Antivirus companies cause a big headache to small developers.

Antivirus is essential tool that most people need to protect their Windows operating system from Viruses, Trojans, and other bad stuff.

Unfortunately, most Antivirus companies goes too far with their Virus/Trojan protection, and in many times they classify completely legit software as Virus/Trojan infection.
One good example for that is my own password recovery tools: Most people need these tools to recover their own lost password. These password tools, like many other utilities out there, can also be used by hackers for bad purposes.
The attitude of many Antivirus companies is very tough in this subject -
If it's a tool that can be used by bad guys, it's classified as Trojan or Virus, even when most users need it and use it for good purposes. Antivirus companies don't care that they block their own customers that want to recover their own passwords, and they don't care that they may cause their customer to think that I'm a Virus distributer.
I must say that some Antivirus companies are a little more gentle, and classify these tools as "Security Threat" or "Riskware" which is much better than classifying them as Virus or Trojan, but they still prevent the user from running them - by deleting them or by putting them in quarantine.
Also, many users don't know what is difference between Virus and Riskware, and when they get these "Riskware" alerts, they still think that my tools are infected with a Virus named "Riskware".

My password-recovery utilities are not the only victims of the "over protection" made by Antivirus software. Some other tools, like ProduKey, RegScanner, WebVideoCap, NirCmd, and others that don't recover any password, are still constantly targeted by Antivirus companies, without any known reason.

Other developers also have "False Positive" problems

Other small developers also constantly experience false alerts made by Antivirus software, here some examples:

What about large companies like Microsoft ?

Large companies usually don't have any false positives problems, and even if there is a single case of false alert, the antivirus company will probably fix it very soon. After all, antivirus companies know that Large companies have good lawyers and if they won't fix the problem, they may find themselves in a large lawsuit for libel.
One good example is SysInternals. In the past, their psexec.exe tool that can be used to execute code on remote machine, was detected as Virus by some Antivirus programs, but today, when SysInternals is a part of Microsoft, All Antiviruses show it's clean, as
you can see from this VirusTotal report.

Examples for emails I receive on daily basis

Here's some examples of messages regarding the virus alerts, that I get to my inbox on daily basis:

  • "Your mspass.exe is infected with Virus"
    "You have Trojan horse in your Mail PassView utility"
    "your ProduKey is a Trojan, be ashamed !"

    These messages are sent by users that really think that my tools are infected. I cannot blame them for thinking that, because the Antivirus really tell them that there is an infection.
    Most Antivirus programs don't explain the user that the alert is displayed only because it's a legitimated tool that might be used by hackers.
    They simply tells the user that the tool is infected with Virus or trojan, even it's not really the truth.

  • "I try to run your program and it says that I don't have permission"
    "I try to run your program, and I get the following message: 'Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item'"
    "I try to run your program, and nothing happen"
    "Each time that I download your program and extract the files, the .exe file disappears"

    These messages are sent by users who think that there is a bug or problem with my utility, without knowing that this problem is actually caused by their Antivirus.
    In some circumstances, the Antivirus software runs in the background, and when it detect a threat, it simply block the .exe file, put the file in quarantine, or simply delete it, without telling the user anything.
    The frustrated user think that there is a problem in the software he tries to run, without knowing that the Antivirus software, that should protect his computer, is actually the troublemaker that causes this problem.

  • "When I try to get into utilities section of your site, I get 'the page cannot be displayed' error"
    "You have a broken link in your site - When I try to download your ProduKey tool, I get 'the page cannot be displayed' error"

    These messages are sent by users who think that there is a problem in my Web site, because they cannot browse into a Web page in my site or download a utility from my site. But once again, this problem is caused by Antivirus or Firewall that decided to block my Web site without explaining the user about the site blocking.

    Zonealarm products, as opposed to others, redirects the user into a Web page which says that "nirsoft.net has been known to distribute spyware", which is completely untrue.

