Malware by Symantec; after a week of communication, the problem was fixed permanently. When you use their web site, you'll always find people who cannot make decisions, but once you involve their legal, security or PR departments, you'll get to the right people to deal with the situation on hand.
October 5th, 2009 at 5:37 pm
Yes, I've had the same problem with Avast. They reported a part of my software, Puchisoft Dispacher, as a virus. To report the virus, you have to actually install their software (You can't just email them). So I did, and I used the software to report the virus, and they just ignored me.
I ended up having to change the code to do the exact same thing, but differently, which Avast didn't think was questionable, even though I was doing the exact same thing! Sigh... This is why I don't use Avast anymore.
October 8th, 2009 at 12:27 pm
I'm a sysadmin, I deal with users forgetting their passwords and me needing to get access "somehow" to a remote machine... Your tools, sysinternals and a few dozen others are MUST HAVE TOOLS! (they should be packaged with windows!, it's THAT essential!)
I did face the false alarms, I did face the deleted executables .. (we switched to Symantec's endpoint protection)
I'm faced with our proxy protection (websense)...
When are people going to understand, we are there to help... and yet we are seen as the bad guys from people who don't know, or don't have the needs we have ...
I will pray for AV companies to ban the "hacking tools" section of their products!
(if you install metasploit, I mean, you know what you're doing ... it's not like you don't know what you get into...)
AV should consider that fact...
or well... if you're unhappy use linux... but by doing so, you won't help other users in need of "respect" with their own online behavior!
Thanks for reading and thanks for that bell ringer of an article!
October 9th, 2009 at 3:25 am
I use a USB stick with an integrated read-only switch, which prevents Nirsoft utilities from being deleted by any antivirus when I plug it into a foreign PC.
October 9th, 2009 at 5:58 am
I've been using your utilities for some 8 years, I guess (not absolutely sure), and I'd like to say THANK YOU.
I have several times sent messages to some companies that produced anti-virus and security software (like Zone Alarm) in order to explain that NirSoft products should not be blocked. The problem is that I get no response and I cannot know if they care a straw for such letters.
I think these companies are too big to be scrupulous about small developers and small clients. The smaller companies or those that are based on a different approach would be more careful. For example, I remember some time ago Spybot-S&D included Nirsoft in its black list but then the list was corrected. Unfortunately, it is difficult to imagine companies that produce effective anti-virus software (which means a global task) to "waste their time" for the benefit of a relatively small group of individuals.
I must just note with regret that even Nod32, which used to be much more fair to NirSoft, now has it blacklisted, too. If you use the highest level of protection with Nod32, then you cannot download Nirsoft programs. In some cases, they get deleted automatically.
So what should I do to correct this problem? Organize the petition or what?..
October 12th, 2009 at 11:56 am
I found an interesting test on antivirus and "False-Positives (FP)".
At
http://www.av-comparatives.org/comparativesreviews/main-tests
you can view the test as a PDF. The last one is from August 2009.
On page 10 you'll find out that McAfee, Norman and Kingsoft detected over 40 FP while Bitdefender, Avast and MS detected 4 and 5 FP only.
October 14th, 2009 at 7:40 am
Just today I tried to download NirLauncher and the zip file is intercepted by Trend Micro during download and I cannot download it. Being a technician at a testing lab, this is quite annoying as I cannot use some tools necessary for work. Thankfully corporate security allows exceptions to uninstall or reconfigure Trend Micro when it's interfering with work. Overall Trend Micro is not bad but it's really slow and resource hungry. Symantec was better.
Good thing is that all AutoIt apps I create, to date, work with Trend Micro.
F-Secure also gets lot of FP's.
October 14th, 2009 at 9:47 am
I have switched Internet security software from BitDefender to G Data and though I really do prefer G Data it still has the same problem with issuing false positives. I am trying to find a contact I can get in touch with to report the problem to. NirSoft has so many great utilities it's sad to see this situation crop up again.
October 14th, 2009 at 8:12 pm
Antivirus software just exists to leave your system slower. The detection technique they use is "dumb" because they compare code with a database that is constantly being updated. If you code a decent private cryptor, all "viruses" will be undetected by this boring software. Also notice that due to this behaviour, if your program has some piece of code in common with another application known to really be malware, then it will end up being detected as well.
I don't use this software except for testing and vulnerability research. My advice is NEVER trust them. If people used a restricted user account on Windows, kept the system and applications always up to date and especially didn't open any kind of files they receive like pictures.exe (very well known social engineering used by malware) which surely is something malicious, then they wouldn't need an antivirus, since 99.9999% of the infections are the user's fault and not a critical remote vulnerability that was exploited by a recently coded worm/virus.
October 21st, 2009 at 4:01 am
All my antivirus software and registry cleaners have been flagged by Norton and main antivirus as virus! This is ridiculous! Thanks for this article, it's 100% true!
October 22nd, 2009 at 5:39 pm
I got a false alert by McAfee about iepv.exe saying Detected As "Artemis!28C110B8D0AD", Detection Type "potentially Unwanted Program". It did not clean or block the utility from running. This blog helped clarify that the AV alert could be ignored.
October 27th, 2009 at 5:17 pm
Well, I use Antivir (Avira)... and it suddenly started "spotting" SysInternals psexec.exe as a virus... There's a note on this from a user inside their OWN forum!
When I get a "virus warning" I usually google it first, to see if it's a FP. But it's BORING having to do this 1,2,3,100 times...
BTW, a fine way to "appear" on google and alert users like me is to post in the AV software forums.
Of course your Password recovery tool was branded as a "trojan" ... one more for the exception list.
October 28th, 2009 at 7:29 pm
Make your applications Open Source, so even if the antivirus panics, the user can still see the source code and confirm that there's nothing harmful in it.
Not providing the source code of a free (gratis) software is suspicious.
October 29th, 2009 at 9:46 am
First...thank you for all these great little programs. I really learn a lot by using them. Since they are free, I get the chance to see things and learn from them that I couldn't do if I had to purchase some of the larger and very expensive programs out there that do the same things.
I ran DNS Data View this morning and Norton Internet Security 2010 flagged it as a dangerous program, but gave me the option to allow it (which I did of course). They also provide a way to pass along through the program to all other users whether something seemed safe after using it. Of course, that is all based on opinion, but I am happy to pass mine along about NirSoft products to try and help.
Oh, and Juan....if you need to see inside the code, there are a couple of neat programs to do that too. I can only think of one right now (the others are on my other machine). I will post back later with other names. The one I am using right now is Resource Tuner (restuner.com). Trial version available.
Cheers!
October 31st, 2009 at 10:50 am
@Juan
AV companies don't need to have source code..
They use reversers & debuggers to analyse machine code & behaviors of the programs :p
Since Nirsoft "password recovery tools" don't connect to the internet to send something, it's a bit pointless to tag them as "trojan" because ALL TROJANS (I mean trojan, not virii) are using internet, right? Yet, I also saw real UNDETECTED malware embedding your pwd tools WHICH WERE DETECTED, using them with the command line to record passwords, and send files to a remote server (which then I get fucked by the ISP :p)
Crazy AV, no?
I have the same problem with my Nod32 when developing my own crypter for my own programs...
Since it's based on an open source crypter used sometimes by viruses, Nod constantly shows FPs when I compress dummy test programs (which just do a messagebox).. So, this is obviously not the program content that warns NOD, but really the encryption itself..
Well, I have an idea... To stop Virus detection, maybe you can use a tool that mangle / destroy / add junk/ add a sort of VM to the code? This may also stop scammers and rippers like the MSNinfo ones
November 7th, 2009 at 9:16 am
Antivirus software has lost its relevance. Just run your Windows system using the LUA+SRP ideology.
November 14th, 2009 at 1:10 am
The only way for this to change is for small software publishers to collectively sue 2-3 antivirus software companies (e.g., Symantec, McAfee) for libel. When my McAfee comes up and says that your software is a Trojan (like it just did) - it is a false statement and it is damaging your business. The only problem, of course, is that since you don’t charge for your software, damages may be hard to prove.
November 18th, 2009 at 9:15 pm
I agree that this is a problem. I hate it when a software program that I purchased deletes or quarantines programs that I have installed without asking my permission. This is especially irritating if the action takes place because of a false positive.
November 19th, 2009 at 12:09 am
Nir,
I couldn't agree more. It is not getting ridiculous - it has been ridiculous for a long time now. The only way I was able to even download your utilities in the recent past was to disable NOD32 completely. Then I downloaded them and stored them all on a flash drive. Whenever I needed to use them I would first disable any AV and AS programs. Lately I am able to download the Nirsoft utilities without any interference from NOD32, however I still disable it when I run the password utilities.
Thank you for writing this article. Hopefully more people will contact their AV developers and let them know that this won't be tolerated.
Jim M
November 23rd, 2009 at 1:42 pm
The only real solution is to make a website with a database for users that points to real developers. Kind of like filext.com. After a time it will become an authority on established developers. New developers should always be treated with suspicion.
You can also make a utility that checks programs' checksum and verifies it to a database. If it will become professional enough to not allow malware writers to pass the test it would become a priority for AVs to make sure they don't FP your database entries.
I think you can even ask the AVs to pay maintenance costs after a while (depends on your security and quality). It's also to their benefit, and it means savings in testing and in inventing new problems for their customers (that cost money in support).
There is no other solution and there will never be.
November 26th, 2009 at 9:26 am
Hi,
A scan by Systweak's System Protector identified MailPassView as malware on my work PC.
I had no idea I had MailPassView installed, and haven't had a chance to discuss it with the person at work that is in charge of computers.
I have just one question: is it possible for someone, a hacker, to remotely use MailPassView to steal passwords from my computer? Or is the only way to install it by having direct access to my computer?
I did not clean it using my antispyware software yet, but I will if I suspect that no one here (with administrative privileges) installed it as a password recovery system.
So, all I would like to know is: can MailPassView be installed remotely by someone hacking into my computer?
--
Thank you for your time.
November 28th, 2009 at 5:43 am
I do fully agree antivirus vendors are pushing their heuristic sensitivity too far.
It's crazy because it's almost preventing you from writing smart & optimized code!
All of this for commercial reasons...
Keep up your great work... I'll always disable my antivir for your great tools.
PS: you can use that great web site http://www.virustotal.com/
to have suspicious files analyzed by 40 antivir...
December 8th, 2009 at 8:56 pm
I have uploaded IE PassView on virustotal.com. 16 out of 41 scanners classified it as a Security Risk. To be fair, some detected heuristic or generic Trojans and 3 or 4 explicitly classified this tool as "NOT A VIRUS".
Let me say, I have had downloads from torrents that had fewer issues.
I am not able to test this tool on my own without potentially running into severe security problems.
I fear I have to pass on IE PassView, and everybody who is not able to check the integrity of this tool on his/her own should do the same.
Promised malware/virus/trojan freedom is not worse, but also not better, than too much heuristics in security tools...
December 14th, 2009 at 10:23 am
I recently contacted AVG regarding the 'Trojan' false positives; amazingly they have said that they will change the detection to 'potentially unwanted program'. Unfortunately this doesn't change the way AVG responds to the detection (it still prevents it being extracted/locks the file), but hopefully it will scare inexperienced users slightly less!
No idea how long they will take to implement this though.
I submitted a support ticket on the AVG website, which started the following exchange
E-mail exchange with AVG technical:
Mon 14/12/2009 09:10
Dear Sir/Madam,
thank you for your email.
Please excuse the delay of our response. Please let us inform you that the files attached to your previous e-mail were really infected. We would like to ask you to send us all sample files in a password-protected archive to virus@avg.com and write the archive password into the body of your e-mail reply.
More information about the topic on how to create a password-protected archive can be found here:
http://www.avg.com/faq?num=1341
Please be informed that AVG is preparing a similar feature as you suggested in your previous e-mail.
Thank you for your patience and understanding.
Best regards,
Vyara Lachovska
AVG Customer Services
website: http://www.avg.com
------------------------------------------------------------------------------------------------------
Monday, December 14, 2009 1:58:55 PM GMT
Hi,
I’ve been asked to provide the attached files in a p/w protected archive. Password is: avg1
Despite what your tech people have said, these files do NOT contain a virus, they are legitimate password recovery tools. I understand that these could be used as a hacktool, but AVG should only detect them as a potential threat, not a virus. Also the user should be given the option to ignore WITHOUT locking the file – e.g. an 'I know the risks this program presents and would still like to use it' button (like the confirm execution dialogue in Windows Vista).
Also, from a legal point of view, isn’t it libelous against the company that provides these tools to claim that they contain malicious code, when in fact the code in the program does only what is stated by its creator?
Regards,
Tom
------------------------------------------------------------------------------------------------------
Mon 14/12/2009 14:58
Dear Sir,
thank you for your email.
Please let us inform you that detection will be changed from virus trojan detection to Potentially unwanted program.
Thank you for your cooperation and patience.
Best regards,
Ladislav Krejci
AVG Technical Support
website: http://www.avg.com
mailto: support@avg.com
January 11th, 2010 at 5:57 am
I 100% agree with you. I don't so much have an issue with anti-virus programs being sensitive, but when they detect a virus in a non-infected file, then allow infected files to be downloaded, I think something should be done about it.
The government these days complains about people illegally downloading software such as anti-virus, but when you pay for the product and things like this happen, can they really blame those people? It's not something they charge $5 for; some charge quite a lot for a full year subscription and purposely let viruses through so that we pay for their software to fix our computer. I heard that McAfee does that. I'm not entirely sure if that's true, but I was using it and didn't notice anything unusual. I heard NOD32 is a well known decent anti-virus, so perhaps getting your program listed as uninfected by them might fix some problems with smaller anti-virus companies.. well, it's always worth a shot. But like you said, developers don't have all day to be fixing other companies' stuff-ups that are directly affecting your app usage.
At the moment I use trend and when I went to download your software this is what came up:
Website blocked by Trend Micro Internet Security
This Web page has been identified as Dangerous.
What you can do:
For your own safety, please close this web browser window now and never return to this website.
If you still want to see this blocked page:
1. Launch Trend Micro Internet Security console.
2. Click Internet & Email Controls.
3. Click the Settings... link under Protection Against Web Threats.
4. Click the Approved websites link in the next window that opens.
5. Copy and paste the address of the blocked website into the list.
Note: If you think this website should not be blocked, please notify Trend Micro by clicking this button:
January 22nd, 2010 at 12:16 pm
I downloaded Mail PassKey last night and AVG Free flagged it up as malware. Someone on SuperUser told me it wasn't. Anyway, thanks. If AVG hadn't flagged it up as a problem, I could have used Mail PassKey to extract a password from Outlook in a few minutes rather than flailing around for hours in regedit.exe and taking my frustrations out on SuperUser.
Keep up the hard work. I do hope AVG and the other AV software vendors get this sorted. Next time I need to extract passwords, I'll grab Mail PassKey and ignore AVG. Perhaps one way to do this would be if someone could get together a whole bunch of Windows freeware apps and use them as a test suite for anti-virus false positives. Then publish it - show the world which AV software vendors have the highest number of false positives.
Also, "potentially unwanted programs"? What? Isn't that all software? I consider Outlook potentially unwanted, but that doesn't mean it needs to have a bloody great big warning from AVG saying there's a problem.
January 23rd, 2010 at 5:51 am
Hi,
I experienced the same problem!
January 25th, 2010 at 11:44 pm
Yes! I think you are right! I am using an antivirus called VIPRE which is claimed by most organizations as the best antivirus software available. Now, when I downloaded your software to find passwords for nothing but good causes, the antivirus classified it as a trojan with high risk!!! And after I read your blogpost about "antivirus companies - a headache for small developers", I am really frustrated!!! Right now, I have sent the file for analysis!!! And I am going to contact them too!!!
January 29th, 2010 at 3:36 am
Hi Nir,
Those who are trying to use your tools are most likely aware that these tools deal with sensitive computer operations. Any tool that tries to access hidden information by overriding "standard operations" is most likely going to be identified as a threat by an anti-virus/-malware program.
"Large companies" that develop low-level repair tools advise the user to "turn off" any anti-virus program prior to running the tool. Password sniffer! Password revealer! Password INVADER! Whom are we kidding? How else does anyone expect a security program to react to such processes?
I love your tools dude. They are brilliant! I don't even care if they are infected! Heh! I am pretty damn sure they are NOT INFECTED! It's enough to say they are concise, smart and definitely useful.
Robert S.
February 1st, 2010 at 12:43 pm
Oh, those pesky false positive alarms.
Every third party activity taking place in the sacred chambers of the Windows shrine, or when you're touching the tender bits of the OS, raises false alarms. That's the stupidity of AV companies. They also very simply think that every packed file has a dangerous payload. Not everyone wearing a balaclava is necessarily a thief.
One should consider the source where they get a file. No need to be paranoid. A minimum of trust is necessary.
February 6th, 2010 at 2:05 pm
AVG is allowing me to choose to ignore the threat, but it still stops me from extracting the files. While I can disable the resident shield, something else blocks the extraction which I cannot disable.
February 6th, 2010 at 2:11 pm
I extracted the files on another computer to a USB key and copied them to my HD. I still got the warning message but was able to add the files to the exceptions list. However, if you're not quick about it, it will go straight to the remove/heal popup (which I just closed: extraction is prevented, but nothing happens when the files are already there).
February 13th, 2010 at 10:07 am
We must leave the window behind...
We must use free software!
Go GNU...!!!
February 24th, 2010 at 12:53 am
Found MessenPass via a post by Tina, "6 Free Password Recovery Tools for Windows".
I want to thank the creator, or creators of NirSoft. I had several days trying to get back the password of MySpaceIM, and surprise. MessenPass did the dirty job.
Do not listen to anti-virus, this program does its job and has to move things to succeed.
Thanks Again.
March 2nd, 2010 at 1:20 pm
Always the same problem.... Two stories :
1
I work in a big company which has a "secured" network. Last week, a technician came to see me:
"Who is mister X?"
"It's me..."
"You have some hacking tools on your computer."
I was obliged to delete all the nirsoft utilities...
2
malekal.com is a French site dedicated to security, a really good site where people always help you. For me it's the best resource in French about security.
The whole site was flagged by SiteAdvisor (a McAfee emanation) as a spyware provider... A spyware fix named Combofix.exe was considered a trojan.
I know this fix well, it works well, and it can fix some infections that McAfee couldn't fix or even detect...
March 3rd, 2010 at 8:00 am
I love these tools. Sad to hear that small companies are being targeted as victims, as if there were viruses in their software. But the bad thing is, if big companies like Microsoft are able to bypass any anti-virus software with no problems, that's bad too: all we need is some no-good-doers to start cloning their viruses as Microsoft software.
March 10th, 2010 at 6:52 am
Yesterday, I was at a public library using their high-speed internet on one of their public access computer systems and I downloaded the new 1.8.9 version of Unlocker from the Majorgeeks site onto a flash drive. Nothing on the library system decided to pop up and complain about the file during its download, or once the download was completed. Nothing popped up when I moved the file from the computer's desktop area to my flash drive.
I get home and start copying files from the flash drive to my system's hard drive, and suddenly Symantec's Norton Internet Security 2010 flags unlocker 1.8.9.exe as having a virus and deletes it forthwith without giving me the option of keeping it. The program's excuse for deleting the file is that it detected a heuristic virus which it named Suspicious.ADH. I'll see if I can submit the program to Symantec for re-evaluation, but am not that hopeful that will fix things. This isn't the first time NIS has decided a program on my system has a virus - one which logic tells me should be completely safe. That's because the majority of EXE programs that I download these days almost always come from trusted web-sites such as Microsoft.com, filehippo.com, and majorgeeks.com. If we can't trust THOSE companies to scan everything that they post for public usage, then every computer user in the world is in big trouble I guess.
Anyway, I thought I would mention my frustration with NIS in this situation after reading your blogs about most of the major antivirus companies finding false positives for viruses in a lot of programs. Winrar for example has had at least one of their recent beta releases flagged by NIS as having a virus. In that case, it may have been a legitimate virus removal since it was the virus that got put into a LOT of programs worldwide that were using Visual Basic, if I remember correctly. As for the adware stuff, I wish every single system utility program maker was as nice as you are about letting people opt out of the crap they add. I am sick and tired of all these programs like RealPlayer that want to shove Google Chrome or Yahoo Toolbar or Ask Toolbar down people's throats. Some of them just install the adware without permission and that is really irritating. That happens a lot with Ask Toolbar. It's too bad the customers can't file complaints with the Federal Trade Commission over that kind of behavior from computer software makers - or can we?
Thank you for making Unlocker. It's a lifesaver and prevents a lot of hair pulling when you have files on your system that Micro$oft Windows won't get rid of, no matter how many times you try to delete them. But once Unlocker gets sicced on the bad boy files, they get their comeuppance really fast!
March 11th, 2010 at 1:08 pm
I am the developer of Xenu's Link Sleuth, a tool to find broken links. I've had my share of "false positives", I have described these adventures here:
http://home.snafu.de/tilman/xenulink.html#spy
I'll make a link to your blog post after submitting this.
March 11th, 2010 at 2:51 pm
Suggestion, for False Positives. I run Norton AV 360. Twice I tried to run SearchMyFiles.
The first time nothing happened. On closer examination, I noticed that Windows Task Manager listed it as a running process. Then I got a popup with the message
SONAR detected security risk searchmyfiles.exe
SONAR has removed security risk searchmyfiles.exe. Your computer is secure.
Then I noticed that the program file was deleted.
So, I re-extracted it from the download zip file and tried running it again "As Administrator" (a Vista feature), thinking that I could over-ride the AV block.
Same thing happened again.
This time, I clicked on the SONAR details, and to Norton's 360 credit I saw the option to ignore this so called "threat" and ignore it in future scans.
Now, it runs without problem and to NirSoft's credit, exceedingly well.
Therefore, my suggestion is to check your Antivirus Software for options to ignore files/programs it detects as a "threat." Perhaps look for an exclusion list, but search and you will find, also contact your Antivirus publisher for help on this.
March 14th, 2010 at 12:34 pm
#> My program (compressed with an executable compressor) detected as a virus by some antivirus products.
#> My console program (running in debug mode) detected as a virus by N0RT0N 4NT1V1RU5.
#> My Windows Script Shell was blocked by some antivirus (feature called: script blocker).
#> and other shit... :p
I think I will create an antivirus by myself.
March 23rd, 2010 at 12:25 pm
I'm a small tools user. I encountered this problem a lot.
I'm using McAfee Enterprise, which is a must for my laptop as a policy of my company. I complained to the IT department. Wish they can help ask McAfee to stop false positives.
April 15th, 2010 at 11:51 am
Just a few weeks ago, Norton FP'd on a binary that we include with every single product we ship. This binary has one use; tell daemon portions of our software to shut down, so we can update them--so Norton was allowing the installer to run, would trigger on an extracted file, and then the installer would fail with "Sharing Violation" when it went to update the daemonized components.
Grr.
April 22nd, 2010 at 6:51 am
Some AV software review sites do treat false positives as an important hit to software quality.
As an example, http://www.av-comparatives.org/ currently rates Avira as one of the best in most of their tests, but it didn't land in their top 3 overall solely because of massive amounts of false positives... I think it will make the Avira makers notice, I hope.
Since AV vendors cooperate when it comes to virus signatures, I don't see any reason they can't cooperate on the FP signatures part as well (both to verify their heuristics in testing and to step off software authors' tails once reported)... all we need to do is to make it pricey for them not to do it... somehow.
PS. Thanks for the nirsoft cache of quality software... been a saver on many occasions and an indispensable tool in others.
April 23rd, 2010 at 12:34 am
I am glad that I found this blog! I am an independent game developer, and the installation file of my latest game has been detected as malware by many anti-virus programs! I am currently dealing with a number of unhappy customers, and I feel completely helpless to fix the situation. I am both relieved and saddened to find that I am not alone in this issue. I have linked to this blog on my site. Thank you for making us aware of the situation!
April 26th, 2010 at 5:16 pm
I can tell you the reason that AV programs are getting false positives:
Antivirus software does not ONLY scan for known viruses. It also tries to scan for unknown viruses by detecting "viral behaviour".
Viral behaviour is defined by the AV company in the antivirus software, but often viral behaviour is trying to read passwords from the system (as much malware tries to steal passwords), or taking screenshots, reading the keyboard in unusual ways, controlling mouse/keyboard (can be a sign of a Remote Access Trojan, RAT) and such.
And then the antivirus software detects the function in your software that reads passwords, and then it thinks it is some sort of evil password-stealer software, and then it classifies it as a generic trojan or something like that.
About Christopher's case, it can be some code in either the installation packager, which tries to modify a vital system file (to install game drivers or something like that) that the AV watches, or it can be code which detects keypresses in game via hooks, which the AV thinks is a keylogger.
A good idea is to write software WELL; do not use suspicious functions/APIs/hooks. Instead try to do it via the built-in safe functions, like DirectX and such. This will not cause antiviruses to complain, since such built-in safe functions have safeguards which prevent malware from using the functions in a feasible way, both in the AVs and in the functions themselves. For example a function will only be allowed to run while a fullscreen app is loaded. And AV software could have exceptions so that, for example, a game is allowed to hook the keyboard via DirectX while it is running fullscreen or has focus.
When focus is removed or the game exited, it must remove the hooks.
Trying to do things the "wrong" way will cause AVs to complain.
And when you report a false positive, what AV companies have to do is either create a whitelist signature which exempts the software from detection, rewrite the detecting signature (not always easy to do), or add the hash of the false positive to an exception list.
And here comes a security problem too: the problem is that an AV developer cannot whitelist too much, since then virus developers can write their virus in a way so it will fit a whitelist signature and skip detection.
And the AV developer cannot put in too many whitelists, since it will be huge for users to download, especially if the user comes home from a long holiday and should apply an update while their last update is 1 month old.
Another problem with whitelisting your software is that your software might not protect itself enough, so a virus/trojan could then piggyback on your software, for example shell():ing your software and then hooking into it to read off passwords and send them to some server.
This means the AV developer has to prioritize what to put in the whitelist and what not to put in the whitelist. Of course they select to whitelist software from larger companies (with a larger user base) rather than from small developers/companies.
So the conclusion is that false positives are something you have to live with when you develop software which is "security sensitive" in one or more ways, which your software is. Like you have to deal with the police if you engage in suspect activities (even if the activities are legal).
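As an added example, not code from the original post or from any NirSoft tool, the following Python sketches the two things commenters above keep circling: the "utility that checks programs' checksum and verifies it to a database" proposed on November 23rd, and the per-hash exception list Sebastian describes as one of the AV vendors' whitelisting options. It assumes the allowlist is a plain text file in the same `sha256sum` shape (`<hexdigest>  <filename>`), and the tool binaries and their digests used below are constructed inline so the script runs offline.

```python
"""Hash-based allowlist check for a directory of tool binaries.

Added example; not from the original blog post or any NirSoft utility.
Assumes an allowlist in `sha256sum` format ("hexdigest  filename").
"""
import hashlib
import hmac
import os
import tempfile
from enum import Enum
from typing import Dict


class Verdict(Enum):
    KNOWN_GOOD = "known-good"  # digest matches the allowlist entry
    MISMATCH = "mismatch"      # listed name is present but the bytes differ
    UNKNOWN = "unknown"        # file present, nothing listed under that name
    MISSING = "missing"        # listed, but the file is gone (e.g. quarantined)


def sha256_file(path: str) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_allowlist(text: str) -> Dict[str, str]:
    """Parse 'hexdigest  filename' lines; blank lines and '#' comments are skipped.

    Malformed lines raise instead of being ignored: a silently dropped entry
    would turn a known-good tool into an 'unknown' one.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"allowlist line {lineno} is malformed: {raw!r}")
        digest, name = parts
        bytes.fromhex(digest)  # raises ValueError on non-hex characters
        entries[name] = digest.lower()
    return entries


def check_directory(directory: str, allowlist: Dict[str, str]) -> Dict[str, Verdict]:
    """Compare every file in `directory` against the allowlist.

    Listed-but-absent files are reported too: that is exactly what an AV
    quarantine of a command line tool looks like from a script's point of view.
    """
    results: Dict[str, Verdict] = {}
    present = set(os.listdir(directory))
    for name, expected in allowlist.items():
        if name not in present:
            results[name] = Verdict.MISSING
            continue
        actual = sha256_file(os.path.join(directory, name))
        ok = hmac.compare_digest(actual, expected)
        results[name] = Verdict.KNOWN_GOOD if ok else Verdict.MISMATCH
    for name in sorted(present - set(allowlist)):
        results[name] = Verdict.UNKNOWN
    return results


def demo() -> Dict[str, Verdict]:
    """Constructed scenario: one pristine tool, one tampered copy (a wrapper
    appended its own payload, the piggybacking case), one quarantined tool,
    and one file nobody listed. All bytes here are made up for the example."""
    pristine = {
        "tool_a.exe": b"MZ" + b"\x00" * 62 + b"constructed stand-in for a known tool",
        "tool_b.exe": b"MZ" + b"\x00" * 62 + b"second constructed tool",
        "tool_c.exe": b"MZ" + b"\x00" * 62 + b"third constructed tool",
    }
    allowlist_text = "# sha256  filename\n" + "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in pristine.items()
    )
    with tempfile.TemporaryDirectory() as d:
        for name, data in pristine.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        with open(os.path.join(d, "tool_b.exe"), "ab") as f:
            f.write(b"appended payload")          # tampered: digest changes
        os.remove(os.path.join(d, "tool_c.exe"))   # "quarantined" by the AV
        with open(os.path.join(d, "stray.exe"), "wb") as f:
            f.write(b"not in the allowlist")       # unlisted extra file
        return check_directory(d, parse_allowlist(allowlist_text))


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict.value:11} {name}")
```

Two caveats the thread itself raises apply to any list of this kind. A digest pins one exact build, so every recompile or repack (UPX, a new crypter stub) needs a new entry, which is why vendors are reluctant to carry many of them. And a matching hash only says the file on disk is the one you expected; it says nothing about a separate program that launches that tool, which is the piggybacking case Sebastian describes.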
April 30th, 2010 at 8:47 am
I had this problem with Norton AV. First time it destroyed all your programs. Next time I put all your programs to exclusion list. Since that everything was OK.
So to be realistic I propose just putting the warning in the readme files. Normal users will manage their antivir progs. Stupid users may still blame you if they do not read the "readme" files.
Anyway your programs are fantastic!!!
May 8th, 2010 at 10:33 pm
The blog was a little tl;dr, but I agree with all that has been said.
I am programming myself using VB6, but since, for example, Avira updated to 8, 9, 10, almost ALL of my programs cause it to lie about them being a virus. Once I compiled just a simple form and it gave a false positive O_o
Sometimes I was able to trick Avira by UPX'ing the exe, but not even that helped sometimes.
This is the reason that caused me to switch to Kaspersky, but wait:
(quoting Sebastian Nielsen: "A good idea is to write software WELL, do not use suspicious functions/APIs/Hooks. __Instead try to do it via the built-in safe functions, like DirectX and such. __")
Actually, that doesn't apply to Kaspersky. ALL games that utilize DirectX to read the keyboard are now (how could it be) KEYLOGGERS (of course, duh).
My exception list is long enough, and that mainly because of the games, which are listed sometimes up to 4 times. On the other hand: recently my PC was infected with a virus, no idea where it came from, nor what it causes; Kaspersky didn't recognize it. The same goes for the older Kaspersky 6.0 for Windows Server 2003. WTF, is an old program version NO REASON to give it current signatures? *grrr*
I am not going to rant about McAfee's processmania, which is unprotected from (forced) stopping, or Avira's behavior of NOT protecting its own damn signatures from DELETION WHILE the program is running. I hope they fixed that. Would be fun to see a new virus doing that, though.
May 13th, 2010 at 4:22 pm
Hey Nir et al.
Love the utilities.
Something most people don't know, is that virustotal.com actually submits the samples to their respective engine vendors once we've uploaded them. This was done in response to malware authors running their code through the engines in order to obfuscate more effectively. I'm wondering if it might not be a bad idea to upload all of your .exes /.dll's in hopes of having them re-categorized or made "known." The problem arises when less scrupulous companies with phantom labs, actually copy detections from larger vendors. Detailed in this article:
http://www.theregister.co.uk/2010/02/10/kaspersky_malware_detection_experiment/
I'm not recommending a product, but i can tell you that Sophos has been very receptive when I've submitted your apps for white-listing.
As for false positives, endpoint security suites are scrutinized on their ability to catch 0-day type threats with their heuristics/behavioral analysis, so I wouldn't look for it to get better in the near future. From their standpoint, it's better to be safe and manually authorize a potentially harmful app than to face the consequences of not making a move.
I would also be remiss if I didn't throw in the extra security built into HIPS, which is becoming prevalent and increasingly necessary in corporate environments, e.g. how else would you block a piece of malware with thousands of variants without a behavior pattern? Lots of false positives here, including your tools.
The game has changed thanks to fake antivirus and its ilk.
May 20th, 2010 at 11:14 am
We have a SonicWALL appliance at work and it blocks the zipfile from being downloaded. The dialog claims the detection of "Asterisk.C" (Trojan) by the SonicWALL Gateway Anti-Virus Service.
May 20th, 2010 at 7:29 pm
I have just installed your NirLauncher on my PC and Microsoft Security Essentials immediately reported that:
- rdpv.exe is Hacktool:Win32/Passview, and
- iepv.exe is Trojan:Win32/Bladi!rts
I will notify Microsoft.
May 20th, 2010 at 7:36 pm
I just downloaded NirLauncher (based on recommendation in Brian Livingston's Windows Secrets) after nervously overriding the "dangerous" warnings. I haven't installed it yet. According to the preceding posts, there apparently won't be any issues with it. But how am I to know? Install it and face the possible consequences? Set up workarounds?
As a user (advanced amateur?) I find myself torn:
A condescending "Well it has to be said, that if the users are so stupid that they cannot tell the difference between a legitimate program and a virus, then perhaps they shouldn't be using them" isn't terribly enlightening. How are we supposed to tell the difference? Run the program to find out if it's a virus? Run the program and if all goes well, congratulate myself on my brilliance in not being stampeded into a virus panic?
= = = = =
So how does the user sort out the real stuff -- safely?
May 21st, 2010 at 8:54 am
While I was reporting the problem to Microsoft, I noticed this page on their web site, which I thought might be of interest to you, as it is specifically for software vendors to report false positives:
Microsoft Anti-Malware: False Positive Report Form (http://www.microsoft.com/security/portal/Shared/VendorFP.aspx)
May 22nd, 2010 at 12:16 pm
I personally use kaspersky, $100 for 2 years on 3pcs. (Less than $17 a year)
Personally, I don't think my computer would last 5 minutes without it. I go to a 1-1 school (A school where everyone has laptops) and the amount of viruses/malware I get is horrid (even hidden .bat files on USBs)
Kaspersky always asks what to do, so if there is ever a false positive I can stop it from removing the application. It is also useful in that it lets me control any suspect program (lets me run an infected program while denying it networking and file system access).
I'm not saying Kaspersky is the best, but it is the best I have found so far. Personally, while I love FOSS I always go commercial when I want something that will work without me putting thought into it.
May 30th, 2010 at 3:28 pm
Completely right - just using a runtime packer or some other not-so-widespread technique is usually enough to put you into the virus/malware report list of a couple of AV engines.
And I suspect that "security software" manufacturers are quite happy with all those false positives in their firewalls and AV engines, as they make their products seem useful and effective - as long as they are lucky enough not to damage the whole system or trash a well-known app, most customers won't even realize that they're being fooled.
I think today security software already does more harm than good; here's my experience with AV software:
-backup script killed by AV software putting one of the command line tools used by it into quarantine (took me one hour to fix it and caused one week without backup - luckily I did not need it then)
-two system utilities blocked as malware, nothing severe but still annoying as the AV tool seems to have a buggy exclusion list
-automatic signature update stopped working without warning on one machine, thus running with outdated data unnoticed for several months
-one personal firewall caused a machine to crash just by PINGing it
-one harmless joke program triggered an alert as virus "JOKE/something". Not that wrong, but it would scare the average user more than necessary, thus possibly overreacting
-one colleague got a trojan mail - detected successfully by AV software, but the machine got infected successfully anyway
-one friend got malware via PDF - detected successfully by AV, but the machine was infected successfully anyway
-another friend got his OS damaged into an unusable state by AV a few days before the ultimate release deadline, thus not being able to finish his job in time
-one free program I'm publishing got marked as malware/spyware/suspicious by a couple of well-known AV products, thus scaring users and potentially damaging my reputation
-one of the DOS files on my HD is reported as infected (which is somewhat correct as it still contains parts matching the signature); however the virus contained in it is inactive as its entry routine got overwritten by a repair tool. Quite annoying as the original is nowhere to be found anymore
-an old 5.25" floppy was marked as containing a boot sector virus (correct)
May 31st, 2010 at 5:22 am
Yes. AVs are not only bothering developers but their customers too! McAfee recently released a pattern update which flags svchost.exe (in the system32 dir) as a virus. And apart from flagging it, it deletes svchost.exe, making several computers unbootable! And for this mistake McAfee offered a rescue boot disk to fix the PC and, as compensation, it offered another freebie to the customer! Guess what? 2 MORE years' subscription to the dreaded McAfee software!!! I can't stop laughing!
Similarly, some years ago Norton implemented some tough activation measures to lock down pirate copies. Guess what? The so-called activation software had a vulnerability through which many systems were hacked! In other words, the people (& customers) who had legit Norton AV installed on their PC got hacked, while PCs which had some other AV or NO AV at all escaped!
May 31st, 2010 at 5:29 am
In the end, it is like going to a doctor for a medical check-up and getting infected during the process of the medical check-up! What the hell is the check-up for in this case?
Similarly, AVs, which are designed to keep up productivity by stopping viruses/malware, themselves do damage to the PC which they are supposed to protect!
In some cases the impact is mild (a few minutes of productivity lost), but in many cases the impact is serious (many hours of productivity lost and requiring more manpower to solve the mess)!
June 3rd, 2010 at 9:23 am
I think the solution can be simple and cost-effective. Just make a list of all your software production so we can insert it in the "excluded list" of any antivirus program (even if there is a piece of software that gives no problem).
For any new program you launch, just append it to the "list", so anyone who downloads from one to all of the NirSoft programs can be assured the antivirus program will not affect it.
Hope you understand my English and the whole idea.
Congratulations for making such useful programs!!!
July 10th, 2010 at 7:48 am
Avast antivirus (home edition, free) marks some of the utilities as "Potentially Unwanted Software". That's better than Trojan, but I still sent some false positive reports. The "Report false positive" button was right in the warning window. I like the option "Disable antivirus for 10 minutes/1 hour" too. You get why I use this one?
Nice tools btw.
July 14th, 2010 at 3:31 pm
I am the creator of webDOMinator, and two of the main helper utility programs that I use (wdbrowse.exe and wdupdate.exe) are required for things like updating the program and doing user registration, etc. Since they are included in my installer program in compressed format, they make the entire installer considered a virus. There are false positives all across the board. I used virustotal.com to run analysis on all of them using over 40 anti-virus programs.
Trying to guess what these companies are using in their guessing algorithms that make their software consider my software a virus is mind-wreckingly insane. I literally think I'd have a better chance setting up a petition and lobbying the government to pass a law requiring anti-virus companies that use heuristic-guessing algorithms to hire the staff necessary to answer and correct all false-positive reports within 48 hours.
Their laziness and greed has ended up costing me countless clients, because people download my program every day, and I'm sure that over 60% of people cannot use my software correctly due to anti-virus companies. I have even had my website reported and had to fight to get my website back up because my web site server company suspended my account. This heuristic guessing stuff not only causes a bad reputation for software developers, but causes more work to have to be done to try and figure out the logic of some of these companies.
They will not see the error of their ways until THEY are actually affected by this themselves and end up losing money because it's all they really care about. I think someone else already mentioned that most anti-virus companies would benefit from doing this because it would make it seem to the clueless end consumer that the internet is much more filled with viruses than it really is, thus causing more conversions on their end at the cost to the small software developers.
July 17th, 2010 at 10:18 am
As a security professional, I understand the issues that non-security-minded individuals face. I have used these so-called virus/trojan tools... they are not. It's annoying to have to turn off my virus scanner/make an exception to allow these needed tools. Is there something that can be done to mask those great tools from being blocked by the anti-virus scanners? As a forensic examiner dealing with live systems, I need to grab critical evidence without AV scanners getting in the way.
Please keep developing these kinds of free tools... You are a trusted site!
July 23rd, 2010 at 1:29 am
I am one of those people that constantly forgets their password, because for security reasons I have a different one for all my accounts, and your programs have really helped me, so thank you, and if people think your programs are viruses then they need to learn A LOT about computers.
Thank You for all your programs and keep doing a great job.
July 26th, 2010 at 8:24 am
Security Essentials from Microsoft (MSE) only detects MessenPass. Why?? Because I could easily, and with a little .Net programming, transform this app into a deadly IM password stealer. I think that considering these tools as Riskware is appropriate, since it is so easy for hackers to use them for bad purposes.
July 28th, 2010 at 4:36 pm
I have several utilities; one of them is a keylogger for Windows. Initially I developed it for my own use. We know that a keylogger can be used for good or bad purposes; I can't control it, but I state it before the installation begins: don't use for illegal purposes.
These years I am facing the problem of false positives; the users simply are not able to install the software, because before the installer starts several antiviruses simply delete it. My sales dropped 90%.
If internally we simply use an API, for example TerminateProcess, several antiviruses list our exe as a virus. That is stupid!
I will try to make noise about this problem. In a few minutes I will submit an answer to kasper: "...Can you send us a description of the functionality of this file? This file is engaged in theft of passwords."
Thank you for your initiative.
July 31st, 2010 at 1:28 am
I will save my time writing to antivirus companies; they are not going to remove my software =(, kasper, trend, etc. A new compile could probably help, but I would like to reproduce the article or idea of Nirsoft.
August 5th, 2010 at 9:41 am
I have false positives with McAfee on PortableApps and Xenu - thanks for this article that explains a lot - I could have been one of these users thinking "bad bad developer who put a trojan in their program"!
byz++
roland
August 19th, 2010 at 9:38 am
We were developing an update downloader for our software. After we finished building the application we went to test it. Works great and very reliable and stable. EXCEPT Vipre and Norton detect it as a Trojan virus.
So I sent them both an email to see why they are detecting an application made by a developer as a virus.
I can see their point, using this app for ruthless scams. But we do not even get involved in crap like that.
The problem is, the definitions are so broad that it detects anything remotely close to the definition.
For anyone that does not quite follow that line, it's like this: I build a virus detection application that detects the letters A, E, I, O, and U. Well, now it is going to detect any words that contain any of these letters. So all words are going to be detected as a virus.
We need to demand that they be more precise and specific in their definitions. Right now they have us over a barrel because of this. The fact remains that when it comes down to us or them, the customer will take the side of the anti-virus over us. It would seem to me that virus companies would have a developer submit area. Then they could check the file and add it to the definition list as acceptable.
Right now all they have is the broad list of what they look for. They need to make a developer submit area so we can submit our apps and be added to the don't-check list.
If an app is detected as a virus by some piece of crap anti-virus program, it is easy to tell the customer their program is faulty. But when Norton and other well-known virus programs pick it up, that's a pretty hard one to sell.
I
August 26th, 2010 at 1:51 am
Just a note... I have used your software on several occasions, and thank you for the great work.
I use Trend Micro, and I have submitted several false positives to them.
I receive no reply, so I have no idea how they handle that; it has even gone so far as to block your website,
and if I do bypass that it won't allow me to download anything.
It does detect your pass software as a virus, and I just came upon this blog, so I don't have that information,
but I do submit as false positive... keep up the great work !!!!
August 26th, 2010 at 6:30 pm
I just scanned NirLauncher 1.06.11 with AVG Free Edition 9.0.851, and it said NirLauncher contained nine "Potentially dangerous objects". So no, it looks like AVG did not do what they promised—to change it to "Potentially unwanted program". Too bad.
I've posted about this on AVG's forum.
August 26th, 2010 at 6:35 pm
In case you're interested, here's the URL of my posts about this on the AVG forum:
http://forums.avg.com/in-en/avg-free-forum?sec=thread&act=show&id=106153#post_106153
August 27th, 2010 at 5:57 am
A lot of the prank programs I use are blocked by Norton 360 and are called "security risk joke program".
August 30th, 2010 at 5:34 pm
All I can say is keep up the great work...
Thanks for the useful tools.
September 9th, 2010 at 1:56 pm
I use ClamAV for Windows and I've had a couple of problems with UPX-compressed EXEs, but nothing severe. NONE of the NirSoft utilities are detected by ClamAV, so I guess I'm one of the lucky ones.
Either way, after hearing this I may stop installing Avira on my customers' PCs entirely, and use only ClamAV or MS Security Essentials.
September 10th, 2010 at 9:25 pm
AVG also detects false positives, but luckily not all your programs; still, it's annoying, and even some false-positive programs that are verified by reliable sites are blocked as "trojans" while they're trainers for games.
But luckily AVG is more tactful, with the comment "possible high security threat", and lets me decide what to do.
Unfortunately, like in most AVs, the ignore buttons are not showing.
September 26th, 2010 at 6:17 pm
The Ignore button in AVG deleted the just-downloaded file on my computer... But AVG found a good way of managing that problem: you can find a possibility to add a downloaded file to the PUP list in its "advanced settings", even at the time AVG tells you there is a trojan there... I tried it and the warning message disappeared instantly... I am only afraid that I'll have to repeat it after unzipping the archive...
But more: AVG instantly computes and shows the MD5 (and saves it for further monitoring), so you can compare it without another tool needed.
October 24th, 2010 at 1:20 am
Hello,
I must admit that my software suffered from this issue for many years until I finally bit the bullet and got a certificate to allow me to code-sign my apps.
I had thought I would NEVER do this because I saw it as another rip-off for small developers.
However, since I made the choice and filled in the forms, my false positives have been reduced almost to nil. It appears the AV producers take note of the code signing!
Just a thought for us small guys. It is a lot cheaper than having a staff member trying to stop the false positives, and it really only adds one tiny process after the build.
I personally chose to go with Comodo, as their pricing was one of the best. However, if you are a small developer like me then please press your request with all such groups; they do not give them away easily!
As an example, I downloaded your PasswordFox app to try and get my passwords out quickly. I expected my AV program to refuse to run it! It did! No matter what I did, no go. So I signed the app myself! Lo and behold, it ran first time.
good luck!
November 2nd, 2010 at 2:02 pm
I've been having problems with my computer for some weeks now, and in trying to get utilities to correct the problems, I ran into your software programs and it looked like they would help. Unfortunately, everything downloaded went into quarantine, and I can't figure out how to stop it, short of disabling everything, which could prove to be just as damaging. I'm stuck, and I am not happy with antivirus programs that constantly identify programs as containing malware, viruses, trojans and the like. Is there not a way to attach a simple code to the program that can be recognized easily by the other major companies? They at least should be looking into this problem. It is why I haven't gone to purchase anything and I'm still running AVG Free; it sucks, but what can I do? I mean, what can I do? Is there a website I can make comments on? Or some other place to broadcast my displeasure at what these major companies are doing? Because of them I can't get the tools I need to keep my computer running at top speed. I guess I'm going to have to wipe everything and reinstall Windows and start over. And that makes me furious. I'm on disability and can't afford to buy programs like these, so I depend on the free downloads to help me out. I'd like to find some way of downloading NirSoft so that I can continue to use my computer with efficiency.
November 17th, 2010 at 3:56 pm
SuperAntiSpyware flagged Mail PassView v1.70 as a trojan. Just thought I'd pass it along. I scanned it with Avira before opening and it was virus free. SuperAntiSpyware must be a false positive.
November 27th, 2010 at 11:49 am
Hi, Thanks a lot for your great utilities, Nir!
Yes, false positives are a major problem. One reason that I do not have an AV program running all the time. In fact, I run instead the excellent freeware anti-malware app Malwarebytes. It has saved my computer before, and has very few false positives. (Well, the on-demand scanner is free. To buy the background scanner, there is a one-time small fee, for life.)
I sometimes do an online on-demand virus scan. I just did with the one at Eset.com. I am very glad I had set it to only detect and report, not delete or quarantine anything. It showed seven infections, which got me worried. On closer view though, all were your utilities. That was what brought me here.
Which AV program has less false positives? Kaspersky? Are all the free ones bad, including MSE?
It would be good if the problem was publicized in the general press. If more people were aware of the problem, and demanded a fix from the av industry, and refused to buy the products if not fixed, there would be a change.
I must comment, however, on one post I saw above by "Ramiro". He wrote above that he makes a keylogger, which he sells, but that his documentation says not to use it for bad purposes. Ahem.... Are you really that naive? Do you really think that a note in your documentation saying not to use it for bad purposes will make the crooks go clean, and not use it for bad purposes? I'm sure you know exactly who your clients are, and that most of them probably do use it for bad purposes! Shame on you! I think any keylogger SHOULD be flagged by AV apps!
Again, Nir, thanks for your great utilities.
December 3rd, 2010 at 5:57 pm
Goodware. Your programs are fantastic.
Best regards
December 9th, 2010 at 6:50 am
Hi,
Norton said "low security risk", but after disabling it - it worked like a charm.
Thanks, your program saved me a lot of time. After moving to a new house I discovered that my password was written on the back of my wifi router that I sent back to my internet provider. I have a home network connected with 10 or more devices: laptops, PCs, iPads, Wii, Squeezebox etc.
Thanks again Nir, for your great program, keep up the good work!
/Jo
December 13th, 2010 at 12:50 am
Why not make your tools open source?
People will still donate, maybe even more, if they truly believe you that your programs do not include spyware.
And the only way they can be sure is if the source is available and they themselves are able to duplicate building the binary from your source.
More or less, EVERYONE can say that your program is including spyware, until you provide proof that you are clean.
And MANY sites of many security tools are saying that it is spyware.
And you can not fight it, unless you are not OpenSource. It is That simple.
(There are open source licenses that will retain your ability to control the code and even OWN any code modifications if you want to, etc.)
December 19th, 2010 at 2:13 pm
I have several false positives with my software. Even if tools are no longer detected after submitting, the next release is probably a false positive again.
Almost all my software is open source, but I cannot expect my users to build the software from source, because for some projects this is rather complex and expensive (Visual Basic & PureBasic license). It would still be detected by the AV software, and the user will not spend years analysing the source code to come to the conclusion it's no malware, trojan or anything alike.
The only really potentially dangerous software is my tool "reg2exe", because for the generated files it's really unpredictable what registry information it may import (so it's not encrypted anyway - yet), but under that aspect any setup program can be treated as potentially dangerous - unless the AV checks file and registry access.
- Sometimes tools were detected as false positives when UPXed, but no longer after un-UPXing (maybe UPX changes code a little bit: http://sourceforge.net/tracker/index.php?func=detail&aid=2903148&group_id=2331&atid=102331 ).
- My software installer is currently detected as a dropper because it 'dropped' (installed) a (previously?) false-positive software.
- I once stripped a PureBasic project down till it was only 2 procedures, the first calling the second one, doing nothing at all, and the executable was still detected.
- Another library is detected after creating the DLL from assembler code, which only uses synchronisation (CriticalSection), timer and waveIn stuff. No network, no file or registry access, no IPC, no heap usage, no memory allocation/management; all memory reads/writes without any API usage. But maybe recording from the soundcard compromises privacy, even though it can never leave the DLL unless a program calls the exported API - which itself only returns the spectrum from the recorded waveform.
At a friend's I had 'contact' with SONAR from Symantec, and we agreed that the program declares any new software as potentially dangerous unless a certain amount of users are using it (or have been using it?).
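The UPX observation and the two-procedure PureBasic binary in the comment above both point at what a signature-free heuristic actually looks at: the PE headers and section table, not the program's logic. The script below is an added example written for this page; it is not code from the commenter, from NirSoft, or from any AV vendor. It builds two constructed in-memory PE images (a conventional compiler layout and a UPX-style layout) and parses the section table, flagging the three traits packer heuristics commonly key on: a well-known packer section name, a section that is both writable and executable, and a section with zero raw size but a large virtual size (the "unpack into here at runtime" pattern). The packer-name list and the size threshold are illustrative assumptions, not any engine's real rule set.

```python
"""Added example: read a PE section table and flag the traits packer heuristics key on.

Constructed samples only; not the original post's code and not any AV vendor's logic.
"""
import struct
import sys
from dataclasses import dataclass

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

# Illustrative list (an assumption for this example): section names left by common packers.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                         "MPRESS1", "MPRESS2", ".themida", ".vmp0", ".vmp1", ".nsp0", ".nsp1"}


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


def parse_sections(data: bytes) -> list[Section]:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _stamp, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # the section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rsize, rptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, rptr, chars))
    return sections


def packer_indicators(sections: list[Section]) -> list[str]:
    """Static hints a scanner can apply without running or unpacking anything."""
    findings = []
    for s in sections:
        if s.name in KNOWN_PACKER_SECTIONS:
            findings.append(f"{s.name}: well-known packer section name")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s.name}: writable and executable (self-modifying or unpacking code)")
        if s.raw_size == 0 and s.virtual_size >= 0x1000:   # threshold is an assumption
            findings.append(f"{s.name}: no bytes on disk but large in memory (filled at runtime)")
    return findings


def build_fake_pe(layout) -> bytes:
    """Constructed sample: DOS stub, COFF header, zeroed optional header and the given sections.
    Only the headers are meaningful; the image is not loadable."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000 * (i + 1), rsize, 0x400, 0, 0, 0, 0, chars)
        for i, (name, vsize, rsize, chars) in enumerate(layout))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table


# A conventional compiler layout, and a UPX-style layout (UPX0 is empty on disk, UPX1 holds the stub).
CLEAN_SAMPLE = build_fake_pe([
    (".text", 0x3000, 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x1000, 0x0800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x1000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])
PACKED_SAMPLE = build_fake_pe([
    ("UPX0", 0x10000, 0x0000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("UPX1", 0x05000, 0x4800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x1000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    # With file paths on the command line it inspects real executables; otherwise the two samples.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("clean-sample", CLEAN_SAMPLE), ("upx-sample", PACKED_SAMPLE)]
    for label, blob in targets:
        secs = parse_sections(blob)
        print(label, [s.name for s in secs])
        for finding in packer_indicators(secs):
            print("  !", finding)
```

Run it as `python pe_sections.py yourtool.exe` to see what an engine sees before it ever executes your code. A build whose only findings are the three UPX traits is a strong hint that the packer, not the program, is what the scanner objects to, which is consistent with the un-UPXed binary no longer being flagged.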
December 28th, 2010 at 12:03 pm
I am a Windows XP user and have not run any antivirus program for years. They all caused more trouble than they were worth. How can people run these antiviruses and not know this? I simply have the ZoneAlarm firewall installed. I have no idea whether it is working or not, except it claims to scan any files I download.
December 30th, 2010 at 2:22 am
I submitted to Symantec the false positive about WirelessNetView at https://submit.symantec.com/false_positive/
December 31st, 2010 at 6:55 am
I am an IT consultant and find most of your utils very useful, especially mailpv.exe, which I use every time I need to transfer the mail accounts of users who never remember their Outlook password, which is stored inside the program. I know the problem very well and think that any antivirus marks it as at least a potential risk and tries to block it, but I suggest and own just the smart ones that let the user eventually choose what to do, or that can be disabled temporarily (I prefer Avira Pro, which has many false positives but can deal with them and is very light on the PC). Congratulations on your job, which helps a lot to keep our job easier!!
January 18th, 2011 at 9:27 am
Concerning program ProduKey.
It seems to me that in some cases some people preparing packages of programs for distribution may include a virus in ProduKey. For instance, the Russian anti-virus program Dr.Web finds the virus Tool.PassSteel.469 in ProduKey v1.45 included in the package CPLDAPU. But... the same anti-virus Dr.Web finds nothing in ProduKey v1.45 downloaded directly from the web page http://www.nirsoft.net/utils/product_cd_key_viewer.html
Your program, Sir Nir, is very helpful and nice! Good luck!
January 21st, 2011 at 10:09 am
Avira Personal Free Antivirus - Avira happens to be the second most effective one among free antivirus applications. At least, that's how most experts put it. Though, it doesn't come with as many features as Avast - it works fairly well. And the free version from Avira won't claim that it'll protect your PC from spyware. For getting covered against spyware, consider getting something similar to SuperAntiSpyware as this one has its free version too.
January 23rd, 2011 at 9:29 am
Another False Positive from AVG:-
" Re: VVSAMPLE analysis
This e-mail is an auto-response message. Please do not reply.
AVG Research Lab has analyzed the file(s) you have sent from your AVG Virus Vault. Below you can find the results for each file. The final verdict on the file is either a correct detection or a false positive detection.
Further information about the verdicts are available at our website:
http://www.avg.com/faq-1184
"E:\Downloads\NirSoft (Nir Sofer)\ProduKey\ProduKey.exe" - detection is correct
Best regards,
AVG Customer Services
AVG Technologies
website: http://www.avg.com "
Ah, well, glad to see they're taking measures to improve!!! At least they now give you the option of wasting yet more time convincing them that they're wrong. Thoughtful chaps (and chapesses):
"The files you have sent us from your Virus Vault were analyzed, and the results are in the e-mail you have received. Here is a description of these results, and information how to proceed further.
1. Correct detection
In case the file is detected correctly, it will not be removed from the AVG detection. If you believe that the file should not be detected by AVG, please contact our Technical Support.
If you decide to keep the file and use it with the risk of possible payload it may carry, you can restore it from the AVG Virus Vault, and manually exclude it from the AVG detection:
* If the file is detected as a Potentially Unwanted Program
o Please open AVG - menu "Tools" - "Advanced settings" - "PUP Exceptions".
o Click "Add exception" and browse to the file.
* If the file is detected as a virus
o Please open AVG - menu "Tools" - "Advanced settings" - "Resident Shield" - "Exceptions".
o Enable the option "Use excludes in Resident Shield" and "Add path" to the folder which contains the file.
o Please note that the file will be still detected by AVG test. However, you can disable automatic healing in AVG - "Computer scanner" - double-click on scheduled scan - "How to scan" - disable the option "Automatically heal/remove infections". "
January 24th, 2011 at 3:17 am
I am a small shareware developer of different utilities. One of my utilities is a monitoring tool for parents. While 99% of my users are perfectly legitimate, for years I have been getting hurt by the antivirus companies, which not only call EVERY file of my app a trojan or virus, but also call my other tools (which are not even monitoring software) VIRUSES and TROJANS. My website had a problem of constantly being added to different blacklists just because of false positives, so I was forced to REMOVE all downloads from the website and move them to another domain just to prevent my website from being blacklisted. It's interesting that the same tools uploaded to download.com are NOT being blocked.
The idea of contacting the AV vendors regarding the false detection is not very good, because:
1) Sometimes you need to fill in a RIDICULOUSLY long web form asking all possible and impossible questions (like McAfee offers), and they don't even promise to serve your request. They even write that "if the request looks suspicious, we won't serve it". Moreover, McAfee has up to 6 MONTHS response time listed!!!
2) Even after removal of your tool from their databases it will certainly be added again after some months.
So these tools destroy my reputation and frustrate my customers; also the download sites are flooded with comments that my software contains trojans. I repeat, even absolutely safe software like a developer's IE plugin is getting marked as malware just because I have ONE tool which is monitoring software.
MOREOVER, even after I removed all tool downloads from my website, I placed "dummy" files in their place, which just show a warning that the download location is obsolete. Symantec CONTINUES to mark those downloads as VIRUSES!!!!
That's just ridiculous, and there are NO LAWS which could make AV companies responsible for this reputation and business damage. I am even thinking of going away from Windows utilities development and going to Mac, since Mac is not that populated with antivirus crap yet.
Recently I read an article where Kaspersky prepared a harmless file, marked it as a virus in their database and uploaded it to VirusTotal.com.
After some time, more than half of the other antiviruses on VirusTotal started to call that file A VIRUS, although it was initially clean!!!!
Things are getting worse every year, because antivirus companies are using more and more aggressive ways of detection and obviously become more virus- and spyware-like themselves!
Most 2011 antiviruses ARE SENDING INFO FROM YOUR COMPUTER TO THEIR HOME by default - for "better protection". Including websites visited and apps opened.
What is this, if not spyware??
Some apps like Kaspersky PURE are so bloated and integrated into every hole of your system that it looks like your PC is designed to run ONLY this antivirus software and nothing more.
After getting the antivirus installed, a user is constantly scared by different "threats" and messages that he is "not protected" and SHOULD PAY for protection. But actually antiviruses DO NOT DETECT new and really dangerous threats, especially rootkits, but detect lots of legitimate apps as viruses. It really reminds me of a Mafia world where you should pay the bandits to stay "protected".
And of course, many antiviruses consume more than half of your computer resources, and many real-life Windows PCs I saw with antivirus installed are so slow that they're almost unusable. Yet the antivirus companies claim the malware makes it slow, not their apps.
I believe shareware authors should create an association which will fight these issues until we are defeated by the so-called "security" companies! The association should be funded with donations, so we can SUE the AV vendors and get paid for the reputation and money loss! They should become RESPONSIBLE - and before this happens they will get worse and worse.
Antivirus companies SHOULD PAY for the damage they make!
January 25th, 2011 at 1:01 am
The attitude of many Antivirus companies is very tough in this subject -
If it's a tool that can be used by bad guys
January 25th, 2011 at 10:19 am
A simple rock can be used to smash your head or to build a wall!
Windows IS used to write viruses - and it's impossible to write a Windows virus without Windows!
Internet IS used to spread viruses!
Also, the funny thing is you are forced to pay them for the lack of security in Microsoft software! Thus you are paying for Windows not just once, but regularly!
Antivirus software is a unique market area - it has HUGE profits and absolutely NO responsibility!
That should not be forever, the customer should FORCE them to be responsible. If you are buying the antivirus and then you have a virus problem, THEY SHOULD PAY for that. Insurance companies are paying. What is the difference?
This criminal business should be stopped!
January 25th, 2011 at 4:09 pm
I'm behind a corporate firewall that apparently detects WirelessKeyView as a virus -- but I don't even get a warning -- all I get is a corrupted download -- a 12K file instead of the 56K file. If I download from download.com or from nirsoft.net I get a shortened file -- apparently the firewall is clipping the file -?!?
January 31st, 2011 at 2:12 pm
PRODUKEY_SETUP.EXE was detected as trojan HEURISTIC.ADH by the Norton Internet Security free trial and quarantined. Norton's scan is still in progress. When it's finished I shall have to restore the file and put it in the exceptions list. I downloaded it several days ago from NirSoft. Microsoft Windows Security Essentials, which I was using at the time, did not object to it. I only installed the Norton free trial the other day. The first install did not go in properly and I had to uninstall and then reinstall it! I am very annoyed at the amount of time, two and a quarter hours, Norton's false positive has taken me to research and come to some conclusion about what to do with this NirSoft file. I think I shall go back to MSSECES when the Norton free trial is finished!
February 3rd, 2011 at 9:27 am
Would it be that hard for you to start digitally signing your applications and installers using an Authenticode key obtained from a provider such as Thawte? At least that way users could be reassured that the products you provide have not been tampered with since you built them. That would go a long way towards reassuring users that you are a legitimate developer.
February 3rd, 2011 at 1:06 pm
A group of us in IT actually caught a typical English Sheep Shagger in London who was attaching a trojan stub to NetResView and USBView. He was an 'insider' and had been doing this for weeks.
Two problems arise: the genuine programs on NirSoft that are detected as viruses/trojans/stealers etc., and unscrupulous people who are packing real viruses etc. into your programs.
February 11th, 2011 at 5:51 pm
The problem I see with many antivirus companies getting it wrong is the way the file is packed, or similar.
If all anti-virus, malware, trojan, adware detectors had a shared vast database for uncompressing all archives, including DOS files and files from old computers, then there would be very few positives and false positives.
Yet then those companies who make the anti-virus, malware, trojan, adware etc. software would have little or nothing to do. They say this is what they would like most of all; I doubt it, since they are all money orientated. If there were less, do you think xyz protection software would still be free for home users?
What of the companies that think their exclusive package should not be available to anti-virus, malware, trojan, adware checking software? The way I see it, if I cannot unpack it with tools like Universal Extractor then I never use them. Which includes many famous companies' software; true, I don't run much software at all compared to some people. I have them, just not yet got round to trying them. Someday maybe sit in a virtual Windows OS using snapshots to try them. The way I think of that software: why hide from anti-virus, malware, trojan, adware software? And then, by hiding from them, they must have bad code in them; wonder if the companies ever thought we think of that.
Of course I do know NirSoft software that is downloaded from NirSoft is safe. And yes, anti-virus, malware, trojan, adware do complain, but still I use them. It's the way it is now for many users and software, NirSoft or not. I wonder sometimes if I really ever need any anti-virus, malware, trojan, adware software, since I haven't really trusted any for a long time.
February 20th, 2011 at 10:37 am
I agree with you 100%, AV sucks !
February 25th, 2011 at 6:33 pm
I am well aware of the problem of false positives, so when I downloaded SocketSniff and it was blocked at start up, I went back to the download page to see if there was any warning that this might occur with some AV programs. There was no warning, only an image saying "virus free". This is useless, because "they would say that, wouldn't they!".
So I downloaded the package from another site, and it did the same thing. This makes it more likely that it is a false positive, but it doesn't completely eliminate the possibility that it really is a virus.
The next step was to search for "SocketSniff virus", expecting to find sites that report whether it is, or is not, a virus.
With AutoHotKey you quickly find lots of agreement from users on the fact that it is a false positive. Not so with SocketSniff. All the sites I looked at said previously existing malware on the PC will hijack SocketSniff and use it for their own purposes. There was no mention of false positives. Under the circumstances, the wise user will not use the tool.
Even on this page, there is no mention of SocketSniff being treated as a false positive.
What I suggest you do is:
1. Change all your download pages to alert users to the possibility of the false positive. You could even list the AV programs that you know do report it.
2. Create individual web pages for each package with "SocketSniff" and "virus" in the title, so that search engines give those pages a high ranking. The content could be just a copy of this page, but the more specific the better.
3. Create an MD5 hash of the download file and put it on the download page, so that people can check for themselves that the file is the original and hasn't been hijacked by hackers.
4. Be open and honest about the situation up front, instead of hiding the possibility and having to deal with unhappy users afterwards.
5. For SocketSniff, change the way it works so that SocketSniffHelper.dll doesn't suddenly appear out of nowhere in the start-up process.
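As an added example of the hash check the commenter proposes in step 3 (not code from the post or from NirSoft): a small Python verifier that compares a downloaded file against a digest published on the download page. The sample file contents, the file names and the hash listing are constructed here, and SHA-256 is offered as the default alongside the MD5 the comment mentions.

```python
"""Verify a downloaded file against a hash published on the download page.

Added example for the commenter's step 3; not code from the original post or
from NirSoft. Sample bytes, file names and hash listings are constructed.
"""
import hashlib
import hmac
import os
import tempfile

# MD5 (what the comment suggests) still catches a corrupted or swapped download,
# but collisions are cheap to build, so SHA-256 is the safer default today.
DEFAULT_ALGORITHM = "sha256"


def file_digest(path, algorithm=DEFAULT_ALGORITHM, chunk_size=1 << 16):
    """Return the lowercase hex digest of a file, hashing it in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_published_hashes(text):
    """Parse 'HEXDIGEST  filename' lines (md5sum/sha256sum style) into a dict.

    Blank lines and '#' comments are skipped; digests are lowercased so a
    copy-pasted uppercase hash still compares equal.
    """
    published = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: no file name after the digest
        digest, name = parts
        published[name.strip().lstrip("*")] = digest.lower()  # '*' = binary mode
    return published


def verify_download(path, published_hex, algorithm=DEFAULT_ALGORITHM):
    """True only if the file's digest equals the published one.

    A mismatch tells the user the bytes are not what the author shipped (for
    example an archive an AV has 'cleaned', or a trojanised repack). Whether
    the *original* is a false positive is a separate question the hash cannot
    answer, and the hash must come from a channel other than the download
    itself, or a swapped file could simply ship a swapped hash.
    """
    expected = published_hex.strip().lower()
    if len(expected) != hashlib.new(algorithm).digest_size * 2:
        return False  # wrong length can never match this algorithm
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def write_constructed_sample(data):
    """Write constructed bytes to a temp file and return its path (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Constructed stand-in for a downloaded zip, plus a constructed listing in
    # the format a download page might show.
    sample = write_constructed_sample(b"abc")
    listing = ("# constructed SHA256SUMS\n"
               "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample.zip\n")
    expected = parse_published_hashes(listing)["sample.zip"]
    print("sha256 matches:", verify_download(sample, expected))
    with open(sample, "ab") as f:      # simulate an AV rewriting the archive
        f.write(b"\x00")
    print("after modification:", verify_download(sample, expected))
    os.remove(sample)
```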
February 26th, 2011 at 5:53 pm
Well, if the program worked it would be great, but it is quite apparent that you have not updated since changes starting back in Nov-10. I was an advanced programmer for 8 years and have been a consultant for 20, well aware of the problems. I also know exactly most of the changes that MS made that are currently preventing your program from working at the current time; I just downloaded and tested again on Vista 64-bit and you need to update. As most people are already aware, MS has again, just in the last week, made significant changes requiring many companies to update their software. Anyway, I don't program any more and have no desire to, so good luck! I have verified it is virus free but it still does not work. Good luck and I wish you success!
March 3rd, 2011 at 1:01 pm
A "hacker" just deactivates the antivirus, so the false positive is really stupid for users. I agree with you.
March 7th, 2011 at 7:22 pm
We had this exact problem happen to us twice. We have developed 2 small windows applications using the .NET framework and they both keep triggering false positives. It took us a while to figure out a way around it. Antivirus companies have gone too far.
-Haley
March 14th, 2011 at 6:16 am
Almost two years on and Microsoft's Forefront Client Security still flags Passview (iepv.exe), Mailpassview (mailpv.exe) and Msnpass (mspass.exe) as "HackTool"s (Medium security risk), and worse, VNCPassView.exe as the trojan Win32/Dynamer!dtc, completely blocking access «sigh».
«Double sigh» - even when explicitly selecting the "Always allow" option, Forefront overrides the user's (my!) choice with "Remove" - AFTER I click "Apply Actions", thus deleting the software, whether I want it to or not.
Stoopid AV (actually it's a fairly decent AV *most* of the time, but every so often...)
March 17th, 2011 at 11:07 am
I had the exact same problem with Forefront Client Security. Now I bought AVG Threat Labs (avgthreatlabs.com) and it didn't block Mailpassview or Msnpass, which is a good thing. It also quickly scans every page that you attempt to access, so I think it has performed well so far.
March 17th, 2011 at 12:30 pm
Microsoft Security Essentials gave this warning. I am now uninstalling that software. One of the rare cases where false positives affect the antivirus company rather than the developer. I got this with IEpassview.
March 17th, 2011 at 1:08 pm
Also, to check which AV products give you a false alarm, upload your file to http://virusscan.jotti.org
March 22nd, 2011 at 10:52 am
I write Perl scripts and turn them into executable files with PerlApp. For a long time, the compression with PerlApp was frankly terrible. I used UPX to get a much smaller file until, you guessed it, AV companies started flagging the file as a virus. If I changed the method of compression to use PerlApp instead of UPX, the message went away. The script was unchanged, but apparently, just because some virus writers liked the compression they got with the free/open UPX, I am now a criminal. I reported it, of course, but it keeps coming back.
March 25th, 2011 at 7:23 am
All I can say is, I have had enough of all these false positives. I have been developing applications for over 25 years now, ranging from web apps to desktops, and I have had to stoop, yes stoop, to levels I never dreamt possible, just to get my applications to run. If anything, AV companies are making us into hackers! I suggest a ban on all AV products just to get the point across that AV companies need to listen to developers worldwide and not just the money... How can a program with +- 9000 man hours be a virus? Get real, no one is going to spend that amount of time developing a virus; there is no money to be made!
April 5th, 2011 at 7:46 am
WELL SAID! I've struggled with this issue myself. One time I had a battle with Emsisoft over it and I and my PC lost (initially). One possible solution might be if we can identify a (what I call) Honest anti-malware company. One that calls a spade a spade. For instance, if it scans and finds a keygen, it says it's a keygen used for this and that and can be dangerous. I don't program software but I do repair PCs, and quite often you need some creative tools to get to the bottom of things.
So, does anybody know of or have experience with an anti-malware program that is honest according to my definition? If so, I say we drop the programs we use and buy it and use it. The developers will get the message if their income drops.
Now, that being said, I've actually had experience recently with three that did this somewhat. Strangely enough, one of them was Emsisoft Anti-Malware. It tagged a few viruses and identified a couple of my creative tools as potentially harmful, and it tagged the real threats for quarantine and left the others untagged with a low danger rating. I almost fell off my chair. The other two (and I'm not saying they are perfect) were Avast and, believe it or not, Microsoft Security Suite I think it's called.
Anyway, I would love to know which anti-malware programs provide honest disclosure. After all, aren't they supposed to be protecting the paying customer from malware?
April 8th, 2011 at 5:10 am
John, yo, I think you got AVG antivirus (http://www.avg.com/us-en/internet-security) and not ThreatLabs (http://www.avgthreatlabs.com), which is a threat detection website. Unless I'm mistaken?
April 14th, 2011 at 4:48 am
John, you misunderstood: you must have bought an AVG antivirus and not AVG ThreatLabs - that is their website rating and security site.
April 20th, 2011 at 6:03 am
mailpv.exe is not detected as a virus in Windows. It is only when Avast V6.0.1086 is launched at startup.
Fortunately I had a backup on an external hard drive!
April 20th, 2011 at 7:53 am
John, I think you're a bit confused. AVG ThreatLabs (http://www.avgthreatlabs.com) is a threat detection website and not a piece of software. TL is a cool tool though, as it helps keep you safe when visiting any site.
April 29th, 2011 at 11:22 pm
Hi,
I am willing to help you; you're not the only one having this problem. I know of a lot of small devs with the same problem.
As far as I am concerned, I'd say without exaggeration that 80% of the most dangerous viruses out there are manufactured in "big labs". I don't care what anyone says; as far as I am concerned they are behind most viruses out there. "Let's call a cat by its name."
Think about it: why would they distribute viruses? Simple, they make you buy their s**** and keep updating it.
Sometimes they even use third parties to distribute their rubbish on the internet and suddenly, yeahhh, they have the solution.
Not to mention the ones they don't detect, spying on us 24/24.
The same thing with pharma companies: they don't make drugs to make you feel better, they create the diseases and create a drug that will make you even sicker, and when you start to feel worse they test another drug on you; by the time they have taken all your money it's time for you to die.
You think I am exaggerating?? Good, keep thinking that way. Check it out for yourself.
May 14th, 2011 at 6:10 pm
Today I downloaded the zip file of WebVideoCap and right after I extracted all the files, the folder was quarantined by Immunet 3.0 w/ClamAV. It said WebVideoCap is malicious. <--- THIS IS A FALSE POSITIVE!
WebVideoCap is FINE! Nothing malicious about it!
I opened Immunet and changed the quarantine option from automatic to ask me. Then I copied the files inside the zip folder and put them into another folder. Problem went away. Now I can use the software like normal.
May 16th, 2011 at 1:48 am
I totally agree. I have been selling shareware screen savers for over 10 years, and every now and then I get an email from a customer telling me that their antivirus program has detected Trojan XYZ in my screen saver and deleted it from their system! The customer then comes to me for help. It's usually Norton and Symantec who are the worst offenders.
I used to use a packer (ironically to make it a little harder for people to steal my software), but got even more false positive reports from various antivirus tools, so had to unpack my installers.
I'm getting sick of dealing with it. I wish the big A/V companies would just pull their heads in. It's tempting to think that they cause more problems than the viruses they supposedly protect us against.
May 23rd, 2011 at 11:18 pm
That's why I always set my antivirus (Avast Free Edition) to ask me what to do when a threat is detected. I find it is not always a good idea to set the automatic handling of an action in any security software.
May 26th, 2011 at 10:57 pm
I tried many of the known anti-viruses, but almost all of my programs were identified as viruses.
The problem doesn't stop there! The anti-virus program also removed some of the critical system files of my Windows 7!
Now my computer cannot use automatic hardware installation or web browsers!
July 11th, 2011 at 10:15 pm
This is why Open Source Anti-viruses are the best. http://www.clamwin.com/
Their focus isn't corporate profit, but rather, serving the user.
July 12th, 2011 at 9:32 pm
@gluxon
Unfortunately ClamWin doesn't have a real-time scanner; other than that it's great software.
A quote from the website (clamwin.com):
"Please note that ClamWin Free Antivirus does not include an on-access real-time scanner. You need to manually scan a file in order to detect a virus or spyware."
July 18th, 2011 at 1:53 pm
I can only add that your software worked for me. Thanks...
July 31st, 2011 at 7:46 am
If anti-viruses make mistakes -- and they do! -- obviously the consequences are not only the mistreatment of the software incriminated as virus/malware when it is only a false positive, but also the user's confidence/doubt regarding other alerts: who, why, when to believe or not.
Finally, reputation helps, and Nirsoft has the reputation of quality and healthy applications. This is where I stand when in doubt: what I know and have read of the developer.
August 3rd, 2011 at 9:10 am
Hello,
I use Kaspersky Internet Security 2012. I tried to download the NirLauncher ZIP file with all the apps included. After the download is complete, Kaspersky scans the file and detects niffpass.exe as a Hack Tool. Kaspersky instantly cleans the ZIP file of this app. The result is the following: WinRAR told me the ZIP package is damaged and cannot be extracted. This makes the complete Launcher app useless.
August 6th, 2011 at 1:21 pm
08-06-11 12-13 pm
OMG,
Your article is as pertinent today as ever.
Kaspersky was just installed on my machine, and before I knew it... it was deleting programs I had written!
With Kaspersky, go to Settings, the box icon, then go to Threats and Exclusions, the top Settings button on the right.
Uncheck stuff like suspicious compressed packages and malicious tools.
Trouble is, you hate to tell the client of your software to do this 'cause he isn't smart enough to believe you.
Is the answer to use code signing?
..Ed
August 11th, 2011 at 5:31 am
Turns out even Microsoft gets false positives from time to time... the latest Symantec definitions give a false positive on a 12-year-old demo program from the classic Microsoft Press book "Programming Windows with MFC" by Jeff Prosise!
August 18th, 2011 at 5:48 am
Well, I tried today to download ShellMenuView v1.15 as a zip file.
Immediately, at the "unzip_to_folder" step, the Sophos AV installed on my machine recognized the executable (shmnview.exe) in the zip file as adware/PUA "NirSoft", classified as a "hacking instrument", then quarantined it.
Who/what should I trust now: the AV alert or the utility's author?
Honestly, it's not an easy decision... (to be or not to be)
(sorry for the poor English)
Danilo / Rome (Italy)
August 27th, 2011 at 8:19 am
I have a friend who owned a computer-communication services company. From OEM discs he installed Win XP and Office 2003, years ago. I tried to load a Microsoft downloaded math module into it, got to the program point where it said insert the CD. I had none, so backed out of the program. After that, every time I tried to cut/paste plaintext from an editor or text from an HTML page, it restarted an "install" thing that had to be canceled twice before the cut/paste happened. Needless to say, it made the product useless. I did some web reading and learned of the product code garbage, where a valid install [one Windows Update checks and likes] can become problematic. My friend had since sold the firm. By asking, he had the new owner send a technician to my home, the "fix" being to use the current OEM Office install disc and put Office 2010 onto the box, without leaving product key info, as with the first time. In searching for key recovery software I encountered one highly rated that had a free version and a paid upgrade. The free one would not decode the Office 2010 key, and said purchase the upgrade. Another download, from an Indian firm, freeware, simply said it could not decode the Office 2010 key. Nirsoft ProduKey was the third I discovered. It worked; I have key info securely stored. Great. In downloading Nirsoft I read a bit on the website. Current free Avast scan and current Malwarebytes both claimed infections - differently named, with naming seeming as creative as the pharmaceutical industry's - but not saying it was serious. However, Avast on the first quick scan after downloading quarantined ProduKey.exe and the archived install file. I had to restore them, and try to make sense out of two quarantined System Volume Information files [probably produced after the Nirsoft download-install]. I restored stuff, and then did directory scans with Malwarebytes and Clam. Clam said the Sys.Vol. files and Nirsoft were okay, infection free. Malwarebytes said Sys.Vol. okay, but noted Nirsoft.
I post this in case others have not just Nirsoft noted as a 'problem' file, but also get Sys.Vol. files quarantined.
User access to the Sys.Vol.Info. directory is blocked in my config of Windows XP [I do not know if this is generic], but the AV scanning programs can access it. However, when Avast quarantines a file you cannot get date-created info in the UI of Avast, nor from Sys.Vol.Info - at least I could not. Hence I presume that the two Sys.Vol.Info files Avast noted, but Clam and Malwarebytes reported as not infected, were quarantined by Avast after the ProduKey download-install.
Any other users having a similar experience, or better troubleshooting knowledge, are asked to post, including the real-time AV or the scanning AV that is in use. Avast, I am reporting.
September 17th, 2011 at 3:41 pm
Downloaded iepv about a week ago, and ESET NOD32 is fine with it. On the other hand, I get a PUP detection with Malwarebytes. Just told it to ignore the file, and all seems good.
Thanks for the software, works well, does its job nicely.
September 26th, 2011 at 3:30 am
In order to provide ACCOUNTABILITY and TRANSPARENCY about this plague of both false positives, and now, the even more serious issue of mis-rated web sites, we have founded a CENTRAL REPOSITORY where false positives and mis-rated sites can be listed. Please see http://falsepositivereport.com .. This is a non-profit, open, community site dedicated to saving small businesses from this terrible plague, and making AV companies accountable for their actions.
Further, consumers can see which security vendors CARE about this issue, and which don't. Based on that, they can make their purchasing decision.
This site just went up 1 day ago and has grown fast already ... It is SO important to have a CENTRAL location so that everyone can see how bad this problem is.
October 2nd, 2011 at 1:04 am
Why don't you create your own antivirus? I love Nirsoft, and all your software is really great.
October 3rd, 2011 at 3:06 pm
I think, regarding some antivirus companies (AND OTHERS), that it is first of all a moral-ethical business-related question. If the selling of a product mostly depends on and thrives on the fear a company instills in the consumer if he or she does not have a particular product, or the belief that thanks to said product you are safe, extending the practice to showing False Positive Alerts as a means to convince you that the product is worth having, then it is purely and simply a con-artist business.
I suggest that we consumers should do our part to show those companies that engage in such conduct that we do not accept False Positive Alerts. How? Simply by contacting the company and telling it that it should add the product to their SAFE DATABASE, or issue a review report telling why the product is UNSAFE.
November 15th, 2011 at 10:40 am
Sounds like it's time to gather all the smaller devs up and launch a class action suit. This problem will not go away until someone does something to get the big AV developers to listen; litigation is usually good for that.
November 16th, 2011 at 5:31 am
It is annoying as hell. Today (not the first time) I'm dealing with Avira because they flag 2 of our downloads as 'potentially' dangerous. I only discovered this because I am using Avira myself, but God only knows what the others are doing.
This really hurts my small business and it really pisses me off big time!
What also bothers me is that the owner of the website isn't notified. It can be a week or longer before you find out that some ass-wipe virus scanner is flagging your software as malware etc.
November 23rd, 2011 at 2:29 pm
I've made a program in AutoIt 3 to update my own apps, made in AutoIt 3 too. But now my update app is detected by Kaspersky as Trojan Heur. The worst thing is that it deletes the file instantly, so I can't even take any action. Is there no standard way to program some kind of update program without being detected by the AV? This is annoying.
November 24th, 2011 at 2:25 am
I am a very computer-oriented person. I've had my laptop for about a month now, maybe less, and there's less than 10 GB left of my 1 TB hard drive. Within all that used space, I have thousands of programs, many of which I or my friends wrote. It is very annoying as a developer to write a program and, as soon as you save and exit, have it deleted by my anti-virus. There goes 3 hours of hard labor. As a user, I've had to download the same programs over and over and over and over and over... and over again. Ugh... what a pain in the butt. Most of my programs include game-specific macros, or calculators. Many of my programs are keygens (how I have a $60/yr antivirus registered for 50 years). I have yet to see a clean keygen skate through the hoops of my antivirus software. Thankfully, I use Sandboxie frequently, otherwise I'd have a virus that did make it past my antivirus that I downloaded expecting another keygen. Figures, right?
If we could in some way get the antivirus companies to create a global whitelist, and work together to determine if the 'false positives' are really false... hopefully we can minimize the hassle associated with false positives. I also know of a few programs that are intended to crypt other files into FUD (Fully UnDetectable) files, passing the worldwide antivirus test. These programs completely annihilate the antivirus software. It kinda makes me wonder why I even have an antivirus. Maybe when the antivirus companies give me more relief than hassle, I'll stop jacking their products.
Had to vent,
Ryan R.
P.S. Even though I am a pirate, and have lots of expensive programs free of charge, I do donate to the respective companies an amount that I believe to be fair for what the product offers. Microsoft Word, for example, a hundred-dollar program. Sooooo not worth that. Media converting tools, like those offered by Prism, are not free of charge. I initially got them for free, but decided to donate $10 ($5 per program). So see, pirates aren't as bad as the MPAA and RIAA make them out to be.
November 26th, 2011 at 2:38 pm
These false positives need to be addressed by the anti-virus companies. I needed this tool to get my licenses and to date I've had no ill effects. Norton and SuperAnti both gave it the okay, but Malwarebytes had me worrying when I first ran it. Guess I won't be licensing Malwarebytes if they are not going to follow up on their false positives.
December 18th, 2011 at 1:43 pm
Have had Microsoft Security Essentials on my PC for a while. Did a FULL file scan for the first time (the default is a weekly quick scan) and it detected IE PASSVIEW as a potential threat: HackTool:Win32/Passview
MSE wants to remove or quarantine the file iepv.exe (which is still in your original zip file)
I shall trust you and the other opinions on this website and treat it as a false positive.
December 28th, 2011 at 11:18 pm
Wireless Network Watcher, just gave my AVG and Malwarebytes conniptions!!
All my other Nirsoft apps have been OK.
Previously I've had issues with Sysinternals, some GRC utilities and some custom built apps by developers in our workplace with CA products and more recently with Symantec...
All with products we need to do our work!!
Many Thanks and keep up the great work!
January 4th, 2012 at 11:14 pm
If you don't use a password manager you get to choose between the impossibility (for ordinary memories) of remembering the diversity/complexity of them required by meaningful security, or using the same well-worn ones and compromising the reason for their existence. Therefore having a little program like this is a helpful option. After the download, Webroot immediately placed it in quarantine, necessitating restoring it over security warnings. Having also recently added a secondary program for registry cleaning (with some functional overlaps with Webroot), I was glad to find that although it too had flagged the new program - upon opening it - it also provided a choice to "add to exclusions" with a single click.
Thanks for your efforts in making this available Nirsoft!
January 13th, 2012 at 2:47 pm
We often need ProduKey. I like WinPrefetchView too (e.g.). To get the NirLauncher through the network and protect it from antivirus we zipped the folder with password protection, deactivating AV before unzipping it on the target machine...
Avira, Avast, MSE, they all produce false positives. THX Nir!
January 19th, 2012 at 12:47 pm
My friend could not get his mail in Outlook Express; it kept asking for his password after his computer was fixed by a (so-called) expert in a computer shop. My friend entered his right password but it did not work.
I used Mail PassView v1.77 to find out his password and it revealed a different password, a new one that the expert had changed it to. So you can not even trust people in computer shops.
I scanned the program with Avast and it was clean, no false positive.
Malwarebytes reported that the mailpv.exe file was infected with (PUP.MailPassView), so I put it in the ignore list.
I tried it on my Thunderbird and it found my password in about 2 seconds.
Best program for looking up lost passwords in email clients.
Will try some of your other programs and then in the near future will donate.
THX Nir
January 24th, 2012 at 3:26 am
McAfee antivirus gave me this false positive a few months back when I was reviewing a few of your tools.
TechSmartLife
February 1st, 2012 at 9:14 am
We can act in a BETTER way, which has worked many times: developers, on your site, just add a text like this:
"if you want to use this program, you must uninstall [antivirus name]", then send the URL to the fucking antivirus company, to the commercial service, not tech. If any fucking commercial man of this shitty money-drainer company sees that, he will immediately ask his team to unbadword the program to stop the potential cash loss of users uninstalling the antivirus.