    This web page also offers to report about false detection to False_Positive@checkpoint.com. I really tried to do so, but I received the following error message from their email server:
    ----- The following addresses had permanent fatal errors -----

    (reason: 550 5.1.1 ... User unknown)

    As you can see, Zonealarm provides an email to report about false positives, but it's a fake email address that nobody really reads.

Needless to say - all these virus-related email messages that I receive every day are a big headache and require me to waste my time on answering/handling them,
instead of adding new features to my utilities and updating my site.

Why don't you contact the Antivirus companies ?

Some people ask me, "Why don't you simply contact the Antivirus companies to resolve the false alerts issues ?"
So here's some important points:

  1. There are dozens of Antivirus companies out there, and with combination of more than 100 utilities in my site, false alerts appears and disappears all the time. Handling all these false alerts may require an employee with full-time job, even more than that.

  2. If you look into the Web sites of some Antivirus companies, you'll easily find a large "Buy Now" button, but you probably won't find any "Report About False Positive" link. Antivirus companies always want to make more sells, but they don't really care about false positives in their products. They usually hide the option to report about false alert very deep in their Web site, and some of them gives "False Positive" support only for users that purchased their product.

  3. Even when I find the method to report about a false alert, deeply in their Web site, most of the companies don't answer the requests at all or simply send an automatic message, saying that the sample that I sent is infected. In some cases, The Antivirus company fix the false alert problem in their next update, but without admitting that they had a false positive, and without sending any apology to me, as a developer.
  4. False Positives usually come back: Even when Antivirus company finally fix a false positive, it's just a matter of time, until the false positive returns again, with a new Virus/Trojan name.


Help me and other developers !

If you feel frustrated, like me, about all these false alerts, you can help me and other small developers to stop Antivirus programs from detecting innocent tools as Viruses/Trojans.

What can you do ?
Here's some examples:

  1. Add your comments to this article about False Positives problems you experience (As user or as software developer)
  2. Send this post to your friends, so they'll know more about false positive problems.
  3. If you constantly pay for licenses and updates for your Antivirus software,
    don't hesitate to call your Antivirus company and require them to stop the false alerts.
    You pay for your Antivirus product, and you deserved to get a reliable product that detect only real viruses.
  4. If you have any contact with large magazine writer/journalist, you may try to offer him to make a research and/or write an article about all false alerts problems made by Antivirus.
    Unfortunately, some magazines will never write an article against the Antivirus companies, because these companies also pay for advertising in these magazines.

In the bottom line, if the false positives problem will make too much noise in the media, the Antivirus companies will understand that false positives may also hurt their reputation and decrease their product sells, and eventually they will give more priority to fix the false alerts in their products.

340 Responses to “Antivirus companies cause a big headache to small developers.”

  1. O Says:

    I suspect, that many FP's are deliberately generated false positives and AV companies are using some kind of secret blacklist against "trouble causing" legit software.

  2. Steve Says:

    We feel your pain, we went to great expense and jumped through a lot of hoops to get a code signing certificate for our application. We went through a lot of background checks, we even had to get a letter of attestation from an attorney. and still get flagged. Occasionally we go through a period without errors but we are back at square one when we push an update.

    I understand the need for caution by the browser and AV companies but I really think that if you have a valid code signing certificate they should leave our applications alone. If the background checks need to be more stringent then make them more stringent but there needs to be a fair way in the marketplace for smaller companies to innovate.

  3. Tasos Says:

    If I may add my own case, I had a big problem with Avast antivirus.
    I write some programs in Assembly language, ranging from small utilities to full applications. During development I use batch files to assemble, link and test-run the programs. The assembly-link time is between 2 to 5 seconds. When I used Avast, running a program I got a popup saying that the program is scanned and run in a sandbox, taking some 20 to 30 seconds to complete. As you understand, waiting this to complete, many times I was forgetting what I was looking for. So, my solution was to stop using Avast and avoid suggesting it to others. After all, I don't like been characterized a potential malware writer.

  4. Ricardo Says:

    This situation is crazy.....

    The Antivirus companies are destroying people's livelihood... But, they could care less....

    To me, it is like standing outside a restaurant and telling everyone who enters, "You may get sick from eating the food here." The owners would probably attempt to have you physically removed. After a few days, they'd probably file a lawsuit against you.

    The thing is... This is beyond my control.... I cannot change it.... It is what it is...

    The only thing that makes sense is to create web applications where this is not a constant battle.

  5. rana Says:

    all av s are not to be blamed but most of wildly used like avast are totally stupid in compare real virus or harmless software

  6. Stanley Says:

    I am just beyond frustrated with antivirus companies continuing to mark my program as malicious without properly scanning it through. I am a small developer and my revenue is on the line with the increase in false positive detections from companies like Symatec and AVG.

    I have contacted many different AV vendors in the past and submitting my programs multiple times with no results. The issue may disappear for a short while, but will end up coming back in the end. Now even Window's smartscreen filter is marking my app as malicious. I've never had a problem with any of the companies until recently when they started flagging my software. It has gotten so bad to the point where Chrome blocked all downloads of my program and my website completely and lost total trust in my users. After a month of repeatedly contacting Google for an appeal, the block on my website was finally lifted, but the damage was done. Even people have started spreading the false notion that my software is actually used to exploit systems.

    I've just about had it with the AVs and the whole extra protection BS that these companies offer. At this point, it is either work on popular software or don't program at all. Programming is my passion and I didn't work on my project for 4 and a half years ALONE just to be labeled as a malware vendor. I've had enough of this. Sorry for the rant, but this is really affecting my life.

  7. Dr Santhosh Says:

    I am an independent Andriid App developer with a number of free apps on Android, you would not believe my surprise when one of my free apps was Tagged by Avast AV as "suspicious". I wrote to them offering my source code for analysis provided they maintained confidentiality.
    I am yet to hear from them, these conceited corporations just want to wipe out individual developers, as they cannot stand someone offering a free or open source app when they are being paid hefty money for same, that is the crux of the issue here......

  8. Joep van Steen Says:

    Oh yes, it's sooooo frustrating. I'm so mad! Just now DiskTuna got flagged by one in VirusTotal. After I just spent a day getting Google to understand I don't spread malware. Google: but it's a file that is uncommon. Yeah duh, I just finished it.

    https://www.hybrid-analysis.com also nice. All my software is malware according to them. Because they found a URL embedded. Because the software tried to get the OS version. Because the software evaluates if there's admin rights or not. All perfectly legitimate for a disk defragger. I need admin rights. I need to know the OS.

    I'm so SICK of it. If I had the money I'd sue them till they're broke.

  9. Matt Says:

    This is so annoying - I'm trying to use the IE Password util to export and import user passwords when upgrading their computer(a lot of them don't recall their passwords for stuff) but I can't even download it because of my work's antivirus ๐Ÿ™

  10. Kevin Says:

    Article is still true today as when it was written. Super frustrating. I just wrote a tool to repair database corruption remotely and Norton tries to remove it every time I run it.

    Good to know that I am not alone.

  11. Muhammad Saqib Says:

    We all developers should unite and teach antivirus companies a lesson. We should build a platform where all developers can communicate each other and can take legal or illegal action (such as harm their sell too) against these companies. You can see, 7 year has passed and developers still facing troubles for their clean software. We struggle months day and night we don't take holidays while developing our software and they took a minute to mark our struggle as Trojan. Who give them right to judge the developers of entire world.

  12. Tom Says:

    My software continuously gets stopped by avast and mcafee. A real pain.

  13. Ralph Says:

    I too suffer from constant FALSE POSITIVES around the Nirsoft products. It is unacceptable that these AV companies, Microsoft SCCM being the problem for me, will not fix these problems. Someone needs to contact the US attorney general and demand that they sue them for defamation of character and publishing false information about their products. Should be an easy win. There is a ton of evidence, 7 years worth in these comments alone to provide prof positive that they are nefariously defaming your reputation and that of NirSoft for continuing to falsely accuse developers like NirSoft of putting out evil viruses when in fact they do not. Anyone out there know any good lawyers, maybe a class action suit on the AV companies, starting with Microsoft, A US company. Any suit on them will get noticed and will get air/print time in the media. It should also earn a lot of money for the Lawyer with the guts and courage to go after them.

  14. Harry Powell Says:

    I have receive reports that the install executive of EditCNC is flagged and deleted by Gateway antivirus. This is done even though the file has a Symantec digital certificate!
    I think (hope) Gateway is the only one that does this.
    Is there a way to contact Gateway and have a file white listed?

    Harry

  15. mark Says:

    This has become a major productivity problem with large companies. It is almost impossible to "whitelist" custom software that is legit purchased from major software vendors. Dont know what you do. lots of bad guys out there.

  16. Tony Says:

    Our estimating software, Seljax, is sometimes detected as a virus and/or it's communication is blocked. This creates a lot more work for our support team. Avast seems to be the worst.

  17. Josh Says:

    We deal with this all the time (and are dealing with it now with the idiots from Lookout). The only solution for the AV companies that refuse to act is to get an attorney involved. I had our attorney send a letter directly to lead counsel for avast and we were quite literally whitelisted in hours. The thing is, when you contact these companies, you get directed to tech support, who really have no clue about the legalities and repercussions of their actions. These company's attorneys fully understand you can sue the living crap out of them.

    However I do agree with another commenter here, that we should create a fund/group to seriously go after a few of these companies in court, perhaps via a class action suit. Setup a GofundMe page. There's likely enough cases of defamation & libel to sink companies like Avast & Lookout.

  18. Andon M. Coleman Says:

    What's downright despicable about anti-virus software is when it quarantines something that you just compiled. The output of cl.exe should be exempt from this stuff.

    It'd be nice if the anti-virus package warned you that it's going to report to all its users that the software you just compiled will trigger a false positive, but it's awful when you go to debug your program and it's gone.

    As a developer, you really cannot use anti-virus software, it will make your life a living hell. I have done simple memory optimizations in the past that triggered bells in 10 anti-virus software packages. Needless to say, to keep my end-users happy I have to avoid said memory optimizations and release an inferior product. This is ludicrous and I wish anti-virus would go away.

  19. Sylvester Norrbjoerk Says:

    I work for an IT-support company with hundreds of clients. Nirsoft tools have helped us out countless times for which we are immensely grateful. Luckily it's always my colleagues and I that use the tools so we know to disable the auto-delete/auto-quarantine functions and/or disable the anti-virus and/or add exceptions to it, but it is annoying, especially when you are in a hurry and still have to perform a task on dozens of computers.

    I'm still trying to find an anti-virus that protects without false positives and that is lightweight; I am probably asking for too much. I also get it that the anti-virus companies also have a hard time figuring out what is a threat with numerous new threats appearing each day, but marking tools used by thousands of professionals regularly for years, as a virus is just plain wrong.

  20. Digitalconnectmag Says:

    I am yet to hear from them, these conceited corporations just want to wipe out individual developers, as they cannot stand someone offering a free or open source app when they are being paid hefty money for same, that is the crux of the issue here......

  21. DubbaThony Says:

    I have that annoying problem aswell. annoyingly I use ton of software that is "riskware" in AV-language, when in real language its "legit software"

    oh, I made quite a few programs too. my first issue was the AV removing .exe file. just after compilation. I have an question. What the legit fudge is that supposed to mean?! You not only will false-positive all of my exec's even if compiled on same damn machine, decerase my reputation, but you will also try to prevent me from coding at all?
    are those jerks insane?
    I dont mind some security. But I mind, oh I really mind false-positive sea while looking for that droplet in the sea of actual danger.

    afterall I ended up using Spy bot +AV as it dont throw false-positives at my face on constant basis.

  22. Fred Says:

    I'm a developer myself and I get so sick of these false positive alerts. It doesn't seem fair, write a code and put it in the proper directory so it's automated and five seconds later it's gone. So what to do? Delete your antivirus and wind up with no protection? Doesn't seem like a good idea, but you don't exactly get very many options either. You could go to a smaller one like what DubbaThony did, but then are you really as well protected? Probably not. Antiviral companies such as Avira need to begin making their products more convenient or people/developers are going to start looking elsewhere. And who knows, maybe we'll wind up with even better freeware based antivirus programs.

  23. Gail Tichy Says:

    I am so angry about this issue. I just bought a new desktop that came with pre-installed "Mcafee" anti-virus software. I use myPCBackup to backup my files. I installed the backup application on the new computer, but it failed to execute because Mcafee flagged it as having "Artemis!" virus in the code. My only alternative to get my backups is to turn off Mcafee while I am downloading the backups and then run a full scan afterwards. I wish there was a governing body with oversight on these companies.

  24. Mark Says:

    Still unable to download Nirsoft tools with the latest Firefox (49.0.2), and had to download with Chrome instead which worked. MD5 hash checked out OK.
    Have had to put ignore exceptions into my anti-virus programs (Kaspersky paid for and AVG free).
    Kaspersky continues to bitch about it, but I haven't tried AVG again for a year. I just let the exceptions handle it.

  25. DigitalEdge Says:

    You can also make a utility that checks programs' checksum and verifies it to a database. If it will become professional enough to not allow malware writers to pass the test it would become a priority for AVs to make sure they don't FP your database entries.

  26. Rob Says:

    I'm a developer who also suffers from false positives. The worst offenders are Norton, Avira and Avast.

    The way I fight back is by sending an email to my customer urging them to get rid of the A/V program. I include this link which shows how useless they are anyway (this was sent to me in a Microsoft Azure newsletter):
    https://youtu.be/PvfrS6_nyyM?t=77

    I explain how these A/V programs are a waste of money and all you need is the free Microsoft security already included in Windows.

    It's working. I have pursuaded over 20 customers now to toss their A/V programs, mostly Norton.

  27. Stรฉphan Says:

    Ahh I have this problem too with my last version of Reqchecker. If have false positive "HEUR/APC (Cloud)" with Avast and Antivir, and I imagine more. I will try to buy a certificate and sign my exe, but it does not ensure that the problem will be solved. ๐Ÿ™ ๐Ÿ™

  28. OptometristPrime Says:

    This is a huge problem with pretty much all anti-virus & anti-malware companies & they should be ashamed of themselves. Almost as much as they should be ashamed of the fact they lie to users about what should only be considered P.U.P, calling them trojans, or malware & filing them under trojan names for real trojans. This is unacceptable & the main reason I wont use any anti-virus other than ESET. I have never had ESET lie to me about what a file actually is. It clearly states exactly what the file is & that it is potentially PUP, and then I can make my own decision based on that because it tells me the exact name of what I'm trying to use. For instance, a password tool would come up as PUP & would be called "Password Tool" or something, in their descriptive names.
    For this reason, I love ESET & for once in my life, actually trust my anti-virus isn't full of shit or lying to me because of pressure/incentives from anti-piracy groups or their own greed/laziness/lack of caring.

    It's a real shame this happens to small developers especially, because it really hurts you guys the most. It also hurts users though, because then you can no longer rely on your anti-virus, so what's the point, if you constantly ignore the alerts then? These practices should really be regulated somehow & someone needs to put pressure on the companies to stop LYING.

  29. Keith Says:

    I agree with this issue completely. I have been offering a program for the last 10+ years and each year it gets more difficult for users to load due to virus program saying it is a possible virus. I once tried to get a company to put it on the safe list but it was basically a good luck buddy response. Like trying to get an audience with the pope or trying to get an answer from the federal government. I am 100% convinced people are not downloading the program due to these messages and rightfully so. However it is costing myself some sales as well as them a quality and affordable tool.

  30. Mike Says:

    Ditto to what Keith just said!

  31. Bob Says:

    I'm having a massive headache with this issue right now.

    I've spent a couple years developing a popular game mod, and I'm forced to encrypt my application because of rippoff coders had previously stole some of my work. My application has zero malicious code.

    Scanning the unencrypted application on virustotal I get 1 false positive.
    Scanning the encrypted application on virustotal gives me 20 false positives.

    This is example of how many AV's are just tagging patterns produced by the encryption software. one group of
    about 5 vendors seem to be using the same signature pattern, because they use the same label to identify the false positive.

    Some AV's will not remove false positives and pretty much ignore requests to do so. I never realized the Anti Virus industry had so many snobs.

  32. Skipjack Says:

    Nir, you must be doing something right, because I just installed PassView and it got by Kaspersky. The Kaspersky screen that came up says "Password Management Software Detected". Then it says it's not a virus and gives the file path. It gives three choices, DELETE, SKIP and ADD TO EXCLUSIONS. I clicked exclusion and the installer came right up. I haven't run it yet, because I can't reboot right now, but I can't imagine it wouldn't work fine. Maybe Kaspersky is in a snit 'cause I'm not using their password manager? Anyway, thanks a LOT for all you do. All the best

  33. Ken Schafer Says:

    I think it's about time for a class action lawsuit and I'm ready to sign on.

    Our software won an Emmy(r); we've been digitally signing it for literally the past ten years, virusTotal reports it 100% clean but our most recent release has been just hammered by false positives. Karpersky quietly deletes files causing access violations without giving the user any indication that it's done anything... making our software look like crap when it's really THEIRS that is.

    We're going to have to put a whole page on our website with links to the VirusTotal reports and I know there will still be people not willing to trust it.

    Apparently our support department has to calm about a user a week who calls in... and god knows how many are just not calling but also not buying...

    Personally I think we should sue for slander. They are willfully refusing to accept our hard data that what we are producing is legitimate, and they are damaging our reputations and livelihoods in the process.

  34. boycott_AV Says:

    We can boycott the AV companies. Let's vote for most suborn AV product and put a link in our programs to this poll. We educate our customers this way.

  35. boycott_AV Says:

    like this:
    https://docs.google.com/forms/d/1H3_O1z1iEqfh9ZT9u3B0R1tGEj-Hc9o7rAE0LKPr33Y/edit

  36. Ali H Says:

    I have just had the same problem. BitDefender doesn't like WM_COPYDATA, which I kind of suspected would be the case. But it doesn't like CreateNamedPipe() either. So multi-process apps are out of the question for mere mortals? This feels suspect.

  37. Andrew G. Knackstedt Says:

    I've got the same problem. I have special function key code with most of my programs, the code which runs in the background. Some anti-virus programs show a false-positive on my program since it uses keylogging to access the function keys. I can understand this, but on the operating system and runtime i am using i cannot use any other method effectively. Yay for me. -> Windows Defender quarantining random builds of my program where the logging code has absolutely no changes -> i have to whitelist the item each time it detects the trojan.

  38. Oladele Olanrewaju Says:

    I developed and deployed a management decision optimizing application on the website recently. But I'm experiencing similar problem of false-positive alert by some antivirus against my application online installer setup, preventing users from installing the app. Efforts to stop this even with certificate signing could not stop these antivirus false alert. Now I'm going through the stress of educating potential users about how safe and free of malicious code, the application is.

  39. nikos Says:

    handy list for mass reporting false positives
    http://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm

  40. Craig Says:

    Maybe it's time to get a class action going. I compiled a "Hello World" program and then used one of the free
    online file scanning tools and got a couple hits.

Leave a Reply