Antivirus companies cause a big headache to small developers.

Antivirus is an essential tool that most people need to protect their Windows operating system from Viruses, Trojans, and other bad stuff.

Unfortunately, most Antivirus companies go too far with their Virus/Trojan protection, and in many cases they classify completely legitimate software as a Virus/Trojan infection.
One good example of that is my own password recovery tools: most people need these tools to recover their own lost passwords. These password tools, like many other utilities out there, can also be used by hackers for bad purposes.
The attitude of many Antivirus companies is very tough on this subject: if it’s a tool that can be used by bad guys, it’s classified as a Trojan or Virus, even when most users need it and use it for good purposes. Antivirus companies don’t care that they block their own customers who want to recover their own passwords, and they don’t care that they may cause their customers to think that I’m a Virus distributor.
I must say that some Antivirus companies are a little more gentle, and classify these tools as “Security Threat” or “Riskware”, which is much better than classifying them as a Virus or Trojan, but they still prevent the user from running them, by deleting them or by putting them in quarantine.
Also, many users don’t know what the difference is between a Virus and Riskware, and when they get these “Riskware” alerts, they still think that my tools are infected with a Virus named “Riskware”.

My password-recovery utilities are not the only victims of the “over protection” made by Antivirus software. Some other tools, like ProduKey, RegScanner, WebVideoCap, NirCmd, and others that don’t recover any password, are still constantly targeted by Antivirus companies, without any known reason.

Other developers also have “False Positive” problems

Other small developers also constantly experience false alerts made by Antivirus software. Here are some examples:

What about large companies like Microsoft?

Large companies usually don’t have any false positive problems, and even if there is a single case of a false alert, the antivirus company will probably fix it very soon. After all, antivirus companies know that large companies have good lawyers, and if they don’t fix the problem, they may find themselves in a large lawsuit for libel.
One good example is SysInternals. In the past, their psexec.exe tool, which can be used to execute code on a remote machine, was detected as a Virus by some Antivirus programs, but today, when SysInternals is a part of Microsoft, all Antiviruses show it’s clean, as you can see from this VirusTotal report.

Examples of emails I receive on a daily basis

Here are some examples of messages regarding the virus alerts that I get in my inbox on a daily basis:

  • “Your mspass.exe is infected with Virus”
    “You have Trojan horse in your Mail PassView utility”
    “your ProduKey is a Trojan, be ashamed !”

    These messages are sent by users who really think that my tools are infected. I cannot blame them for thinking that, because the Antivirus really tells them that there is an infection.
    Most Antivirus programs don’t explain to the user that the alert is displayed only because it’s a legitimate tool that might be used by hackers.
    They simply tell the user that the tool is infected with a Virus or Trojan, even though it’s not really the truth.

  • “I try to run your program and it says that I don’t have permission”
    “I try to run your program, and I get the following message: ‘Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item’”
    “I try to run your program, and nothing happens”
    “Each time that I download your program and extract the files, the .exe file disappears”

    These messages are sent by users who think that there is a bug or problem with my utility, without knowing that this problem is actually caused by their Antivirus.
    In some circumstances, the Antivirus software runs in the background, and when it detects a threat, it simply blocks the .exe file, puts the file in quarantine, or simply deletes it, without telling the user anything.
    The frustrated user thinks that there is a problem in the software he tries to run, without knowing that the Antivirus software, which should protect his computer, is actually the troublemaker that causes this problem.

  • “When I try to get into utilities section of your site, I get ‘the page cannot be displayed’ error”
    “You have a broken link in your site – When I try to download your ProduKey tool, I get ‘the page cannot be displayed’ error”

    These messages are sent by users who think that there is a problem in my Web site, because they cannot browse to a Web page on my site or download a utility from my site. But once again, this problem is caused by an Antivirus or Firewall that decided to block my Web site without explaining the site blocking to the user.

    Zonealarm products, as opposed to others, redirect the user to a Web page which says that “nirsoft.net has been known to distribute spyware”, which is completely untrue.

    This web page also invites users to report false detections to False_Positive@checkpoint.com. I really tried to do so, but I received the following error message from their email server:
    ----- The following addresses had permanent fatal errors -----

    (reason: 550 5.1.1 … User unknown)

    As you can see, Zonealarm provides an email address for reporting false positives, but it’s a fake email address that nobody really reads.

Needless to say, all these virus-related email messages that I receive every day are a big headache and require me to waste my time on answering/handling them, instead of adding new features to my utilities and updating my site.

Why don’t you contact the Antivirus companies?

Some people ask me, “Why don’t you simply contact the Antivirus companies to resolve the false alert issues?”
So here are some important points:

  1. There are dozens of Antivirus companies out there, and combined with more than 100 utilities on my site, false alerts appear and disappear all the time. Handling all these false alerts may require an employee with a full-time job, or even more than that.

  2. If you look at the Web sites of some Antivirus companies, you’ll easily find a large “Buy Now” button, but you probably won’t find any “Report a False Positive” link. Antivirus companies always want to make more sales, but they don’t really care about false positives in their products. They usually hide the option to report a false alert very deep in their Web site, and some of them give “False Positive” support only to users who purchased their product.

  3. Even when I find the method to report a false alert, deep in their Web site, most of the companies don’t answer the requests at all or simply send an automatic message, saying that the sample that I sent is infected. In some cases, the Antivirus company fixes the false alert problem in their next update, but without admitting that they had a false positive, and without sending any apology to me, as a developer.

  4. False Positives usually come back: even when an Antivirus company finally fixes a false positive, it’s just a matter of time until the false positive returns again, with a new Virus/Trojan name.


Help me and other developers!

If you feel frustrated, like me, about all these false alerts, you can help me and other small developers to stop Antivirus programs from detecting innocent tools as Viruses/Trojans.

What can you do?
Here are some examples:

  1. Add your comments to this article about False Positive problems you experience (as a user or as a software developer).
  2. Send this post to your friends, so they’ll know more about false positive problems.
  3. If you constantly pay for licenses and updates for your Antivirus software,
    don’t hesitate to call your Antivirus company and require them to stop the false alerts.
    You pay for your Antivirus product, and you deserve to get a reliable product that detects only real viruses.
  4. If you have any contact with a writer/journalist at a large magazine, you can suggest that they research and/or write an article about all the false alert problems caused by Antivirus.
    Unfortunately, some magazines will never write an article against the Antivirus companies, because these companies also pay for advertising in these magazines.

The bottom line: if the false positive problem makes enough noise in the media, the Antivirus companies will understand that false positives may also hurt their reputation and decrease their product sales, and eventually they will give more priority to fixing the false alerts in their products.

448 Comments

  1. Mr says:

    I constantly experienced this problem of false positives. It’s really crazy…

    Even the “Kaspersky removal tool” is detected as a trojan by McAfee. Lots of programs I need to monitor computer activity, or clean malware, are detected as trojans and it’s really difficult to use them. And of course some of the Nirsoft programs that are my favorites.

    But what can we do ? For me it’s a further divide between two opposite conceptions of computing.

  2. Rarst says:

    My scripts in AutoIt (AutoHotkey is a spinoff of it) get false positives all the time. 🙁 I understand that this is a terrible issue for developers with a large portfolio of utilities.

    Still as user – if specific malicious code is similar in legitimate app and malware I’d prefer it detected rather than not detected.

    Overall it is one of those issues that don’t have clear and easy solution. Antivirus developers are unlikely to cooperate on global scale and dealing with them case by case is impossible.

    I hope you will (if not already) find convenient method of dealing with false positives feedback and it is not too much of discouragement.

  3. The MAZZTer says:

    I agree this is a pain, whenever I plug in my thumb drive into another computer I find Norton happily deleting files from it for me. So now I tend to disable any AV before plugging it in (a lot easier).

  4. Nick says:

    I also develop a little in VB6 on the rare occasion, once trying to write an update component into some custom software I wrote for a company I used to work for.

    Unfortunately no matter how I tried, I couldn’t find a way to code it without having it detected as trojan/downloader by at least Symantec. Even “excluding” the file in the software didn’t work _for long_ and I was never able to find a way to report the issue to Symantec. Out of curiosity I checked and the file was also “infected” by McAfee or some other program they had at the time.

    Was it the code itself, or that it was hard-coded for my domain, I dunno.

    Surely the manpower for an anti-virus company doesn’t allow to check all software. Maybe they come up with a few things to look for, like however my update code looks to their detection engine, then blanket this as a downloader trojan for all files scanned, and EXCLUDE the big software vendor’s apps that could match this criteria.

    Of course I also firmly believe most of them intentionally jack up the false positives (affecting primarily small developers) so they can boast higher detection rates.
    And you are right, they justify this on the technicality that the software *could* be used maliciously.

    But it doesn’t mean they need to be so deceitful about the detection.

    Also, the absolute worst part about a false positive, is that it trains the half-way competent user or even a computer tech to always disable the anti-virus when something like your password utility is being used…

    …so what if that utility was infected by a real threat? Perhaps a computer tech who is retrieving a product key or password had something infect all the .exe’s on the flash drive being used, what then?

  5. Rarst says:

    >Of course I also firmly believe most of them intentionally jack up the false positives (affecting primarily small developers) so they can boast higher detection rates.

    Nope, high percentage of false positives is sign of low quality. All popular antivirus tests check that and count into their rankings (not that those are absolute and objective).

    It's not intentional, just the way things work when it is hard to tell apart malicious code from legit.

  6. rjl says:

    THANK YOU for posting this. I hope something is done about this. The "little" guys always get the shaft. We write "entertainment" software that is flagged as viruses by all of the major players. We've added FAQ topics, Discussion Forum posts and readme's to explain that our software is NOT a virus. In the end it's killing our business, as users don't understand the difference between Annoyware or Fun/Joke program vs. Viruses. We have contacted McAfee and Norton – but no luck. Here are some topics we've added (will provide a link back to this blog)

    http://www.rjlsoftware.com/support/faq/sa.cfm?q=209&n=61

    http://www.rjlsoftware.com/support/faq/sa.cfm?q=21&n=68

  7. MK in SF 666 says:

    The anti-virus system I use provides an email address to its registered users for reporting false positives.

    I’m happy to report that *every* time I’ve submitted a file or URL to a download, I’ve received a response within eight hours that stated, “Thank you–we have investigated and determined this is a false positive, and it will be corrected in the next set of virus definitions.”

  8. funy says:

    This used to drive me mad when I used to ask a client on the phone to install a remote connection application like TeamViewer or Ammyy Admin and it would get thrown straight into quarantine, which then required me to talk them through authorising it, which with some clients who were not at all IT literate was a pain. Also had a few problems with F/P’s with some of your tools but it would appear that Sophos (which I work with most) doesn’t pick them up.

  9. Jim says:

    Well it has to be said, that if the users are so stupid that they cannot tell the difference between a legitimate program and a virus, then perhaps they shouldn’t be using them.

    I myself have really appreciated the software that you have put together and use it a lot. It helps me to iron out problems in networks and on hard drives.

    Another issue is the general issue of the proliferation of antiviral programs. Perhaps the crappy ones need to be boycotted a little more with a good amount of blogging.

    In the end, nothing beats good old-fashioned common sense and a bit of education.

    Keep up the good work and invest in a mail filtering programme with a generic reply.

    Another developer with similar issues…

  10. Bunkerman says:

    Avira Antivir 2009:
    ‘SPR/Tool.KeyView’ [riskware].

  11. rabbit says:

    "My scripts in AutoIt (AutoHotkey is spinoff of it) get false positives all the time. 🙁 I understand that this is terrrible issue for developers with large portfolio of utilities."

    The same thing happens to me… I think Jon (AutoIt Developer) said that the main autoit interpreter was classified as a virus, so almost any script made with AutoIt will also be classified as one, as it includes it.

    He is trying to work with the security software providers to sort out how to detect autoit programs as viruses, so hopefully…

  12. alexsupra says:

    hi. i'm service engineer and founder of usetools.net project about free software.
    experiments and test based on real practical usage show that antivirus software applications become more and more useless, consume the great amount of pc hardware resources (sometimes users can't use their workstation because of single program with service purpose – "antivirus"), often damage users or system software ("false positives") and even can destroy system completely without any reason.
    so lets determine what are the main features of virus-like (trash, harmful, dangerous, etc.) software:
    1. consuming more or less system resources like memory and cpu for running themselves without any possible users control;
    2. creating a lot of startup items represented by executables in system registry run-sections or creating one or much more services;
    3. always updating, downloading something and uploading some data about local system thus sometimes consuming a lot of internet traffic;
    4. show various information like annoying commercial advertisements;
    5. providing remote access to users workstation.
    so, mentioned above is about viruses and… the first of all and largely about commercial antiviruses that use these methods for getting more and more profit without real thinking about end-users or software developers.
    besides that computers and networking service job experience shows that in most cases when real viruses presents in system antivirus programs can do nothing. no detection or no real helpful action in case of detection. thus popular commercial antiviruses are absolutely useless in most cases and even dangerous in some cases.
    the most evil commercial products according to service engineering experience are: avg, nod32, avp (kaspersky), threatfire.
    the most truly useful and really powerful solution is clamav scanner cause it never lies (cause that is free and open source software) and nowadays has great virus detection level.
    it has now "monitor" but that is advantage cause when antivirus monitor works that mean antivirus monitor works on your pc but not you. to control system in real time security task manager can be used like anvir (freeware). for networking security real network firewall can be used like ghostwall (freeware). all that tools must be preconfigured and used all together as one security solution that virus problem can be solved without buying other super-viruses that have the single aim to get your money and that's all.
    thank you nir, for your the greatest free software tools.
    the are often used in our free software project cause they are extremely useful!
    have a nice day!

  13. kc5kdw says:

    I work as an IT Tech Support rep at a software company. Our software uses Microsoft SQL Server as its database. Over the past year McAfee has been a horrible problem for us. It seems they block the SQL server right out of the box. You have to buy their higher corporate version in order to not have it happen. Our clients are constantly getting an invalid database connection, because the DB is blocked. What makes it unsafe? It requires the use of two ports to communicate. Firewalls and spyware companies seem to have taken over the computers. They slow them down, and often don't catch half of what is actually spyware and viruses. It's sad, but I find it easier and safer to run without all that junk running all the time. I have found other ways to be preventative.

  14. ncdave4life says:

    Which AV companies are best/worst in this respect?

    I assume that McAfee and Norton/Symantec are terrible. But what about the rest: Grisoft AVG, Avast!, AntiVir, BitDefender, Kaspersky, etc.? Are any of them reasonably responsive to false-positive reports?

    I have some AV recommendations on my web site, and I'd like to add this info to it:
    http://www.geeksalive.com/links.html

    Thanks,

    Dave Burton
    Geeks Alive! Computer Rescue
    Burton Systems Software
    Cary, NC USA
    http://www.burtonsys.com/email/

    -----

    Hey, Nir, do you know that your blogger comment-posting system is broken?

    I tried six web browsers. Only one of them works.

    In Firefox 3.0.5, Safari 3.2.3, Chrome 2.0.172.37, and IE 8 under XP Pro, after I select my TypePad ID, your page brings up a Preview and Word verification box, but there's no place to enter the verification word, and, in fact, the picture of the word is clipped off at the bottom.

    In IE 8, there's the added annoyance that the scroll bar doesn't work in the preview box.

    The Off-By-One browser doesn't work, either.

    (Also, in some of the browsers, the Preview button does not work; it produces an error message, "Your request could not be processed. Please try again.")

    I posted this using Opera 9.52, under which the mouse wheel scrolls the box to expose the place to enter the verification word and the "Post Comment" button. Opera seems to be the ONLY browser that works to post a comment here!

    Dave

  15. PeterPC says:

    This is so annoying – I try to help out reinstalling some guy’s PC.. getting the keys out of the old and more or less crapped windows installation – and almost before I start ProduKey I’m told that this MUST be a generic virus trojan or whatever – this time it was McAfee
    Could we make a petition list or somethin ? – would that help ?

    Peter

  16. edwin says:

    this is really pissing me off. I have to disable the antivirus prog to regain the lost e-mail password of a friend. Had this with f-secure and trendmicro.

  17. packmule says:

    Great program. So little, so easy, so fast and still so effective.
    You need such program once a year or less, so put your virus defender software on
    off state (disable it) and read your key. next boot its on again. and everything is fine.

  18. dbur says:

    I’ve been using a simple time sync prog for about 15 years (AtomicClockSync). Just a couple months ago Trend Micro started calling it a trojan or virus or something (Can’t remember exactly which right now). I’ve also been using Trend for many years without ever seeing this before.

    I reported this to Trend and their ultimate response was ‘Stop using this program. It is not compatible with Trend Internet Protection’

    I ended up just adding it to the exceptions list.

    I can see why this is unfair to the small SW developers. It seems they should band together for some class action lawsuit that gets them more attention from the AV companies.

  19. Pete says:

    How about lobbying the anti-virus/malware testing organisations to include false positives as a negative in their testing? Perhaps some already do this, but when I looked at the latest test from Malware Research Group they seemed to rate the tested programs only according to how many true malware programs were detected (i.e. true positives).

    I’m sure if some of these anti-virus programs started dropping in the ratings, or their favourable reviews became less favourable because of high rates of false positives, they’d quickly begin to work harder on remedying the problem.

    After all, if an anti-virus developer wants a perfect score in one of these review tests, it would be simple to achieve: just block EVERYTHING. Makes no sense, but would get a great test score.

  20. Richard says:

    Nir! Great programs but yes, the false positive problem is an issue. I only have AV problems with your software when you use UPX for executable compression. Any chance of releasing executables that haven’t been compressed?

  21. Karlis says:

    Our product iNet Protector is constantly detected as malware. We communicate with anti-virus vendors every month, but false alarms come back. Today this is harming our business to a very significant extent.

  22. megablue says:

    I faced the exact problem, my legit program has been classified as trojan/virus… those antivirus companies really go too far.

  23. Concino says:

    I think I’d select two major players in the market: Symantec and McAfee, and call their P/R department instead of sending your exe and asking them to remove the false positive.

    We’ve had a similar problem in the past and all of a sudden one of our utility executables was detected as Malware by Symantec; after a week of communication, the problem was fixed permanently. When you use their web site, you’ll always find people that cannot make decisions, but once you involve their legal, security or PR departments, you’ll get to the right people to deal with the situation on hand.

  24. Code6226 says:

    Yes, I’ve had the same problem with Avast. They reported a part of my software, Puchisoft Dispatcher, as a virus. To report the virus, you have to actually install their software (You can’t just email them). So I did, and I used the software to report the virus, and they just ignored me.

    I ended up having to change the code to do the exact same thing, but differently, which Avast didn’t think was questionable, even though I was doing the exact same thing! Sigh… This is why I don’t use Avast anymore.

  25. Max B. says:

    I’m a sysadmin, I deal with users forgetting their passwords and me needing to get access “somehow” to a remote machine… Your tools, sysinternals and a few dozen others are MUST HAVE TOOLS ! (they should be packaged with windows!, it’s THAT essential!)

    I did face the false alarms, I did face the deleted executables .. (we switched to Symantec’s endpoint protection)
    I’m faced with our proxy protection (websense)…

    When are people going to understand, we are there to help… and yet we are seen as the bad guys from people who don’t know, or don’t have the needs we have …

    I will pray for AV companies to ban the “hacking tools” section of their products!

    (if you install metasploit, I mean, you know what you’re doing … it’s not like you don’t know what you get into…)
    AV should consider that fact…

    or well.. . … if you’re unhappy use linux… but by doing so, you won’t help other users in need of “respect” with their own online behavior !

    Thanks for reading and thanks for that bell ringer of an article!

  26. Tomas says:

    I use USB stick with integrated read-only switch, that prevents Nirsoft utilities from being deleted by any antivirus, when I plug it into foreign PC.

  27. Greatful Fan from the Baltic rim says:

    I’ve been using your utilities for some 8 years, I guess (not absolutely sure), and I’d like to say THANK YOU.
    I have several times sent messages to some companies that produced anti-virus and security software (like Zone Alarm) in order to explain that NirSoft products should not be blocked. The problem is that I get no response and I cannot know if they care a straw for such letters.
    I think these companies are too big to be scrupulous about small developers and small clients. The smaller companies or those that are based on a different approach would be more careful. For example, I remember some time ago Spybot-S&D included Nirsoft in its black list but then the list was corrected. Unfortunately, it is difficult to imagine companies that produce effective anti-virus software (which means a global task) to “waste their time” for the benefit of a relatively small group of individuals.
    I must just note with regret that even Nod32, which used to be much more fair to NirSoft, now has it blacklisted, too. If you use the highest level of protection with Nod32, then you cannot download Nirsoft programs. In some cases, they get deleted automatically.
    So what should I do to correct this problem? Organize the petition or what?..

  28. Sven says:

    I found an interesting Test on Antivirus and “False-Positives (FP)”.
    At

    http://www.av-comparatives.org/comparativesreviews/main-tests

    you can view the test as a PDF. The last one is from August 2009.

    At page 10 you’ll find out that McAfee, Norman and Kingsoft detected over 40 FP while Bitdefender, Avast and MS detected 4 and 5 FP only.

  29. Kimmo says:

    Just today I tried to download NirLauncher and the zip file is intercepted by Trend Micro during download and I cannot download it. Being a technical at testing lab this is quite annoying that I cannot use some tools necessary for work. Thankfully corporate security allows exceptions to uninstall or reconfigure Trend Micro when it’s interfering with work. Overall Trend Micro is not bad but it’s really slow and resource hungry. Symantec was better.

    Good thing is that all AutoIt apps I create, to date, work with Trend Micro.

    F-Secure also gets lot of FP’s.

  30. Terry Bennett says:

    I have switched Internet security software from BitDefender to G Data and though I really do prefer G Data it still has the same problem with issuing false positives. I am trying to find a contact I can get in touch with to report the problem to. NirSoft has so many great utilities it’s sad to see this situation crop up again.

  31. Eduuu says:

    Antivirus softwares just exist to leave your system slower. the detection technique they use is “dumb” because they compare codes with a database that is constantly being updated. if you code a decent private cryptor, all “viruses” will be undetected to these boring softwares. Also notice that due to this behaviour, if your program has some piece of code in which another application known to really be a malware then it will end up being detected as well.

    I don’t use these softwares except for testing and vulnerabilities research. My advice is NEVER trust them. If people used a restricted user account on Windows, let the system and applications always up to date and specially, didn’t open any kind of files they receive like pictures.exe (very well known social engineering used by malware) which surely is something malicious then they wouldn’t need an Antivirus since 99.9999% of the infections are the user’s fault and not a critical remote vulnerability that was exploited by a recently coded worm/virus.

  32. gio says:

    all my antivirus software and registry cleaner have been flagged by norton and main antivirus as virus! this is ridiculous! thanks for this article, it’s 100% true!

  33. Sathya Ramanna says:

    I got a false alert by McAfee about iepv.exe saying Detected As “Artemis!28C110B8D0AD”, Detection Type “potentially Unwanted Program”. It did not clean or block the utility from running. This blog helped clarify the AV alert could be ignored.

  34. Iris says:

    Well, I use Antivir (Avira)… and it suddenly started “spotting” SysInternals psexec.exe as a virus … There’s a note on this from a user inside their OWN forum!

    When I get a “virus warning” I usually google it first, to see if it’s a FP. But it’s BORING having to do this 1,2,3,100 times…

    BTW, a fine way to “appear” on google and alert users like me is to post in the AV software forums.

    Of course your Password recovery tool was branded as a “trojan” … one more for the exception list.

  35. Juan says:

    Make your applications Open Source, so even if the antivirus panics, the user can still see the source code and confirm that there’s nothing harmful in it.

    Not providing the source code of a free (gratis) software is suspicious.

  36. PJ says:

    First…thank you for all these great little programs. I really learn a lot by using them. Since they are free, I get the chance to see things and learn from them that I couldn’t do if I had to purchase some of the larger and very expensive programs out there that do the same things.

    I ran DNS Data View this morning and Norton Internet Security 2010 flagged it as a dangerous program, but gave me the option to allow it (which I did of course). They also provide a way to pass along through the program to all other users whether something seemed safe after using it. Of course, that is all based on opinion, but I am happy to pass mine along about NirSoft products to try and help.

    Oh, and Juan….if you need to see inside the code, there are a couple of neat programs to do that too. I can only think of one right now (the others are on my other machine). I will post back later with other names. The one I am using right now is Resource Tuner (restuner.com). Trial version available.

    Cheers!

  37. analyser says:

    @Juan
    AV companies doesn’t need to have source code..
    They use reversers & debuggers to analyse machine code & behaviors of the programs :p

    Since Nirsoft “password recovery tools” doesnt connect to the internet to send something, its a bit pointless to tag them as “trojan” because ALL TROJANS (i mean trojan, not virii) are using internet , right? Yet, i also saw real UNDETECTED malware embedding your pwd tools WHICH WERE DETECTED, using them with command line to record passwords, and send files to a remote server (which then i get fucked by the ISP :p)

    Crazy AV, no?

    I have the same problem with my Nod32 when developing my own crypter for my own programs…
    Since it’s based on an open source crypter used sometimes by viruses, Nod constantly shows FP when I compress dummy test programs (which just do a messagebox).. So, this is obviously not the program content that warns NOD, but really the encryption itself..

    Well, I have an idea… To stop Virus detection, maybe you can use a tool that mangle / destroy / add junk/ add a sort of VM to the code? This may also stop scammers and rippers like the MSNinfo ones 🙂

  38. pcunite says:

    Antivirus software has lost its relevance. Just run your Windows System using LUA+SRP ideology.

  39. Bruce says:

    The only way for this to change is for small software publishers to collectively sue 2-3 antivirus software companies (e.g., Symantec, McAfee) for libel. When my McAfee comes up and says that your software is a Trojan (like it just did) – it is a false statement and it is damaging your business. The only problem, of course, is that since you don’t charge for your software, damages may be hard to prove.

  40. Peter McGovern says:

    I agree that this is a problem. I hate it when a software program that I purchased deletes or quarantines programs that I have installed without asking my permission. This is especially irritating if the action takes place because of a false positive.

  41. Jim M says:

    Nir,

    I couldn’t agree more. It is not getting ridiculous – it has been ridiculous for a long time now. The only way I was able to even download your utilities in the recent past was to disable NOD32 completely. Then I downloaded them and stored them all on a flash drive. Whenever I needed to use them I would first disable any AV and AS programs. Lately I am able to download the Nirsoft utilities without any interference from NOD32, however I still disable it when I run the password utilities.

    Thank you for writing this article. Hopefully more people will contact their AV developers and let them know that this won’t be tolerated.

    Jim M

  42. tr says:

    The only real solution is to make a website with a database for users that points to real developers. Kind of like filext.com. After a time it will become an authority on established developers. New developers should always be treated with suspicion.
    You can also make a utility that checks programs’ checksum and verifies it to a database. If it will become professional enough to not allow malware writers to pass the test it would become a priority for AVs to make sure they don’t FP your database entries.
    I think you can even ask for AVs to pay maintenance costs after a while (depends on your security and quality). It’s also in their benefit and it means savings in testing and inventing new problems for their customers (that cost money in support).

    There is no other solution and there will never be.

  43. anarresti says:

    Hi,

    A scan by Systweak’s System Protector identified MailPassView as malware, on my work PC.
    I had no idea I had MailPassView installed, and haven’t had a chance to discuss it with the person, at work, that is in charge of computers.

    I have just a question: is it possible for someone, a hacker, to remotely use MailPassView to steal passwords from my computer? Or the only way to install it is by having direct access to my computer?

    I did not clean it using my antispyware software yet, but I will if I suspect that no one here (with administrative privileges) installed it as a password recovery system.

    So, all I would like to know is: can MailPassView be installed remotely by someone hacking into my computer?


    Thank you for your time.

  44. yke013 says:

    I do fully agree antivirus are pushing too far their heuristic sensitivity
    It’s crazy cause it’s almost preventing from writing smart & optimized code !
    All of this for commercial reason…

    Keep on your great work… I’ll always disable my antivir for your great tools 😉

    PS : you can use that great web site http://www.virustotal.com/
    to have suspicious files analyzed by 40 antivir…

  45. sceptic says:

    I have uploaded IE Passviewer on virustotal.com. 16 out of 41 scanners classified it as Security Risk. To be fair, some detected heuristic or generic Trojans and 3 or 4 explicitly classified this tool as “NOT A VIRUS”.

    Let me say, I had downloads from torrents, that had less issues 🙂 I am not able to test this tool on my own without potentially running in severe security problems.

    I fear I have to pass on IE Passviewer and everybody who is not able to check the integrity of this tool on his/her own should do the same.

    Promised malware/virus/trojan freedom is not worse, but also not better than too much heuristics in security tools …

  46. Tom says:

    I recently contacted AVG reference the ‘Trojan’ false positives, amazingly they have said that they will change the detection to ‘potentially unwanted program’. Unfortunately this doesn’t change the way AVG responds to the detection (it still prevents it being extracted/locks the file), but hopefully will scare inexperienced users slightly less!
    No idea how long they will take to implement this though.

    I submitted a support ticket on the AVG website, which started the following exchange
    E-mail exchange with AVG technical:

    Mon 14/12/2009 09:10
    Dear Sir/Madam,

    thank you for your email.

    Please excuse for the delay of our response. Please let us inform you that the files attached to your previous e-mail were really infected. We would like to ask you to send us all sample files in a password-protected archive to virus@avg.com and write the archive password into the body of your e-mail reply.

    More information about the topic on how to create a password-protected archive can be found here:
    http://www.avg.com/faq?num=1341

    Please be informed that AVG is preparing a similar feature as you suggested in your previous e-mail.

    Thank you for your patience and understanding.

    Best regards,

    Vyara Lachovska
    AVG Customer Services

    website: http://www.avg.com
    ——————————————————————————————————
    Monday, December 14, 2009 1:58:55 PM GMT

    Hi,

    I’ve been asked to provide the attached files in a p/w protected archive. Password is: avg1
    Despite what your tech people have said, these files do NOT contain a virus, they are legitimate password recovery tools. I understand that these could be used as a hacktool, but AVG should only detect them as a potential threat, not a virus. Also the user should be given the option to ignore WITHOUT locking the file – e.g. an ‘I know the risks this program presents and would still like to use it’ button (like the confirm execution dialogue in Windows Vista).
    Also, from a legal point of view, isn’t it libelous against the company that provides these tools to claim that they contain malicious code, when in fact the code in the program does only what is stated by its creator?

    Regards,

    Tom
    ——————————————————————————————————
    Mon 14/12/2009 14:58

    Dear Sir,

    thank you for your email.

    Please let us inform you that detection will be changed from virus trojan detection to Potentially unwanted program.

    Thank you for your cooperation and patience.

    Best regards,

    Ladislav Krejci
    AVG Technical Support

    website: http://www.avg.com
    mailto: support@avg.com

  47. Lauren says:

    I 100% agree with you. I don’t so much have an issue with anti-virus programs being sensitive but when they detect a virus in a non-infected file, then allow infected files to be downloaded I think something should be done about it.
    The government these days complains about people illegally downloading software such as anti-virus, but when you pay for the product and things like this happen can they really blame those people? It’s not something they charge $5 for; some charge quite a lot for a full year subscription and purposely let viruses through so that we pay for their software to fix our computer. I heard that McAfee do that. I’m not entirely sure if that’s true but I was using it and didn’t notice anything unusual. I heard NOD32 is a well known decent anti-virus so perhaps getting your program listed as uninfected by them might fix some problems with smaller anti-virus companies.. well it’s always worth a shot. But like you said developers don’t have all day to be fixing other companies’ stuff ups that are directly affecting your app usage.

    At the moment I use trend and when I went to download your software this is what came up:

    Website blocked by Trend Micro Internet Security

    This Web page has been identified as Dangerous.

    What you can do:

    For your own safety, please close this web browser window now and never return to this website.

    If you still want to see this blocked page:

    1. Launch Trend Micro Internet Security console.
    2. Click Internet & Email Controls.
    3. Click the Settings… link under Protection Against Web Threats.
    4. Click the Approved websites link in the next window that opens.
    5. Copy and paste the address of the blocked website into the list.

    Note: If you think this website should not be blocked, please notify Trend Micro by clicking this button:

  48. Tom Morris says:

    I downloaded Mail PassKey last night and AVG Free flagged it up as malware. Someone on SuperUser told me it wasn’t. Anyway, thanks. If AVG hadn’t flagged it up as a problem, I could have used Mail PassKey to extract a password from Outlook in a few minutes rather than flailing around for hours in regedit.exe and taking my frustrations out on SuperUser. 😉

    Keep up the hard work. I do hope AVG and the other AV software vendors get this sorted. Next time I need to extract passwords, I’ll grab Mail PassKey and ignore AVG. Perhaps one way to do this would be if someone could get together a whole bunch of Windows freeware apps and use them as a test suite for anti-virus false positives. Then publish it – show the world which AV software vendors have the highest number of false positives.

    Also, “potentially unwanted programs”? What? Isn’t that all software? I consider Outlook potentially unwanted, but that doesn’t mean it needs to have a bloody great big warning from AVG saying there’s a problem.

  49. claudio says:

    Hi,

    I experienced the same problem!

  50. Rabin says:

    Yes! I think you are right! I am using an antivirus called VIPRE which is claimed by most organizations as the best antivirus software available. Now, when I downloaded your software to find passwords for nothing but good causes, the antivirus classified it as a trojan with high risk!!! And after I read your blogpost about “antivirus companies – a headache for small developers”, I am really frustrated!!! Right now, I have sent the file for analysis!!! And I am going to contact them too!!!

  51. Troubled Santa says:

    Hi Nir,

    Those who are trying to use your tools are most likely aware that these tools deal with sensitive computer operations. Any tool that tries to access hidden information by overriding “standard operations” is most likely going to be identified as a threat by an anti-virus/-malware program.

    “Large companies” that develop low-level repair tools advise the user to “turn off” any anti-virus program prior to running the tool. Password sniffer! Password revealer! Password INVADER! Whom are we kidding? How else does anyone expect a security program to react to such processes?

    I love your tools dude. They are brilliant! I don’t even care if they are infected! Heh! I am pretty damn sure they are NOT INFECTED! It’s enough to say they are concise, smart and definitely useful.

    Robert S.

  52. ed2k says:

    Oh, those pesky false positive alarms.

    Every third party activity taking place in the sacred chambers of the Windows shrine or when you’re touching the tender bits of the OS they raise false alarms. That’s the stupid of AV companies. They also very simply think that every packed file has a dangerous payload. Not everyone wearing a balaclava is necessarily a thief.

    One should consider the source where they get a file. No need to be paranoid. A minimum of trust is necessary.

  53. rocky says:

    AVG is allowing me to choose to ignore the threat, but it still stops me from extracting the files. While I can disable the resident shield, something else blocks the extraction which I cannot disable.

  54. rocky says:

    I extracted the files on another computer to USB key and copied them to my HD. I still got the warning message but was able to add files to the exceptions list. However if you’re not quick about it, it will go straight to the remove/heal popup (which I just closed - extraction is prevented but nothing happens when the files are already there.)

  55. alejorosario says:

    We must leave the window behind…
    We must use free software!

    Go GNU…!!!

  56. Adrián says:

    Found MessenPass via a post by Tina. 6 Free Password Recovery Tools for Windows.

    I want to thank the creator, or creators of NirSoft. I spent several days trying to get back the password of MySpaceIM, and surprise. MessenPass did the dirty job.

    Do not listen to anti-virus, this program does its job and has to move things to succeed.

    Thanks Again.

  57. YsenGrin says:

    Always the same problem…. Two stories :

    1

    I work in a big company which has a “secured” network. Last week, a technician came to see me

    “Who is mister X ?”.
    “It’s me…”
    “You have some hacking tools on your computer”

    I was obliged to delete the whole nirsoft utilities…

    2

    malekal.com is a French site dedicated to security, a really good site where people always help you. For me it’s the best resource in French about security.
    The whole site was flagged by SiteAdvisor (a McAfee emanation) as a spyware provider… A spyware fix named Combofix.exe was considered as a trojan.

    I know this fix well, it works well, and it can fix some infections that McAfee couldn’t fix or even detect…

  58. frankie says:

    I love these tools. Sad to hear that small companies are being targeted as victims, as viruses in their software, but the bad thing is if big companies like Microsoft are able to bypass any anti-virus software with no problems; that’s bad too. All we need is some no-good doers to start cloning their virus as Microsoft software.

  59. Donald Tidmore says:

    Yesterday, I was at a public library using their high-speed internet on one of their public access computer
    systems and I downloaded the new 1.8.9 version of Unlocker from the Majorgeeks site onto a flash drive. Nothing
    on the library system decided to pop up and complain about the file during its download, or once the download
    was completed. Nothing popped up when I moved the file from the computer’s desktop area to my flash drive.

    I get home and start copying files from the flash drive to my system’s hard drive, and suddenly Symantec’s
    Norton Internet Security 2010 flags unlocker 1.8.9.exe as having a virus and deletes it forthwith without giving
    me the option of keeping it. The program’s excuse for deleting the file is that it detected a heuristic virus
    which it named Suspicious.ADH . I’ll see if I can submit the program to Symantec for re-evaluation, but am
    not that hopeful that will fix things. This isn’t the first time when NIS decides a program has a virus on my
    system – which logic tells me should be completely safe. That’s because the majority of EXE programs that
    I download these days almost always come from trusted web-sites such as Microsoft.com, filehippo.com,
    and majorgeeks.com. If we can’t trust THOSE companies to scan everything that they post for public usage,
    then every computer user in the world is in big trouble I guess.

    Anyway, I thought I would mention my frustration with NIS in this situation after reading your blogs about
    most of the major antivirus companies finding false positives for viruses in a lot of programs. Winrar for
    example has had at least one of their recent beta releases flagged by NIS as having a virus. In that case,
    it may have been a legitimate virus removal since it was the virus that got put into a LOT of programs
    worldwide that were using Visual Basic if I remember correctly. As for the adware stuff, I wish every single
    system utility program maker was as nice as you are about letting people opt out of the crap they add.

    I am sick and tired of all these programs like RealPlayer that want to shove Google Chrome or Yahoo Toolbar
    or Ask Toolbar down people’s throats. Some of them just install the adware without permission and that is
    really irritating. That happens a lot with Ask Toolbar. It’s too bad the customers can’t file complaints with
    the Federal Trade Commission over that kind of behavior from computer software makers – or can we?

    Thank you for making Unlocker. It’s a lifesaver and prevents a lot of hair pulling when you have files on
    your system that Micro$oft Windows won’t get rid of, no matter how many times you try to delete them.
    But once Unlocker gets sicced on the bad boy files, they get their comeuppance really fast!

  60. Tilman says:

    I am the developer of Xenu’s Link Sleuth, a tool to find broken links. I’ve had my share of “false positives”, I have described these adventures here:
    http://home.snafu.de/tilman/xenulink.html#spy
    I’ll make a link to your blog post after submitting this.

  61. Peter says:

    Suggestion, for False Positives. I run Norton AV 360. Twice I tried to run SearchMyFiles.
    The first time nothing happened. On closer examination, I noticed that Windows Task Manager listed it as a running process. Then I got a popup with the message
    SONAR detected security risk searchmyfiles.exe
    SONAR has removed security risk searchmyfiles.exe. Your computer is secure.
    Then I noticed that the program file was deleted.
    So, I re-extracted it from the download zip file and tried running it again “As Administrator” a Vista feature, thinking that I could over-ride the AV block.
    Same thing happened again.
    This time, I clicked on the SONAR details, and to Norton’s 360 credit I saw the option to ignore this so called “threat” and ignore it in future scans.
    Now, it runs without problem and to NirSoft’s credit, exceedingly well.
    Therefore, my suggestion is to check your Antivirus Software for options to ignore files/programs it detects as a “threat.” Perhaps look for an exclusion list, but search and you will find, also contact your Antivirus publisher for help on this.

  62. Wahyu Primadi says:

    #> My program (compressed with Executable Compressor) detected as virus by some antivirus products.
    #> My Console Program (running in debug mode) detected as virus by N0RT0N 4NT1V1RU5.
    #> My Windows Script Shell was blocked by some antivirus (feature called: script blocker).
    #> and others shit… :p

    I think I will create an antivirus by myself 😀

  63. Mario says:

    I’m a small tools user. I have encountered this problem a lot.
    I’m using McAfee Enterprise, which is a must for my laptop as a policy of my company. I complained to the IT department. Wish they can help ask McAfee to stop false positives.

  64. Michael Mol says:

    Just a few weeks ago, Norton FP’d on a binary that we include with every single product we ship. This binary has one use; tell daemon portions of our software to shut down, so we can update them–so Norton was allowing the installer to run, would trigger on an extracted file, and then the installer would fail with “Sharing Violation” when it went to update the daemonized components.

    Grr.

  65. Niktu says:

    Some av-software review sites do notice false positives as important hit to software quality.

    As an example, http://www.av-comparatives.org/ currently rated Avira as one of best in most of their tests, but it didn’t land in their top-3 overall solely because of massive amounts of false positives … I think it will make Avira makers notice, I hope.

    Since av-vendors cooperate when it comes to virus signatures, I don’t see any reason they can’t cooperate in the FP-signatures part as well (both to verify their heuristics in testing and to step off software authors’ tails once reported) … all we need to do is to make it pricey for them not to do it … somehow.

    PS. Thanks for nirsoft cache of quality software … been saver on many occasions and indispensable tool in others.

  66. Christopher Brendel says:

    I am glad that I found this blog! I am an independent game developer, and the installation file of my latest game has been detected as malware by many anti-virus programs! I am currently dealing with a number of unhappy customers, and I feel completely helpless to fix the situation. I am both relieved and saddened to find that I am not alone in this issue. I have linked to this blog on my site. Thank you for making us aware of the situation!

  67. Sebastian Nielsen says:

    I can tell you the reason that AV programs are getting False positives:

    Antivirus software does not ONLY scan for known viruses. It does also try to scan for unknown viruses by detecting “viral behaviour”.

    Viral behaviour is defined by the AV company in the antivirus software, but often viral behaviour is to try reading passwords from the system (as much malware tries to steal passwords), or taking screenshots, reading keyboard in unusual ways, controlling mouse/keyboard (can be a sign of a Remote Access Trojan, RAT) and such.

    And then, the antivirus software detects the function in your software that reads passwords, and then it thinks it is some sort of evil password-stealer software, and then it classifies it as a generic trojan or something like that.

    About Christopher’s case, it can be some code in either the installation packager, which tries to modify a vital system file (to install game drivers or something like that) that the AV keeps under surveillance, or it can be code which detects keypresses in game via hooks, which the AV thinks is a keylogger.

    A good idea is to write software WELL, do not use suspicious functions/APIs/Hooks. Instead try to do it via the built-in safe functions, like DirectX and such. This will not cause antiviruses to complain, since such built-in safe functions do have safeguards which prevent malware from using the functions in a feasible way, both in AVs and in the functions themselves. For example a function will only be allowed to run while a fullscreen app is loaded. And AV software could have exceptions that for example a game is allowed to hook keyboard via DirectX while it’s running fullscreen or has focus.
    When focus is removed or the game exited, it must remove the hooks.

    Trying to do things the “wrong” way, will cause AVs to complain.

    And when you report a False positive, what AV companies have to do is to either create a whitelist-signature which excepts the software from detection, rewrite the detecting signature (not always easy to do) or add the hash of the false positive to an exception list.

    And here comes a security problem too: The problem is that an AV developer cannot whitelist too much, since then virus developers can write their virus in a way so it will fit a whitelist signature and skip detection.
    And the AV developer cannot put too many whitelists, since it will be huge for users to download, especially if the user comes home from a long holiday and should apply an update while their last update is 1 month old.

    Another problem with whitelisting your software, is that your software might not protect itself enough, so a virus/trojan could then piggyback on your software, for example shell():ing your software and then hooks into it to read off passwords and send them to some server.

    This means the AV developer has to prioritize what to put in the whitelist and what not to put in the whitelist. Of course they select to whitelist software from larger companies (with a larger user base) than from small developers/companies.

    So the conclusion is that, this with false positives is something you have to live with when you develop software which are “security sensitive” in one or more ways, which your software is. Like you have to deal with the police if you engage in suspect activities (even if the activities are legal).
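
Added example (not part of the thread and not any vendor's code): a toy Python model of the checksum-database idea from comment 42 and the exception-list trade-off from comment 67, comparing an exact-hash exception with a broad whitelist pattern. All file contents, marker strings and names (`ExampleSoft`, `api:ReadStoredCredentials`, the policy names) are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for program files: plain byte strings, not real executables.
TOOL_V1 = b"ExampleSoft PassRecover 1.0|api:ReadStoredCredentials|ui:ShowTable"
TOOL_V2 = b"ExampleSoft PassRecover 1.1|api:ReadStoredCredentials|ui:ShowTable"
# The v1 tool carried inside a different program (the piggyback case from comment 67).
BUNDLE = b"loader|" + TOOL_V1 + b"|net:SendToRemoteHost"
EDITOR = b"ExampleSoft TextEdit 2.0|ui:EditText"

SAMPLES = {"tool-v1": TOOL_V1, "tool-v2": TOOL_V2, "bundle": BUNDLE, "editor": EDITOR}

# Hypothetical heuristic: any file that reads stored credentials looks suspicious.
HEURISTIC_MARKERS = (b"api:ReadStoredCredentials",)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup_publisher(data: bytes, registry: dict):
    """Comment 42's checksum utility: exact-hash lookup in a developer registry."""
    return registry.get(sha256_hex(data))


@dataclass
class Scanner:
    # sha256 hex digest -> "publisher/product version" (the hash exception list)
    registry: dict = field(default_factory=dict)
    # broad byte patterns that exempt any file containing them
    whitelist_patterns: tuple = ()

    def scan(self, data: bytes) -> str:
        if not any(marker in data for marker in HEURISTIC_MARKERS):
            return "clean"
        if lookup_publisher(data, self.registry) is not None:
            return "allowed-by-hash"
        if any(pattern in data for pattern in self.whitelist_patterns):
            return "allowed-by-pattern"
        return "flagged"


def compare_policies() -> dict:
    """Scan every sample under three policies and return the verdicts."""
    registry = {sha256_hex(TOOL_V1): "ExampleSoft/PassRecover 1.0"}
    policies = {
        "heuristic-only": Scanner(),
        "hash-exception": Scanner(registry=registry),
        "pattern-whitelist": Scanner(whitelist_patterns=(b"ExampleSoft PassRecover",)),
    }
    return {
        name: {label: scanner.scan(data) for label, data in SAMPLES.items()}
        for name, scanner in policies.items()
    }


if __name__ == "__main__":
    for policy, verdicts in compare_policies().items():
        print(f"{policy:18}", verdicts)
```

The exact hash exempts only the one released file, so every new version needs a new registry entry, while the broad pattern also exempts the bundle that merely contains the tool.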

  68. Sergey says:

    I had this problem with Norton AV. First time it destroyed all your programs. Next time I put all your programs to exclusion list. Since that everything was OK.
    So to be realistic I propose just to put the warning to readme files. Normal users will manage antivir progs. Stupid users still may blame you if they do not read “readme” files.
    Anyway your programs are fantastic!!!

  69. Alureon says:

    The blog was a little tl;dr but I agree with all that is being said.

    I am programming myself using VB6, but since for example Avira updated to 8,9,10, almost ALL of my programs cause it to lie about it being a virus. Once I compiled just a simple form and it gave a false positive O_o

    Sometimes I was able to trick Avira by upx’ing the exe, but not even that helped sometimes.
    This is the reason what caused me to switch to Kaspersky, but wait:

    (quoting Sebastian Nielsen: “A good idea is to write software WELL, do not use suspicious functions/APIs/Hooks. __Instead try to do it via the built-in safe functions, like DirectX and such. __” )

    Actually, that doesn’t apply to Kaspersky. ALL games that utilize DirectX to read the Keyboard are now (how could it be) KEYLOGGERS (of course, duh).
    My exception list is long enough – and that mainly because of the games, which are listed sometimes up to 4 times. On the other hand: Recently my PC was infected with a virus, no idea where it came from, nor what it causes, Kaspersky didn’t recognize it. Same counts for the older kaspersky 6.0 for Windows Server 2003. WTF, is an old program version NO REASON to give it actual signatures? *grrr*

    I am not going to rant about McAfee’s processmania, which are unprotected from (forced) stopping or Avira’s behavior NOT to protect its own damn signatures from DELETING WHILE the program is running. I hope they fixed that. Would be fun to see a new virus doing that, though.

  70. Ian says:

    Hey Nir et al.

    Love the utilities.

    Something most people don’t know, is that virustotal.com actually submits the samples to their respective engine vendors once we’ve uploaded them. This was done in response to malware authors running their code through the engines in order to obfuscate more effectively. I’m wondering if it might not be a bad idea to upload all of your .exes /.dll’s in hopes of having them re-categorized or made “known.” The problem arises when less scrupulous companies with phantom labs, actually copy detections from larger vendors. Detailed in this article:

    http://www.theregister.co.uk/2010/02/10/kaspersky_malware_detection_experiment/

    I’m not recommending a product, but i can tell you that Sophos has been very receptive when I’ve submitted your apps for white-listing.

    As for false-positives, endpoint security suites are scrutinized on their ability to catch 0-day type threats with their heuristics/behavioral analysis, so I wouldn’t look for it to get better in the near future. From their standpoint, it’s better to be safe and manually authorize a potentially harmful app, than to face the consequences of not making a move.

    I would also be remiss, if I didn’t throw in the extra security built into HIPS, which is becoming prevalent and increasingly necessitated in corporate environments e.g. how else would you block a piece of malware with thousands of variants without a behavior pattern. Lots of false positives here, including your tools 🙁

    The game has changed thanks to fakeantivirus and its ilk.

  71. lwerman says:

    We have a SonicWALL appliance at work and it blocks the zipfile from being downloaded. The dialog claims the detection of “Asterisk.C” (Trojan) by the SonicWALL Gateway Anti-Virus Service.

  72. Dave says:

    I have just installed your NirLauncher on my PC and Microsoft Security Essentials immediately reported that:

    – rdpv.exe is Hacktool:Win32/Passview, and
    – iepv.exe is Trojan:Win32/Bladi!rts

    I will notify Microsoft.

  73. Riter_35 says:

    I just downloaded NirLauncher (based on recommendation in Brian Livingston’s Windows Secrets) after nervously overriding the “dangerous” warnings. I haven’t installed it yet. According to the preceding posts, there apparently won’t be any issues with it. But how am I to know? Install it and face the possible consequences? Set up workarounds?

    As a user (advanced amateur?) I find myself torn:

    A condescending “Well it has to be said, that if the users are so stupid that they cannot tell the difference between a legitimate program and a virus, then perhaps they shouldn’t be using them” isn’t terribly enlightening. How are we supposed to tell the difference? Run the program to find out if it’s a virus? Run the program and if all goes well, congratulate myself on my brilliance in not being stampeded into a virus panic?

    = = = = =

    So how does the user sort out the real stuff — safely?

  74. Dave says:

    While I was reporting the problem to Microsoft, I noticed this page on their web site, which I thought might be of interest to you, as it is specifically for software vendors to report false positives:

    Microsoft Anti-Malware: False Positive Report Form (http://www.microsoft.com/security/portal/Shared/VendorFP.aspx)

  75. James says:

    I personally use kaspersky, $100 for 2 years on 3pcs. (Less than $17 a year)

    Personally, I don’t think my computer would last 5 minutes without it. I go to a 1-1 school (A school where everyone has laptops) and the amount of viruses/malware I get is horrid (even hidden .bat files on USBs)

    Kaspersky always asks what to do, so if there is ever a false positive I can stop it from removing the application. It is also useful in that it lets me control any suspect program (lets me run an infected program while denying it networking and file system access)

    I’m not saying Kaspersky is the best, but it is the best I have found so far. Personally, while I love FOSS I always go commercial when I want something that will work without me putting thought into it.

  76. TS says:

    Completely right – just using a runtime packer or some other not-so-widespread technique is usually enough to put you into the virus/malware report list of a couple AV engines.

    And I suspect that “security software” manufacturers are quite happy with all those false positives in their firewalls and AV engines as they make their products seem as being useful and effective – as long as they are lucky not to damage the whole system or trash a well-known app, most customers won’t even realize that they’re fooled.

    I think today security software already does more harm than good, here´s my experience with AV software:

    -backup script killed by AV software putting one of the command line tools used by it into quarantine (took me one hour to fix it and caused one week without backup – luckily i did not need it then)

    -two system utilities blocked as malware, nothing severe but still annoying as the AV tool seems to have a buggy exclusion list

    -automatic signature update stopped working without warning on one machine, thus running with outdated data unnoticed for several months

    -one personal firewall caused a machine to crash just by PINGing it

    -one harmless joke program triggered an alert as virus “JOKE/something”. Not that wrong, but it would scare the average user more than necessary, thus possibly overreacting

    -one colleague got a trojan mail – detected successfully by AV software , but the machine got infected successfully anyway

    -one friend got malware via PDF – detected successfully by AV, but the machine was infected successfully anyway

    -another friend got his OS damaged into an unusable state by AV a few days before the ultimate release deadline, thus not beeing able to finish his job in time.

    -one free program I´m publishing got marked as malware/spyware/suspicious by a couple of well-known AV products, thus scaring users and potentially damaging my reputation

    -one of the DOS files on my HD is reported as infected (which is somewhat correct as it still contains parts matching the signature), however the virus contained in it is inactive as its entry routine got overwritten by a repair tool. Quite annoying as the original is nowhere to be found anymore

    -an old 5,25″ floppy was marked as containing a boot sector virus (correct)

  77. Ganesh says:

    Yes. AVs are not only bothering developers but their customers too! McAfee recently released a pattern update which flags svchost.exe (in system32 dir) as a virus. And apart from flagging, it deletes svchost.exe, making several computers unbootable! And for this mistake McAfee offered a rescue boot disk to fix the PC and, as compensation, it offered another freebie to the customer! Guess what? 2 MORE years subscription of dreaded McAfee software!!! I can’t stop laughing!

    Similarly, some years ago Norton implemented some tough activation measures to lock down pirate copies. Guess what? The so-called activation software had a vulnerability using which many systems were hacked! In other words, the people (& customers) who had legit Norton AV installed on their PC got hacked, while PCs which had some other AV or NO AV at all escaped!

  78. Ganesh says:

    In the end, it is like going to a doctor for a medical check up and getting infected during the process of the medical checkup! Why the hell is the check up for in this case?
    Similarly AVs which are designed to keep up the productivity, by stopping virus/malware, they themselves do the damage to the PC which they are supposed to protect!
    In some cases impact is mild (a few mins of productivity lost) but in many cases impact is serious (many hours of productivity lost and requiring more man power to solve the mess)!

  79. Alejandro Luis Adelardi says:

    I think the solution can be simple and cost effective. Just make a list of all your software production so we can insert it in the “excluded list” of any antivirus program (even if there is a piece of software that gives no problem).
    For any new program you launch just append it to the “list” so anyone who downloads, from one to all of Nir Soft programs, can assure the antivirus program will not affect it.
    Hope you understand my English and the whole idea.
    Congratulations for making so useful programs!!!

  80. Matej S says:

    Avast antivirus (home edition, free) marks some of the utilities as “Potentially Unwanted Software” . That’s better than Trojan, but I still sent some false positives reports. The “Report false positive” button was right in the warning window. I like the option “Disable antivirus for 10 minutes/1 hour” too. You get why I use this one? 🙂
    Nice tools btw.

  81. Nathaniel D. Gibson says:

    I am the creator of webDOMinator and two of the main helper utility programs that I use (wdbrowse.exe and wdupdate.exe) are required for things like updating the program and doing user registration, etc. Since they are included in my installer program in compressed format, they make the entire installer considered a virus. There are false positives all across the board. I used virustotal.com to run analysis on all of them using over 40 anti-virus programs.

    Trying to guess what these companies are using in their guessing algorithms that make their software consider my software a virus is mind-wreckingly insane. I literally think I’d have a better chance setting up a petition and lobbying in the government to pass a law requiring anti-virus companies that use heuristic-guessing algorithms to hire the staff necessary to answer and correct all false-positive reports within 48 hours.

    Their laziness and greed has ended up costing me countless clients because people download my program every day, and I’m sure that over 60% of people cannot use my software correctly due to anti-virus companies. I have even got my website reported and had to fight to get my website back up because my web site server company suspended my account. This heuristic guessing stuff causes not only a bad reputation for software developers, but causes more work to have to be done to try and figure the logic of some of these companies.

    They will not see the error of their ways until THEY are actually affected by this themselves and end up losing money because it’s all they really care about. I think someone else already mentioned that most anti-virus companies would benefit from doing this because it would make it seem to the clueless end consumer that the internet is much more filled with viruses than it really is, thus causing more conversions on their end at the cost to the small software developers.

  82. Lee says:

    As a security professional, I understand the issues that non-security minded individuals face. I have used these so-called virus/trojan tools… they are not. It’s annoying to have to turn off my virus scanner/make an exception to allow these needed tools. Is there something that can be done to mask those great tools from being blocked by the anti-virus scanners? As a forensic examiner, in dealing with live systems, I need to grab critical evidence without the need for av scanners to get in the way.

    Please keep developing these kinds of free tools… You are a trusted site!

  83. Javier says:

    I am one of those people that constantly forgets their password because for security reasons I have a different one for all my accounts and your programs have really helped me, so thank you and if people think your programs are viruses then they need to learn A LOT about computers.

    Thank You for all your programs and keep doing a great job.

  84. MRw0rmX says:

    Security Essentials from Microsoft (MSE) only detects MessenPass. Why?? Because I could easily and with a little .Net programming transform this app into a deadly IM password stealer. I think that considering these tools as Riskware is appropriate since it is so easy for hackers to use them for bad purposes.

  85. Ramiro says:

    I have several utilities, one of them is a keylogger for Windows. Initially I developed it for my own use. We know that a keylogger can be used for good or bad purposes, I can’t control it, but I stated it before the installation begins: don’t use for illegal purposes.

    These years I am facing the problem of false positives, the users simply are not able to install the software because before the installer starts several antivirus simply delete it. My sales drop 90%.

    If internally we simply use an API, example: TerminateProcess, several antivirus list our exe as virus, that is stupid!
    I will try to make noise about this problem. In a few minutes I will submit an answer to kasper “…Can you send us a description of the functionality of this file? This file is engaged in theft of passwords.”

    Thank you for your initiative.

  86. Ramiro says:

    I will save my time writing to antivirus companies, they are not going to remove my software =(, kasper, trend, etc. A new compile probably could help, but I would like to reproduce the article or idea of Nirsoft.

  87. Roland says:

    I have false positive with McAfee on portableApps and Xenu – thanks for this article that explains a lot – I could have been one of these users thinking “bad bad developer who put a trojan in their program”!
    byz++
    roland

  88. Crow says:

    We were developing an update downloader for our software. After we finished building the application we went to test it. Works great and very reliable and stable. EXCEPT Vipre and Norton detect it as a Trojan virus.
    So I sent them both an email to see why they are detecting an application made by a developer as a virus?

    I can see their point, using this app for ruthless scams. But we do not even get involved in crap like that.
    The problem is, the definitions are so broad that it detects anything remotely close to the definition.

    For anyone that does not quite follow that line, it’s like this: I build a virus detection application that detects the letters A, E, I, O, and U. Well, now it is going to detect any words that contain any of these letters. So all words are going to be detected as a virus.

    We need to demand that they be more precise and specific in their definitions. Right now they have us over a barrel because of this. The fact remains that when it comes down to us or them. The customer will take the side of the anti virus over us. It would seem to me that virus companies would have a developer submit area. Then they could check the file and add it to the definition list of as acceptable.

    Right now all they have is the broad list of what they look for. They need to make a developer submit area so we can submit our apps, and be added to the don’t check list.

    If an app is detected as a virus by some piece of crap anti virus program, it is easy to tell the customer their program is faulty. But when Norton and other well known Virus programs pick it up, that’s a pretty hard one to sell.

    I

  89. Vagablonde says:

    Just a note.. I have used your software on several occasions.. and thank you for the great work.
    I use Trend Micro.. and I have submitted several times false positives to them.
    I receive no reply so I have no idea how they handle that, it has even gone so far as to block your website.
    and if I do bypass that it won’t allow me to download anything.

    It does detect your pass software with virus.. and I just came upon this blog.. so I don’t have that information.
    but I do submit as false positive … keep up the great work !!!!

  90. Ander says:

    I just scanned NirLauncher 1.06.11 with AVG Free Edition 9.0.851, and it said NirLauncher contained nine “Potentially dangerous objects”. So no, it looks like AVG did not do what they promised—to change it to “Potentially unwanted program”. Too bad.

    I’ve posted about this on AVG’s forum.

  91. Ander says:

    In case you’re interested, here’s the URL of my posts about this on the AVG forum:

    http://forums.avg.com/in-en/avg-free-forum?sec=thread&act=show&id=106153#post_106153

  92. Brad says:

    A lot of the prank programs I use are blocked by Norton 360 and are called “security risk joke program”.

  93. Ges says:

    All I can say is keep up the great work…
    Thanks for the useful tools.

  94. Camo Yoshi says:

    I use ClamAV for Windows and I’ve a couple of problems with UPX compressed EXEs, but nothing severe. NONE of the NirSoft Utilities are detected by ClamAV so I guess I’m one of the lucky ones. 🙂

    Either way, after hearing this I may stop installing Avira on my customer’s PCs entirely, and use only ClamAV or MS Security Essentials.

  95. jbad2208NL says:

    AVG also detects false positives but luckily not all your programs, but still it’s annoying, and even some false-positive programs that are verified by reliable sites are blocked as “trojans” while they’re trainers for games 🙁
    but luckily AVG is more tactful with the comment “possible high security threat” and lets me decide what to do.
    unfortunately like most AVs the ignore buttons are not showing

  96. Jirka says:

    Ignore button in AVG deleted just downloaded file in my comp… But AVG found a good way for managing that problem: You can find a possibility to add a downloaded file to the PUP list in its “advanced settings”, even in the time AVG tells you there is a trojan there… I tried it and the warning message disappeared instantly… I am only afraid that I’ll have to repeat it by unzipping archive… 😉
    But – more: AVG instantly computes and shows MD5 (and saves it for further monitoring) so you can compare it without another tool needed. 😉

  97. Tony says:

    Hello,
    I must admit that my software suffered with this issue for many years until I finally bit the bullet and got a certificate to allow me to CodeSign my apps.
    I had thought I would NEVER do this because I saw it as another rip off for small developers.
    However, since I made the choice and filled in the forms my false positives have almost reduced to nil. It appears the AV producers take note of the Code Signing!
    Just a thought for us small guys. It is a lot cheaper than having a staff member trying to stop the false positives and it really only adds one tiny process after the build.
    I personally chose to go with Comodo as their pricing was one of the best. However, if you are a small developer like me then please press your request with all such groups, they do not give them away easily!
    As an example I downloaded your PasswordFox app to try and get my passwords out quickly.
    I expected my AV program to refuse to run it! It did! No matter what I did no go. So I signed the app myself! Lo and behold it ran first time.

    good luck!

  98. Judi McMillen says:

    I’ve been having problems with my computer for some weeks now, and in trying to get utilities to correct the problems, I ran into your software programs and it looked like it would help. Unfortunately, everything downloaded went into quarantine, and I can’t figure out how to stop it, short of disabling everything which could prove to be just as damaging. I’m stuck, and I am not happy with antivirus programs that constantly identify programs as containing malware, viruses, trojans and the like. Is there not a way to attach a simple code to the program that can be recognized easily by the other major companies? They at least should be looking into this problem. It is why I haven’t gone to purchase anything and I’m still running AVG free, it sucks, but what can I do? I mean, what can I do? Is there a website I can make comments on? Or some other place to broadcast my displeasure at what these major companies are doing? Because of them I can’t get the tools I need to keep my computer running at top speed. I guess I’m going to have to wipe everything and reinstall windows and start over. And that makes me furious. I’m on disability and can’t afford to buy programs like these so I depend on the free downloads to help me out. I’d like to find some way of downloading Nirsoft so that I can continue to use my computer with efficiency

  99. Bob says:

    SuperAntiSpyware flagged Mail PassView v1.70 up as a trojan. Just thought I’d pass it along. I scanned it with Avira before opening and it was virus free. SuperAntiSpyware must be false positive.

  100. Mike says:

    Hi, Thanks a lot for your great utilities, Nir!

    Yes, false positives are a major problem. One reason that I do not have an AV program running all the time. In fact, I run instead the excellent freeware anti-malware app malwarebytes. It has saved my computer before, and has very few false positives. (Well, the on-demand scanner is free. To buy the background scanner, there is a one time small fee, for life.)

    I sometimes do an online on-demand virus scan. I just did with the one at Eset.com. I am very glad I had set it to only detect and report, not delete or quarantine anything. It showed seven infections, which got me worried. On closer view though, all were your utilities. That was what brought me here.

    Which AV program has less false positives? Kaspersky? Are all the free ones bad, including MSE?

    It would be good if the problem was publicized in the general press. If more people were aware of the problem, and demanded a fix from the av industry, and refused to buy the products if not fixed, there would be a change.

    I must comment, however, on one post I saw above by “Ramiro”. He wrote above that he makes a keylogger, which he sells, but that his documentation says not to use it for bad purposes. Ahem…. Are you really that naive? Do you really think that a note in your documentation saying not to use it for bad purposes, will make the crooks go clean, and not use it for bad purposes? I’m sure you know exactly who your clients are, and that most of them probably do use it for bad purposes! Shame on you! I think any keylogger SHOULD be flagged by AV apps!

    Again, Nir, thanks for your great utilities.

  101. Allan says:

    Goodware. Your programs are fantastic.

    Best regards

  102. Jo says:

    Hi,
    Thanks, your program saved me a lot of time. After moving to a new house I discovered that my password was written on the back of my wifi router that I sent back to my internet provider. I have a home network connected with 10 or more devices: laptops, PCs, iPads, Wii, squeezebox etc. :-) Norton said “low security risk” but after disabling it – it worked like a charm.
    Thanks again Nir, for your great program, keep up the good work!
    /Jo

  103. Nikola says:

    Why not make your tools open source?
    People will still donate, maybe even more if they truly believe you that your programs do not include spyware.
    And the only way they can be sure is if source is available and they themselves are able to duplicate building the binary from your source.

    More or less, EVERYONE can say that your program is including spyware, until you provide proof that you are clean.
    And MANY sites of many security tools are saying that it is spyware.
    And you can not fight it, unless you are not OpenSource. It is That simple.
    (There are open source licenses that will retain your ability to control the code and even OWN any code modifications if you want to, etc)

  104. Jan Vorel says:

    I have several false-positives with my software. Even if tools are no longer detected after submitting, the next release is probably a false-positive again.

    Almost all my software is open source, but I cannot assume my users to build the software from source, because this is for some projects rather complex and expensive (Visual Basic & PureBasic license). It would be still detected by the AV software, and the user will not spend years analysing the source code to come to the conclusion it’s no malware, trojan or anything alike.

    The only real potentially dangerous software is my tool “reg2exe” because for the generated files it’s really unpredictable what registry information it may import (so it’s not encrypted anyway – yet), but under that aspect any setup program can be treated as potentially dangerous – unless the AV checks file and registry access.

    – Sometimes tools were detected as false positives when UPXed, but no longer after unUPXing (maybe UPX changes code a little bit http://sourceforge.net/tracker/index.php?func=detail&aid=2903148&group_id=2331&atid=102331 ).
    – My software installer is currently detected as dropper because he ‘dropped’ (installed) a (previously?) false-positive software.
    – I once stripped a PureBasic project down till it was only 2 procedures, first calling the second one, doing nothing at all, and the executable was still detected.
    – Another library is detected after creating the dll from assembler code, which only uses synchronisation (CriticalSection), timer and waveIn stuff. No network, no file or registry access, no IPC, no heap usage, no memory allocation/management, all memory reads/writes without any API usage. But maybe recording from the soundcard compromises privacy, even so it can never leave the dll except a program calls the exported API – which itself only returns the spectrum from the recorded waveform.

    At a friend I had ‘contact’ with SONAR from Symantec and we agreed that program declares any new software as potentially dangerous unless a certain amount of users are using it (or have been using?)

  105. George H says:

    I am a Windows XP user and have not run any antivirus program for years. They all caused more trouble than they were worth. How can people run these antivirus and not know this? I simply have ZoneAlarm firewall installed. I have no idea whether it is working or not, except it claims to scan any files I download.

  106. Davide Boschini says:

    I submitted to Symantec the false positive about wirelessnetview at https://submit.symantec.com/false_positive/

  107. Bruno Finotti says:

    I am an IT consultant and find very useful most of your utils, especially mailpv.exe which I use every time I need to transfer the mail accounts of users who never remember their Outlook password which is stored inside the program. I know very well the problem and think that any antivirus marks at least a potential risk and tries to block it, but I suggest and own just the smart ones that let the user eventually choose what to do, or that can be disabled temporarily (I prefer Avira pro which has many false positives but can deal with them and is very light on the PC). Congratulations for your job that helps a lot to keep easier our job!!

  108. Alexander says:

    Concerning program ProduKey.
    It seems to me, that in some cases some people, preparing packets of programs for distribution, may include virus in ProduKey. For instance Russian program anti-virus drWeb finds virus Tool.PassSteel.469 in ProduKey v1.45, included in packet CPLDAPU. But…the same anti-virus drWeb finds nothing in ProduKey v1.45, loaded directly from web-page http://www.nirsoft.net/utils/product_cd_key_viewer.html
    Your program, sir Nir, is very helpful and nice! Good luck!

  109. jakey says:

    Avira Personal Free Antivirus – Avira happens to be the second most effective one among free antivirus applications. At least, that’s how most experts put it. Though, it doesn’t come with as many features as Avast – it works fairly well. And the free version from Avira won’t claim that it’ll protect your PC from spyware. For getting covered against spyware, consider getting something similar to SuperAntiSpyware as this one has its free version too.

  110. Steve Crane says:

    Another False Positive from AVG:-

    ” Re: VVSAMPLE analysis

    This e-mail is an auto-response message. Please do not reply.

    AVG Research Lab has analyzed the file(s) you have sent from your AVG Virus Vault. Below you can find the results for each file. The final verdict on the file is either a correct detection or a false positive detection.

    Further information about the verdicts are available at our website:
    http://www.avg.com/faq-1184

    “E:\Downloads\NirSoft (Nir Sofer)\ProduKey\ProduKey.exe” – detection is correct

    Best regards,

    AVG Customer Services
    AVG Technologies
    website: http://www.avg.com

    Ah, well, glad to see they’re taking measures to improve!!! At least they now give you the option of wasting yet more time convincing them that they’re wrong. Thoughtful chaps (and chapesses):

    “The files you have sent us from your Virus Vault were analyzed, and the results are in the e-mail you have received. Here is a description of these results, and information how to proceed further.

    1. Correct detection

    In case the file is detected correctly, it will not be removed from the AVG detection. If you believe that the file should not be detected by AVG, please contact our Technical Support.

    If you decide to keep the file and use it with the risk of possible payload it may carry, you can restore it from the AVG Virus Vault, and manually exclude it from the AVG detection:

    * If the file is detected as a Potentially Unwanted Program
        * Please open AVG – menu “Tools” – “Advanced settings” – “PUP Exceptions”.
        * Click “Add exception” and browse to the file.
    * If the file is detected as a virus
        * Please open AVG – menu “Tools” – “Advanced settings” – “Resident Shield” – “Exceptions”.
        * Enable the option “Use excludes in Resident Shield” and “Add path” to the folder which contains the file.
        * Please note that the file will be still detected by AVG test. However, you can disable automatic healing in AVG – “Computer scanner” – double-click on scheduled scan – “How to scan” – disable the option “Automatically heal/remove infections”.”

  111. Morgan says:

    I am a small shareware developer of different utilities. One of my utilities is a monitoring tool for parents. While 99% of my users are perfectly legitimate – for years I am getting hurt by the antivirus companies, which not only call EVERY file of my app a trojan or virus, but they also call my other tools (which are not even monitoring software) VIRUSES and TROJANS. My website had a problem of constantly being added to different blacklists just because of false positives, so I was forced to REMOVE all downloads from the website and move them to another domain just to prevent my website from being blacklisted. It’s interesting that the same tools uploaded to download.com are NOT being blocked.
    The idea of contacting the AV vendors regarding the false detection is not very good, cause:
    1) Sometimes you need to fill a RIDICULOUSLY long web form asking all possible and impossible questions (like McAfee offers), and they don’t even promise to serve your request. They even write that “if the request looks suspicious, we won’t serve it”. Moreover, McAfee has up to 6 MONTHS response time listed!!!

    2) Even after removal of your tool from their bases it will be certainly added after some months.

    So these tools destroy my reputation and frustrate my customers, also the download sites are flooded with comments that my software contains trojans. I repeat, even the absolutely safe software like a developer’s IE plugin is getting marked as malware just because I have ONE tool which is a monitoring software.

    MOREOVER, even after I removed all tools downloads from my website, I have placed “dummy” files in place, which just show a warning that the download location is obsolete. Symantec CONTINUES to mark those downloads as VIRUSES!!!!

    That’s just ridiculous, and there are NO LAWS which could make AV companies responsible for this reputation and business damage. I even think to go away from Windows utilities development and go to Mac, since Mac is not that populated with antivirus crap yet.

    Recently I did read an article, where Kaspersky prepared a harmless file, marked it as a virus in their database and uploaded to VirusTotal.com
    After some time, more than a half of other antiviruses on virustotal started to call that file A VIRUS, although it was initially clean!!!!

    The things are getting worse every year, cause antivirus companies are using more and more aggressive ways of detection and obviously become more virus and spyware-like themselves!

    Most 2011 antiviruses ARE SENDING INFO FROM YOUR COMPUTER TO THEIR HOME by default – for “better protection”. Including websites visited and apps opened.

    What is this, if not a spyware??

    Some apps like Kaspersky Pure are so bloated and integrated into every hole of your system, that it looks like your PC is designed to run ONLY this antivirus software and nothing more.

    After getting the antivirus installed, a user is being constantly scared by different “threats” and messages that he is “not protected” and SHOULD PAY for protection. But actually antivirus DO NOT DETECT new and really dangerous threats, especially rootkits, but detect lots of legitimate apps as viruses. It really reminds of a Mafia world where you should pay to bandits to stay “protected”.

    And of course, many antiviruses consume more than half of your computer resources, and many real-life Windows PCs I saw with antivirus installed are so slow that they’re almost unusable. Yet the antivirus companies claim the malware makes it slow, not their apps.

    I believe shareware authors should create an association which will fight with these issues until we’ll be defeated by so called “security” companies! The association should be monied up with donation, so we can SUE the AV vendors and get paid for the reputation and money loss! They should become RESPONSIBLE – and before this they will be worse and worse.
    Antivirus companies SHOULD PAY for the damage they make!

  112. Headaches says:

    The attitude of many Antivirus companies is very tough in this subject –
    If it’s a tool that can be used by bad guys

  113. Morgan says:

    a simple rock can be used to smash your head or to build a wall!
    Windows IS used to write viruses – and it’s impossible to write a Windows virus without Windows!
    Internet IS used to spread viruses!
    Also, the funny thing is you are forced to pay them for the lack of security in Microsoft software! Thus you are paying for Windows not just once, but regularly!

    Antivirus software is unique market area – it has HUGE profits and absolutely NO responsibility!
    That should not be forever, the customer should FORCE them to be responsible. If you are buying the antivirus and then you have a virus problem, THEY SHOULD PAY for that. Insurance companies are paying. What is the difference?
    This criminal business should be stopped!

  114. David Sutherland says:

    I’m behind a corporate firewall that apparently detects WirelessKeyView is a virus — but I don’t even get a warning — all I get is a corrupted download — a 12K file instead of the 56K file. If I download from download.com or from nirsoft.net I get a shorted file — apparently the firewall is clipping the file -?!?

  115. ANN says:

    PRODUKEY_SETUP.EXE was detected as trojan HEURISTIC.ADH by Norton Internet Security free trial and quarantined. Norton’s scan is still in progress. When it’s finished I shall have to restore the file and put it in the exceptions list. I downloaded it several days ago from Nirsoft. Microsoft Windows Security Essentials, which I was using at the time, did not object to it. I only installed the Norton free trial the other day. The first install did not go in properly and I had to uninstall and then reinstall it! I am very annoyed at the amount of time, two and a quarter hours, Norton’s false positive has taken me to research and come to some conclusion about what to do with this Nirsoft file. I think I shall go back to MSSECES when the Norton free trial is finished!

  116. Lee says:

    Would it be that hard for you to start digitally signing your applications and installers using an Authenticode key obtained from a provider such as Thawte? At least that way users could be reassured that the products you provide have not been tampered with since you built them. That would go a long way towards reassuring users that you are a legitimate developer.

  117. Dean says:

    A group of us in IT actually caught a typical English Sheep Shagger in London who was attaching a trojan stub to NetResView and USBView. He was an ‘insider’ and had been doing this for weeks.
    Two problems arise. The genuine programs on Nirsoft that are detected as viruses/trojans/stealers etc and unscrupulous people who are packing real viruses etc to your programs.
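The situations described in comments 108, 114 and 117 (a repackaged copy, a download cut from 56K to 12K, a copy with something attached) can be told apart by comparing the suspect file byte for byte against a copy fetched directly from the publisher. This is an added example, not part of any comment and not NirSoft code; the function names are hypothetical, the sample bytes are constructed, and SHA-256 is used here where comment 96 mentions MD5.

```python
"""Classify how a suspect download differs from a reference copy."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Verdict:
    status: str            # identical | truncated | appended | embedded | modified
    offset: Optional[int]  # where the copies diverge (None when identical)
    reference_sha256: str
    suspect_sha256: str


def first_difference(a: bytes, b: bytes) -> int:
    """Index of the first differing byte within the shared length."""
    limit = min(len(a), len(b))
    for i in range(limit):
        if a[i] != b[i]:
            return i
    return limit


def compare_copies(reference: bytes, suspect: bytes) -> Verdict:
    """Compare a suspect copy with the reference obtained from the publisher."""
    if not reference:
        raise ValueError("reference copy is empty")
    ref_hash = hashlib.sha256(reference).hexdigest()
    sus_hash = hashlib.sha256(suspect).hexdigest()

    def verdict(status: str, offset: Optional[int]) -> Verdict:
        return Verdict(status, offset, ref_hash, sus_hash)

    if suspect == reference:
        return verdict("identical", None)
    # A clean prefix of the reference: the transfer was cut short.
    if len(suspect) < len(reference) and reference.startswith(suspect):
        return verdict("truncated", len(suspect))
    # The whole reference followed by extra bytes.
    if suspect.startswith(reference):
        return verdict("appended", len(reference))
    # The whole reference stored unchanged inside a larger file.
    position = suspect.find(reference)
    if position > 0:
        return verdict("embedded", position)
    # Anything else: the content itself was changed.
    return verdict("modified", first_difference(reference, suspect))


def compare_files(reference_path: str, suspect_path: str) -> Verdict:
    """File wrapper; small utilities fit in memory comfortably."""
    with open(reference_path, "rb") as ref, open(suspect_path, "rb") as sus:
        return compare_copies(ref.read(), sus.read())


def constructed_samples() -> dict:
    """Constructed test data: a 56K stand-in 'executable' and four variants."""
    reference = b"MZ" + bytes((i * 31 + 7) % 256 for i in range(56 * 1024 - 2))
    flipped = bytearray(reference)
    flipped[1000] ^= 0xFF  # change a single byte
    return {
        "reference": reference,
        "truncated": reference[:12 * 1024],  # 12K of 56K, as in comment 114
        "appended": reference + b"CONSTRUCTED-TRAILING-DATA",
        "embedded": b"CONSTRUCTED-WRAPPER:" + reference + b":END",
        "modified": bytes(flipped),
    }


if __name__ == "__main__":
    samples = constructed_samples()
    for name, data in samples.items():
        result = compare_copies(samples["reference"], data)
        print(f"{name:10} {result.status:10} offset={result.offset} "
              f"sha256={result.suspect_sha256[:16]}...")
```

Any verdict other than identical says the copy differs from the publisher's, not that it is malicious; a truncated verdict points at the network path rather than at the file.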

  118. Make this viral around the web someone will take note and act says:

    Problem I see many antivirus companies get it wrong is because the way the file is packed or similar.

    If all anti virus, malware, trojan, adware detectors had a shared vast database for uncompressing all archives including dos files and files from old computers. Then there would be very little positives and false positives.

    Yet then those companies who make the anti virus, malware, trojan, adware etc. softwares would have little or nothing to do. They say this is what they would like most of all, I doubt it since they are all money orientated. If there were less do you think xyz protection software would still be free for home users.

    What of the companies that think their exclusive package should not be available for anti virus, malware, trojan, adware checking softwares. The way I see it if I cannot unpack it with tools like universal extractor then I never use them. Which includes many famous companies’ softwares, true I don’t run many softwares at all compared to some people. I have them just not yet got round to trying them. Someday maybe sit in a virtual windows os using snapshots to try them. The way I think of those softwares why hide for anti virus, malware, trojan, adware softwares. And then by hiding from them they must have bad code in them, wonder if the companies ever thought we think of that.

    Of course I do know nirsoft softwares that are downloaded from nirsoft are safe. And yes anti virus, malware, trojan, adware do complain but still I use them. It’s the way it is now for many user and software nirsoft or not. I wonder sometimes if I really ever need any anti virus, malware, trojan, adware software since I don’t really trust any for a long time.

  119. LMI Stealth says:

    I agree with you 100%, AV sucks !

  120. Dave Kimble says:

    I am well aware of the problem of false positives, so when I downloaded SocketSniff and it was blocked at start up, I went back to the download page to see if there was any warning that this might occur with some AV programs. There was no warning, only an image saying “virus free”. This is useless, because “they would say that, wouldn’t they!”.

    So I downloaded the package from another site, and it did the same thing. This makes it more likely that it is a false positive, but it doesn’t completely eliminate the possibility that it really is a virus.

    The next step was to search for “SocketSniff virus”, expecting to find sites that report whether it is, or is not, a virus.
    With AutoHotKey you quickly find lots of agreement from users on the fact that it is a false positive. Not so with SocketSniff. All the sites I looked at said previously existing malware on the PC will hijack SocketSniff and use it for their own purposes. There was no mention of false positives. Under the circumstances, the wise user will not use the tool.

    Even on this page, there is no mention of SocketSniff being treated as a false positive.

    What I suggest you do is :
    1. change all your download pages to alert users to the possibility of the false positive. You could even list the AV programs that you know do report it.
    2. create individual web pages for each package with “SocketSniff” and “virus” in the title, so that search engines give those pages a high ranking. The content could be just a copy of this page, but the more specific the better.
    3. Create an MD5 hash of the download file and put it on the download page, so that people can check for themselves that the file is the original and hasn’t been hijacked by hackers.
    4. Be open and honest about the situation up front, instead of hiding the possibility and having to deal with unhappy users afterwards.
    5. For SocketSniff, change the way it works so that SocketSniffHelper.dll doesn’t suddenly appear out of nowhere in the start-up process.
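The check proposed in point 3 of the comment above, as an added example that is not part of the comment or of NirSoft's pages. It verifies a download against a published checksum list, using MD5 as the comment suggests plus SHA-256 as an extra assumption; the file name, the manifest layout (md5sum/sha256sum style) and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import io

# Digest length in hex characters tells us which algorithm a manifest line uses.
ALGO_BY_HEX_LENGTH = {32: "md5", 64: "sha256"}


def file_digests(stream, algorithms, chunk_size=65536):
    """Read a binary stream once and feed every chunk to each hash algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def parse_manifest(text):
    """Parse '<hex digest>  <file name>' lines into {name: {algorithm: digest}}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in md5sum output
        algorithm = ALGO_BY_HEX_LENGTH.get(len(digest))
        if algorithm is None or not name:
            raise ValueError(f"line {lineno}: unrecognised manifest entry")
        bytes.fromhex(digest)  # raises ValueError if the digest is not hex
        entries.setdefault(name, {})[algorithm] = digest.lower()
    return entries


def verify_download(name, stream, manifest):
    """Return 'OK', 'MISMATCH', or 'UNLISTED' for one downloaded file."""
    expected = manifest.get(name)
    if not expected:
        return "UNLISTED"
    actual = file_digests(stream, tuple(expected))
    # Every published digest must match; one differing algorithm is a failure.
    matches = [hmac.compare_digest(actual[a], d) for a, d in expected.items()]
    return "OK" if all(matches) else "MISMATCH"


# Constructed sample data: a stand-in for the published file, and the same
# bytes with extra data appended (the kind of repackaging comment 117 reports).
ORIGINAL = b"MZ" + b"constructed stand-in for the published build" * 64
TAMPERED = ORIGINAL + b"constructed stand-in for an appended stub"


def build_sample_manifest():
    """Build the checksum list the developer would publish for ORIGINAL."""
    d = file_digests(io.BytesIO(ORIGINAL), ("md5", "sha256"))
    return (
        "# constructed manifest\n"
        f"{d['md5']}  socketsniff.zip\n"
        f"{d['sha256']} *socketsniff.zip\n"
    )


if __name__ == "__main__":
    manifest = parse_manifest(build_sample_manifest())
    for label, data in (("original", ORIGINAL), ("repackaged", TAMPERED)):
        result = verify_download("socketsniff.zip", io.BytesIO(data), manifest)
        print(f"{label}: {result}")
```

A digest only detects tampering if it is obtained over a channel the tamperer does not control; a hash served from the same compromised page or mirror as the file proves nothing.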

  121. Somebody says:

    Well if the program worked, it would be great, but it is quite apparent that you have not updated since changes starting back in Nov-10 I was advanced programmer for 8years and have been consultant for 20 well aware of problems – also Know exactly most of changes that MS made that is currently preventing your program from working at current time, just download and tested again on Vista 64bit and you need to update and as most people are already aware, MS has again just in last week again made significant changes requiring many companies to update their software – anyway I don’t program any more and have no desire to, so good luck! I have verified is virus free but it still does not work. Good luck and I wish you success!

  122. rrealgon3 says:

    A “hacker” just deactivate the antivirus!, so the false positive is really stupid for users. Agree with you.

  123. Haley Milano says:

    We had this exact problem happen to us twice. We have developed 2 small windows applications using the .NET framework and they both keep triggering false positives. It took us a while to figure out a way around it. Antivirus companies have gone too far.

    -Haley

  124. John C says:

    Almost two years on and Microsoft’s Forefront Client Security still flags Passview (iepv.exe), Mailpassview (mailpv.exe) and Msnpass (mspass.exe) as “HackTool”s (Medium security risk), and worse, VNCPassView.exe as the trojan Win32/Dynamer!dtc, completely blocking access «sigh».

    «Double sigh» – even when explicitly selecting “Always allow” option, Forefront overrides the user (my!) choice with “Remove” – AFTER I click “Apply Actions”, thus deleting the software, whether I want to or not 🙁

    Stoopid AV (actually it’s a fairly decent AV *most* of the time, but every so often…)

  125. John says:

    I had the exact same problem with Forefront Client Security. Now I bought AVG Threat Labs (avgthreatlabs.com) and it didn’t block Mailpassview or Msnpass, which is a good thing. It also scans quickly every page that you attempt to access, so I think it has performed well so far.

  126. avd says:

    Microsoft Security Essentials gave this warning. I am now uninstalling that software. One of the rare cases where a false positive affects the antivirus company rather than the developer. I got this with IEpassview.

  127. avd says:

    also, to check which av products give you a false alarm, upload your file to http://virusscan.jotti.org

  128. Jason says:

    I write perl scripts and turn them into executable files with perlapp. For a long time, the compression with perlapp was frankly terrible. I used upx to get a much smaller file until, you guessed it, AV companies started flagging the file as a virus. If I change the method of compression to use perlapp instead of using upx, the message went away. The script was unchanged, but apparently, just because some virus writers liked the compression they got with the free / open upx, I am now a criminal. I reported it, of course, but it keeps coming back.

  129. Ken says:

    All I can say is, I have had enough of all these False Positives. I have been developing applications for over 25 years now, ranging from web apps to desktops, and I have had to stoop, yes stoop to levels I never dreamt possible, just to get my applications to run. If anything AV companies are making us into hackers! I suggest a ban on all AV products just to get the point across, that AV companies need to listen to developers worldwide and not just the money… How can a program with +- 9000 man hours be a virus? Get real, no one is going to spend that amount of time developing a virus, there is no money to be made!

  130. MH Web Developer says:

    WELL SAID! I’ve struggled with this issue myself. One time I had a battle with Emsisoft over it and I and my PC lost (initially). One possible solution might be if we can identify a (what I call) Honest anti malware company. One that calls a spade a spade. For instance if it scans and finds a keygen, it says it’s a keygen used for this and that and can be dangerous. I don’t program software but I do repair PC’s and quite often you need some creative tools to get to the bottom of things.

    So, does anybody know of or have experience with a antimalware program that is honest according to my definition? If so I say we drop the programs we use and buy it and use it. The developers will get the message if their income drops.

    Now, that being said, I’ve actually had experience recently with three that did this somewhat. Strangely enough, one of them was Emsisoft Anti Malware. It tagged a few viruses and identified a couple of my creative tools as potentially harmful and it tagged the real threats for quarantine and left the others untagged with a low danger rating. I almost fell off my chair. The other two (and I’m not saying they are perfect) were Avast and believe it or not, Microsoft Security Suite I think it’s called.

    Anyway I would love to know which antimalware programs provide honest disclosure. After all, aren’t they supposed to be protecting the paying customer from malware?

  131. Stu says:

    John, Yo, I think you got AVG antivirus (http://www.avg.com/us-en/internet-security) and not ThreatLabs (http://www.avgthreatlabs.com), that’s a threat detection website. Unless I’m mistaken?

  132. Kobe says:

    John, misunderstood, you must have bought an AVG antivirus and not the AVG ThreatLabs – that is their website rating and security site.

  133. Alain17610 says:

    mailpv.exe is not detected as a virus in Windows. It is only when Avast V6.0.1086 is launched at startup.
    Fortunately I had a backup on external hard drive !

  134. Matt says:

    John, I think you’re a bit confused. AVG ThreatLabs (http://www.avgthreatlabs.com) is a threat detection website and not a piece of software. TL is a cool tool though, as it helps keep you safe when visiting any site.

  135. Adam says:

    Hi,
    I am willing to help you, you’re not the only one having this problem; I know of a lot of small devs with the same problem.

    As far as I am concerned, I’d say without exaggeration that 80% of most dangerous viruses out there are manufactured in “Big labs” I don’t care what anyone says, as far as I am concerned they are behind most viruses out there “Let’s call a cat by its name”

    Think about it, why would they distribute viruses? Simple they make you buy their s**** and keep updating it.

    Sometimes they even use third parties to distribute their rubbish on the internet and suddenly yeahhh They have the solution.

    Not to mention the ones when don’t detect, spying on us 24/24 .

    The same thing with pharma companies they don’t make drugs to make you feel better they create the diseases and create a drug they will make you even sicker and when you start to feel worse they test another drug on you by the time they took all your money it’s time for you to die.

    You think I am exaggerating?? Good keep thinking that way. check it out for yourself.

  136. Alicia says:

    Today I downloaded the zip file of WinVideoCap and right after I extracted all the files, the folder was quarantined by Immunet 3.0 w/Clam AV. It said WebVideoCap is malicious.<—THIS IS A FALSE POSITIVE!

    WebVideoCap is FINE! Nothing malicious about it!

    I opened Immunet and changed the quarantine option from automatic to ask me. Then I copied the files inside the zip folder and put them into another folder. Problem went away. Now I can use the software like normal.

  137. Andrew Weiser says:

    I totally agree. I have been selling shareware screen savers for over 10 years, and every now and I then I get an email from a customer telling me that their antivirus program has detected Trojan XYZ in my screen saver and deleted it from their system! The customer then comes to me for help. It’s usually Norton and Symantec who are the worst offenders.

    I used to use a packer (ironically to make it a little harder for people to steal my software), but got even more false positive reports from various antivirus tools, so had to unpack my installers.

    I’m getting sick of dealing with it. I wish the big A/V companies would just pull their heads in. It’s tempting to think that they cause more problems than the viruses they supposedly protect us against.

  138. Ashwinikumar says:

    That’s why I always set my antivirus (Avast Free Edition) to ask me what to do when a threat is detected. I find it is not always a good idea to set the automatic handling of an action in any security software.

  139. samy says:

    Microsoft Security Essentials gave this warning. I am now uninstalling that software. One of the rare cases where a false positive affects the antivirus company rather than the developer. I got this with IEpassview.

  140. FrozenFire says:

    I tried many of the known anti-viruses. But almost all of my programs were identified as viruses.

    The problem won’t stop there! The anti-virus program also removed some of the critical system files of my Windows 7!

    Now my computer cannot use automatic hardware installation and web browsers!

  141. gluxon says:

    This is why Open Source Anti-viruses are the best. http://www.clamwin.com/

    Their focus isn’t corporate profit, but rather, serving the user.

  142. anon says:

    @gluxon

    Unfortunately Clam-Win doesn’t have a real-time scanner, other than that it’s a great software.

    A quote from the website (clamwin.com):
    “Please note that ClamWin Free Antivirus does not include an on-access real-time scanner. You need to manually scan a file in order to detect a virus or spyware.”

  143. Arnold says:

    I can only add that your software worked for me. Thanks…

  144. Michel Veigh says:

    If Anti-Virus mistake — and they do! — obviously the consequences are not only on the mistreatment of the software incriminated as virus/malware when only a false-positive, but as well the confidence/doubt of the user regarding other alerts : who, why, when to believe or not.

    Finally, reputation helps, and Nirsoft has the reputation of quality and healthy applications. This is where I stand, when in doubt : what I know and have read of the developer.

  145. Arno says:

    Hello,
    I use Kaspersky Internet Security 2012. I tried to download the NirLauncher ZIP File with all the Apps included. After the Download is complete, Kaspersky searches the File and detects niffpass.exe as a Hack Tool. Kaspersky instantly cleans the ZIP File from this App. The result is the following: WinRAR told me the ZIP Package is damaged and cannot be extracted. This makes the complete Launcher App useless.

  146. Ed says:

    08-06-11 12-13 pm

    OMG,
    Your article is as pertinent today as ever.
    Kaspersky was just installed on my machine, and before I knew it ….. it was deleting programs I had written !

    With Kaspersky go to Settings, Box icon then go to Threats and Exclusions Top Settings Button on right.

    Uncheck stuff like suspicious compressed packages and malicious tools.

    Trouble is you hate to tell the client of your software to do this ’cause he isn’t smart enough to believe you.

    Is the answer to use code signing?

    ..Ed

  147. Andy says:

    Turns out even Microsoft get false positives from time to time… the latest Symantec definitions get a false positive on a 12 year old demo program from the classic Microsoft Press book “Programming Windows with MFC” by Jeff Prosise!

  148. Danilo says:

    Well, I tried today to download ShellMenuView v1.15 as zip file.
    Immediately, at “unzip_to_folder” step, the Sophos AV installed in my machine recognized the executable (shmnview.exe) in the zip file as adware/PUA “NirSoft”, classified as “hacking instrument”, then quarantined it.

    Who/what should now I trust: the AV alert/the utilities author?
    Honestly, it’s not an easy decision… (essere o non essere )

    (sorry for the poor english)
    Danilo / Rome (Italy)

  149. eric zaetsch says:

    I have a friend who owned a computer-communication services company. From OEM discs he installed Win XP and Office 2003. Years ago. I tried to load a Microsoft downloaded math module into it, got to the program point where it said insert the CD. I had none, so backed out of the program. After that, every time I tried to cut/paste plaintext from an editor or text from an HTML page, it restarted an “install” thing that had to be canceled twice before the cut paste happened. Needless to say, it made the product useless. I did some web reading and learned of the product code garbage, where a valid install [one Windows Update checks and likes] can become problematic. My friend had since sold the firm. By asking he had the new owner send a technician to my home, the “fix” being to use the current OEM Office install disc, and put Windows 2010 onto the box. Without leaving product key info. As with the first time. In searching for a key recovery software I encountered one highly rated that had a free version, and a paid upgrade. The free would not decode the Office 2010 key, and said purchase the upgrade. Another download, from an Indian firm, freeware, simply said it could not decode the Office 2010 key. Nirsoft Produkey was the third I discovered. It worked, I have key info securely stored. Great. In downloading Nirsoft I read a bit on the website. Current free Avast scan and current Malware Bytes both claimed infections – differently named, with naming seeming as creative as the pharmaceutical industry’s – but not saying it was serious. However Avast on the first quick-scan after downloading quarantined Produkey.exe and the archived install file. I had to restore them, and try to make sense out of two quarantined System Volume Information files [probably produced after the Nirsoft download-install]. I restored stuff, and then did directory scans with Malware Bytes and Clam. Clam said the Sys.Vol. files and Nirsoft were okay, infection free. Malware Bytes said Sys.Vol. okay, but noted Nirsoft.

    I post this in case others have not just Nirsoft noted as a ‘problem’ file, but also get Sys.Vol. files quarantined.

    User access to the Sys.Vol.Info. directory is blocked in my config of Windows XP [I do not know if this is generic] but the AV scanning programs can access it. However, when Avast quarantines a file you cannot get date created info in the UI of Avast, nor from Sys.Vol. Info – at least I could not. Hence I presume that the two Sys.Vol.Info files Avast noted, but Clam and Malware Bytes reported as not infected, were quarantined by Avast after the Produkey download-install.

    Any other users having a similar experience, or better troubleshooting knowledge, are asked to post, including the real-time AV or the scanning AV that is in use. Avast, I am reporting.

  150. Roger says:

    Downloaded iepv about a week ago, and Eset NOD32 is fine with it. On the other hand, get a PUP detection with Malwarebytes. Just told it to ignore the file, and all seems good.

    Thanks for the software, works well, does its job nicely.

  151. concerned_developer says:

    In order to provide ACCOUNTABILITY and TRANSPARENCY about this plague of both false positives, and now, the even more serious issue of mis-rated web sites, we have founded a CENTRAL REPOSITORY where false positives and mis-rated sites can be listed. Please see http://falsepositivereport.com .. This is a non-profit, open, community site dedicated to saving small businesses from this terrible plague, and making AV companies accountable for their actions.

    Further, consumers can see which security vendors CARE about this issue, and which don’t. Based on that, they can make their purchasing decision.

    This site just went up 1 day ago and has grown fast already … It is SO important to have a CENTRAL location so that everyone can see how bad this problem is.

  152. Nirav says:

    Why don’t you create your own antivirus. I love nirsoft, and all your software are really great.

  153. Azeddine says:

    I think, regarding some Antivirus companies (AND OTHERS), that it is first of all a moral-ethical business related question. If the selling of a product mostly depends on and thrives on the fear a company instills in the consumer, if he or she does not have a particular product or the belief that thanks to said product you are safe, extending the practice to showing False Positive Alerts, as a mean to convince you that the product is worth having, then it is purely and simply a con artist business.

    I suggest that we consumers should do our part to force those companies that incur in such conduct that we do not accept False Positive Alerts. How? Simply contacting the company and telling it that it should add the product to their SAFE DATABASE, or issue a review report telling why the product is UNSAFE.

  154. Ralphurion says:

    Sounds like it’s time to gather all the smaller devs up and launch a class action suit. This problem will not go away until someone does something to get the big av developers to listen, litigation is usually good for that.

  155. Joep says:

    It is annoying as hell. Today (not the first time) dealing with Avira because they flag 2 of our downloads as ‘potentially’ dangerous. I only discover this because I am using Avira myself, but God only knows what the others are doing.

    This really hurts my small business and it really pisses me off big time!

    What also bothers me is that the owner of the website isn’t notified. Can be a week or longer before you find out that some ass-wipe virus scanner is flagging your software as malware etc..

  156. Robert K says:

    I’ve made a program in Autoit 3 to update my own Apps made in Autoit 3 too. But now my update app is detected by Kaspersky as Trojan Heur. The worst thing is that it deletes the file instantly so I can’t even take no action. Is there no standard way to program some kind of update program without being detected by the AV? This is annoying.

  157. Ryan R says:

    I am a very computer-oriented person. I’ve had my laptop for about a month now, maybe less, and there’s less than 10 GB left of my 1 TB hard drive. Within all that used space, I have thousands of programs, many of which I or my friends wrote. It is very annoying as a developer to write a program, and as soon as you save and exit, it gets deleted by my anti-virus. There goes 3 hours of hard labor. As a user, I’ve had to download the same programs over and over and over and over and over… and over again. Ugh… what a pain in the butt. Most of my programs include game-specific macros, or calculators. Many of my programs are keygens (how I have a $60/yr antivirus registered for 50 years). I have yet to see a clean keygen skate through the hoops of my antivirus software. Thankfully, I use sandboxie frequently, otherwise I’d have a virus that does make it past my antivirus that I downloaded expecting another keygen. Figures, right?

    If we could in some way get the antivirus companies to create a global whitelist, and work together to determine if the ‘false-positives’ are really false… hopefully we can minimize the hassle associated with false positives. I also know of a few programs that are intended to crypt other files into FUD (Fully UnDetectable) files, passing the worldwide antivirus test. These programs completely annihilate the antivirus software. It kinda makes me wonder why I even have an antivirus. Maybe when the antivirus companies give me more relief than hassle, I’ll stop jacking their products.

    Had to vent,
    Ryan R.

    P.S. Even though I am a pirate, and have lots of expensive programs free of charge, I do donate to the respective companies an amount that i believe to be fair for what the product offers. Microsoft word for example, a hundred dollar program. Sooooo not worth that. Media converting tools, like those offered by Prism, are not free of charge. I initially got them for free, but decided to donate $10 ($5 per program). So see, pirates aren’t as bad as the MPAA and RIAA make them out to be.

  158. Ken says:

    These false positive need to be addressed by the anti-virus companies. I needed this tool to get my licenses and to date I’ve had no ill effects. Norton and SuperAnti both gave it the okay but Malware Bytes had me worrying when I first ran it. Guess I won’t be licensing MalwareBytes if they are not going to follow up on their false positives.

  159. Dave says:

    Have had Microsoft Security Essentials on my PC for a while. Did a FULL file scan for the first time (the default is a weekly quick scan) and it detected IE PASSVIEW as a potential threat: HackTool:Win32/Passview

    MSE wants to remove or quarantine the file iepv.exe (which is still in your original zip file)

    I shall trust you and the other opinions on this website and treat it as a false positive.

  160. Snowed_In says:

    Wireless Network Watcher, just gave my AVG and Malwarebytes conniptions!!
    All my other Nirsoft apps have been OK.
    Previously I’ve had issues with Sysinternals, some GRC utilities and some custom built apps by developers in our workplace with CA products and more recently with Symantec…
    All with products we need to do our work!!

    Many Thanks and keep up the great work!

  161. Jerry says:

    If you don’t use a password manager you get to choose between the impossibility (for ordinary memories) of remembering the diversity/complexity of them required by meaningful security, or using the same well worn ones and compromising the reason for their existence. Therefore having a little program like this is a helpful option. After the download Webroot immediately placed it in quarantine, necessitating restoring it over security warnings. Having also recently added a secondary program for registry cleaning (with some functional overlaps with Webroot) I was glad to find that altho it too had flagged the new program – upon opening it – it also provided a choice to “add to exclusions” with a single click.
    Thanks for your efforts in making this available Nirsoft!

  162. luke says:

    We often need produkey. I like winprefetchview too (e.g.). To get the nirlauncher through the network and protect it from antivirus we zipped the folder with password protection, deactivating av before unzipping it on the target machine…
    avira, avast, mse, they all produce false positives. THX Nir!

  163. The Rover All Over says:

    My friend could not get his mail in Outlook Express kept asking for his password after his computer was fixed by an (so called) expert in a computer shop. My friend entered his right password but it did not work.
    I used Mail Passview v1.77 to find out his password and it revealed a different password, a new one that the expert had changed it to. So you can not even trust people in Computer Shops.

    I scanned the program with Avast and it was clean no false positive.
    Malwarebytes reported that mailpv.exe file was infected with (PUP.MailPassView) so I put it in the ignore list.
    I tried it on my Thunderbird and it found my password in about 2 seconds.
    Best program for looking up lost passwords in email clients.

    Will try some of your other programs and then in the near future will donate.
    THX Nir

  164. Chaks says:

    McAfee antivirus gave me this false positive few months back when i was reviewing few of your tools.

    TechSmartLife

  165. John says:

    we can act by the BETTER way, worked many times: developers, in your site, just add a text like that:
    “if you want to use this program, you must uninstall [antivirus name]” then send the url to the fucking antivirus company, to the commercial service, not tech. if any fucking commercial man of this shitty money drainers company see that, he will immediately ask his team to unbadword the program to stop potentially cash loss of users uninstalling antivirus

  166. Martin says:

    From about the late 1990’s to the first half of the last decade, I quarantined code that came from unsolicited spam e-mail attachments. One had actually enabled and used a dialer that was disabled by default in a win98 system. Norton antivirus, together with others at the time never reported such behaviour when I scanned these files for a report classification. A few years later in another continent I had these quarantined files backed up again to a new hard disk using a system that had Norton antivirus ‘police’ the transfer and it correctly identified the same file as containing a dialer. After blogging this, within hours, a pop up penetrated a completely unrelated and legitimately protected machine in a large company with USER name and password fields containing expletives. Thanks again for keeping computing free. Wonderful utilities!

  167. Axel Rietschin says:

    Why not start by digitally signing the code, to show its authenticity and the fact it was not tampered with?

    Code signed with a cert issued by a trusted root CA goes a long way to reassure AV’s and end-users that the binary is legit and was not messed up with.

    Eventually your cert’s fingerprint will make its way into the major AV’s whitelist and the “problem” will go away.

    The assertion that code from large companies (like Microsoft) never gets false positive while small devs always do has A LOT to do with the fact that those companies sign their binaries and their installers, and that their code-signing certificate is trusted by all AV vendors.
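Comments 116, 146 and 167 raise code signing; the following added example (not part of any comment, and not NirSoft's code) shows where an Authenticode signature lives in a Windows executable by reading the PE certificate table. Function names are hypothetical and the sample executable is a constructed header-only stub with placeholder certificate bytes.

```python
import struct

SECURITY_DIR_INDEX = 4                   # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode uses PKCS#7 SignedData
PE_HEADER_OFFSET = 0x40                  # where the constructed sample puts "PE\0\0"


def embedded_signatures(pe_bytes):
    """Return [(revision, cert_type, blob_length)] for each WIN_CERTIFICATE entry."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe_bytes, opt)
    if magic == 0x10B:        # PE32
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (dir_count,) = struct.unpack_from("<I", pe_bytes, dirs - 4)
    if dir_count <= SECURITY_DIR_INDEX:
        return []
    # For this directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe_bytes, dirs + 8 * SECURITY_DIR_INDEX)
    if offset == 0 or size == 0:
        return []
    end = offset + size
    if end > len(pe_bytes):
        raise ValueError("certificate table extends past end of file")
    entries = []
    pos = offset
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe_bytes, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        entries.append((revision, cert_type, length - 8))
        pos += (length + 7) & ~7  # entries start on 8-byte boundaries
    return entries


def signature_status(pe_bytes):
    """Classify a file as 'unsigned' or 'signature-present' (not 'valid')."""
    types = [cert_type for _, cert_type, _ in embedded_signatures(pe_bytes)]
    if WIN_CERT_TYPE_PKCS_SIGNED_DATA in types:
        return "signature-present"
    return "unsigned"


def build_sample_pe(signed):
    """Constructed header-only PE32 stub, optionally with a placeholder cert entry."""
    dos = bytearray(PE_HEADER_OFFSET)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, PE_HEADER_OFFSET)
    opt_size = 96 + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt))
    if signed:
        blob = b"\x30\x82" + bytes(14)     # placeholder, not a real PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        dir_entry = PE_HEADER_OFFSET + 4 + 20 + 96 + 8 * SECURITY_DIR_INDEX
        struct.pack_into("<II", image, dir_entry, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    for label, signed in (("unsigned stub", False), ("signed stub", True)):
        print(label, "->", signature_status(build_sample_pe(signed)))
```

A present blob says nothing about whether the signature is valid or who signed it; on Windows, `Get-AuthenticodeSignature` or `signtool verify /pa` performs the actual hash and certificate-chain validation.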

  168. hipockets says:

    FYI —

    Microsoft Security Essentials reports MailPassView, PasswordFox, PassView, PassViewB, and NetPass “have potentially unwanted behaviour” with a medium alert level.

    “Preciate your site and your work! Many thanks !!

  169. pao says:

    From about the late 1990’s to the first half of the last decade, I quarantined code that came from unsolicited spam e-mail attachments. One had actually enabled and used a dialer that was disabled by default in a win98 system. Norton antivirus, together with others at the time never reported such behaviour when I scanned these files for a report classification. A few years later in another continent I had these quarantined files backed up again to a new hard disk using a system that had Norton antivirus ‘police’ the transfer and it correctly identified the same file as containing a dialer. After blogging this, within hours, a pop up penetrated a completely unrelated and legitimately protected machine in a large company with USER name and password fields containing expletives. Thanks again for keeping computing free. Wonderful utilities

  170. Ankit says:

    What different antiviruses can’t do , small 2 MB , 10 MB softwares did in 2 seconds .

    For example –
    Hijack this spotted the malwares running in my computer where any other antivirus would require 1-2 hour for a full sys. scan .

  171. moon says:

    this is really sad that anti virus companies are treating developers like this. there must be some way to respond to their fascism. hard work of developers being detected as rogue is unfair. some antivirus companies like eset and websense refuse to fix the false positives.

  172. Joe says:

    well,
    many so called game cracks are INTENTIONALLY falsely identified as virus infected (or a malicious software) to make users who dont understand it do not use them.
    f.e. many game developers force you to go online (and then pay and pay and pay for playing a game you already paid for) by telling you they need it for copy protection reasons and then charge you money for DLC, no matter if you want it or not.

    here many players are happy that game crackers exist who create cracks (that everyone like me who owns the original cds has every right to use) that remove the need to go online and let you play the game offline.

    upon pressure by those (often big) game software companies the antivirus companies falsely identify those programs as being infected though they know that they are not.

    here we have a clear situation : this is CRIMINAL behaviour !

    and not only in such cases this slander or libel is criminal, since they are aware that what they identify as infected by a virus is de facto not infected.

    this is criminal behaviour of people who want their hands in your wallet.
    and in their view any program that protects your wallet IS A VIRUS and malicious and must be removed.

    lets face it : we are talking about criminals who belong behind bars, and nowhere else.

    what you can do meanwhile :
    do NOT buy from the big antivirus companies.
    look for freeware antivirus and firewall programs that let YOU define if you want a program to be
    called a virus or not.
    dont give your worthy money to those rotten companies, they dont deserve it.
    they deserve jail, not your money.

  173. sawan says:

    Greetings!

    with reference to some queries being generated by my management regarding Domain joining the ATM Machines with our existing Active Directory infrastructure and as well as to install the dedicated Anti Virus On ATM as well like Symantec / mcafee or Kaspersky; I totally deny such Ideas with some concerns but I need some solid Technical points in this regards,

    Can anyone help me out with his/her Expert opinion( advantages or drawbacks)?

  174. PC_Sec_Tec says:

    I regularly use AutoIt to bundle a number of tasks together and compile using UPX.
    At least once a month my antivirus quarantines all of my own scripts and removes the autoit dlls. This AV is in my opinion one of the best pay for antivirus (beginning with a K) but still I have to keep regular backups of my scripts and am forever having to reinstall my autoit dlls etc.

    The problem is that the AV companies primary role is to provide a layer of protection. They therefore prioritise the detection and removal of nasty code – understandably so – better to stop something bad and have a false positive.
    It’s in their financial interest to be over protective – they would rather block 1000 good programs than let 1 bad one in.

    I prefer it when AV reports / warns of possible rogue code rather than lock it down / prevent execution as was my case.

    Perhaps the large AV houses should have a ‘suspected virus’ warning, and at least add an automated ‘suspected false positive’ button within their software which reports back. At least this way it wouldn’t be too long before updates would resolve the issue.

    Love the tools / site – keep the faith !

  176. Jake says:

    “your ProduKey is a Trojan, be ashamed !” — that’s a good one we hear a lot at my software company too, only it’s always in reference to the free updates we provide to the software. It never happens when we CHARGE for an upgrade, mind you. Oh well.

  177. aletsan says:

    I am constantly using your utils for soooo many years, way back from the dial up days.
    Dialupass was working overtime those good old days … 🙂
    They never failed to give results and have saved countless people and companies that had problems.
    Fast and to the point, I always liked this !
    I have used almost all your utils for various reasons, they never failed to give results, little bugs (even big bugs) don’t count, I myself develop software part time and know how real life is.

    People that know how to really monitor the behavior of an app don’t really care about what worthless security apps say anyway.
    Me and my circle of colleagues/friends tested and decided about your utils long ago, and never regretted our decision. We use them, we spread them, they always perform fast and true.

    Now that I think about it I haven’t really checked your utils for more than 5 years, but I’ve never seen an unusual alert from using them, so I see no point any more.

    Don’t listen to what simple users say, and don’t lose your sleep about it.
    Knowledge is lost faster and faster these days, and common sense is close behind.

    People forget too easy that big (and not so big also) software companies care about profits first. User’s opinions, wishes, demands, and finally security are usually at the bottom line.

  178. Thomas T. says:

    Ya antivirus companies do that a lot these days. But I have no problem, I don’t run any antivirus software at all. I do run the only MS OS that was completely immune to 32 bit viruses and root kits. Windows XP 64. Though I hate that most companies like game companies won’t support this OS. Also hate the way people think you should run windows bloatware 7. I’m sorry but the way XP 64 handles memory with 32 gigs of ram is much better than any MS OS since vista. I use XP 64 at work where I fix computers and plug in infected drives all the time to clean out their systems, yet XP 64 doesn’t get infected. Funny how that works huh!? MS make an OS that’s stable as a rock and they remove it from market because the antivirus companies could not make profit from it.

    Greed is the reason why OS’s from MS are not secure period.

    In windows 7, 32 bit apps can only address 4 GB ram; in XP 64 they can address up to 10 gigs of ram. I know because I had to convert some old quickbooks databases once and in Windows 7 64 bit it ran out of memory in less than an hour. Also when I boot up XP64 it’s only using 200 megs of memory. Windows 7 needs 1.2 gigs of memory to boot and that’s with nothing running.

    Also can someone please explain to me why Windows 7 64 bit can use all 32 gigs of my ram just to talk to a friend on msn for couple of hours and have no free memory left. And XP 64 can do the same thing for 2 to 3 hours and still have only 250 megs of memory in use.

  179. Guest says:

    We *DEFINITELY* care about “false positives”. Not sure why you think we don’t. We have always tried to reduce the number of “false positives” down to 0. But that’s just not possible. Never will be possible.

    It’s hard enough to track 100,000s of viruses… let alone 100,000s of “near viruses”, too.

    Our users can *ALWAYS* allow or disallow “false positives” themselves.

    Also, you can always publish your MD5 codes on your website. If the user sees that it matches his download… he knows he has a copy that has never been tampered with.

  180. Doc says:

    I write and collate reviews on software for a site I Moderate. I must say that not only is your software (if downloaded from your site) is 100% virus/Trojan free.

    False positives abound, and so do malicious notifiers (especially since your software can really help recover a computer from the hands of hackers). Too often, “This way we’re covered from lawsuits” thinking prevails over intellectual honesty. Also, one shouldn’t believe all one reads on the net or what security software is programmed to say. That’s just being lazy.

    I’m sure you’ve thought of this already, but perhaps having really respected people in IT and Security review your products and publishing them would help attain your goal?

    I hope this can be overcome, since your tools are simply great. Martin Brinkmann of gHacks.com concurs, as he and any right minded professional should.

    There’s only one way around this problem: Put together a team and develop your own Anti-viral – I’m betting you could do a better job on it than the ones out there. It won’t be an easy task, but I truly think you’re talented enough to do the job.

    In summary sir, I have endless respect for your efforts and encourage others to use your software and post about its reliability.

  181. Raju says:

    Hi, I needed to recover my product key for MS Office 2010 recently as I had lost the key.
    I used another product key find utility and this gave me an incorrect key where when I entered (copied and pasted) at installation it said that it was not a valid office key.
    I then searched internet again and came across your Produkey. Tried it and it worked 100%. No problem at installation. Got activated without any hassle. Your product key was different to the one the other utility gave.

    Great product. Saved my day and some money.

    Thanks for your efforts. Well done. Much appreciated.

  182. Nicole says:

    Hi, thanks for your article. I am developing programs for companies, who need a special application for their needs or their customers. In the last years false positives became a big issue and I feel totally threatened by it. Your customer just wants a smoothly running app, and no trouble with av or your software. In my case I experienced this wall of ignorance of the av companies. And there are other issues too. For example, I made an application which can be started right from CD, no installation needed. You don’t need to be a false positive to get into trouble. In my case you will start the exe-file and then there is a long period of time, where nothing happens. The user thinks that the software is not working well. If you wait long enough the software will start and work. It’s so frustrating, you spend a big amount of time in programming to take care of a good performance of your application and then you are ending up with those problems. The end user or the customer company can’t be okay with this, and you can’t fix the problem. That’s so bad. I don’t think that developing independent av software is the only solution, because there will be still a lot of av applications on the market. Only thing would be, that there would be a worldwide central made from developers for developers, which checks the software you send in and declares it. If there would be security issues to be solved, this institution would have to be developer supportive, means: giving feedback, what has to be done to fix the problem. All of this would have to be a fast and transparent process. If you get whitelisted you are in a database which all av-programs can use. After that you would have to make enough pressure (with all the developers together) that the av companies have to whitelist the developers who are joining this institution. I think such an institution would have to be working with a system, where the swarm of participating developers has to be used to help checking the software which has to be testified. Something like that. Just dreaming. But if everybody is trying to solve this alone, there is no chance.

  183. shailen says:

    This article really reflects the reality. Small developers, to gain time or for test purposes, like to use open source programs, for example, and the policy of the firewall or anti-virus that has been set up to control or protect the whole network (intranet) is a real barrier. Even downloading .exe files is not authorized and if ever you have a CD or DVD, you will always get an alert saying that you don’t have permission to run or install the software. You need to see the Network Administrator, who is more crazy than the Firewall or Anti-virus.

  184. Best Free VPN says:

    This is really true, and it is really hard for small developers if their program is detected as virus. Most users don’t even care about the developer’s explanation. Once your application was detected by their anti-virus then they won’t even bother with your application so it is another client you’ve lost. Anti-virus companies should have a clear and easy way to report false positives and they should take action on these reports immediately.

  185. Artem says:

    Only Kaspersky tells about no viruses in mailpv.exe: “not-a-virus:PSWTool.Win32.MailPassView.lm”.

  186. Paul J. Richardson says:

    I’ve been using NirSoft at LEAST as long as I’ve been using SysInternals tools (many years, before they sold out to M$) — for legitimate purposes only.

    It drives me MADD as hell, but I’m here to tell you that those MORONS over at Comodo are flagging nearly every single product by NirSoft and it’s hard as hell to figure out how to get it to stop.

    I’m using Comodo Firewall 5.9.22blahblah with all available updates, and from day 1, it’s given me absolute HELL with Nirsoft.

    And don’t even get me started with AVG. I’m a totally sold out fan of NirSoft, and I’ve been using AVG for at least 5 years, but now I’m seriously considering switching to something else now, for the EXCLUSIVE REASON that I can’t get it to white-list ALL my NirSoft products (I’m using NirLauncher, fully decked out).

    So, can anyone here, PLEASE recommend an antivirus program that I can easily white-list all my Nirsoft executables with? (hopefully, with a free license level?)

    Thank you,
    Paul

  187. Kristen Tande says:

    I am not alone here I see 🙂
    Right now my webhost is closing down my site because of a program file they claim has a virus in it. I have tried to reason with them for a long time, but obviously I have stepped on some toes in the process. They just don’t want to check the file themselves with other antivirus programs than the one they use (Panda). As far as I can see one of the best out there is Kaspersky. Personally I use Kaspersky, AVG and Malwarebytes as standard. I am a developer and do not want crap on my pc. None of those programs show any virus infection. Just the PE Pack part.
    What I am most concerned about is that the web host company is so reluctant to see that something such as a False Positive actually is pretty well known. Are they blind and deaf, or just plain stupid?
    The company I am talking about is http://www.nordichosting.com and I urge all of you to keep away from this firm and their policy, which is as follows: Whenever we want to we can close down a site if we think there may be a problem with a file etc. No matter what most antivirus programs tell us. The file I was accused of having a virus in had been on the site nearly 8 months before I got the message about it containing a virus. At first they closed my site so I could not check the file myself. Yesterday they did let me in to get the file and guess what…..
    No virus whatsoever. Still they don’t want to take any actions to test it themselves, just a short message that the site will be closed within one hour if I don’t remove the virus. This is something I can not do because there is NO virus to be removed.
    Does anyone of you know about the legal part of this?

  188. Matthew says:

    i have just started game programming and have been using visual studio. when i try to run just a simple game over screen i get a potentially harmful hack tool alert from AVG

  189. Yasir says:

    it’s really looks like a joke some AV reports clean and some AV reports Trojan spyware etc… but i don’t think we really need a AV every time… in my experience never use a free AV they have mostly fake alert issue. kaspersky is really good and tolerate these type of programs & cracks but detects when really need…

  190. Yogibbbear says:

    Have just run a scan using SuperAntiSpyware which picked up NirsoftLauncher was infected with Trojan.Agent/Gen-NetPass.
    Funny thing was I have been running an earlier version of NirsoftLauncher which SuperAntiSpyware has never found Trojans in. However I took your advice and have submitted a False Positive Report to them.
    Will be interesting to see what they come back with and how long. Hoping that this will be rectified in a new update shortly. Also will continue to use this latest version
    I might add that Malwarebytes Antimalware gave it the all clear.

  191. boing says:

    “Antivirus is essential tool that most people need to protect their Windows operating system from Viruses, Trojans, and other bad stuff.”

    should have read:

    Antivirus is a recommended tool for people that want to protect their Mac or Windows operating system from Viruses, Trojans, and other bad stuff.

    OR simply say, “to protect their operating system”, since ALL operating systems are potential targets of malware. Especially better known operating systems. Since Macs have become slightly more popular due to sheep (yes, sheep), buying more of them because of the popularity of ipods, iphones etc, OSX has seen the expected, proportional rise in malware. Anyone who doubts this, search for MacDefender, or Mac FlashBack or “Help my Mac has a virus!”. If you still don’t think so, you just have steve jobs too far up your behind to understand, are likely under 30, or have the maturity level of a teenager etc.

  192. boing says:

    @Morgan, “I even think to go aways from windows utilities development and go to Mac, since Mac is not that populated with antivirus crap yet. ”

    I feel your pain since I too am a developer, and have worked on multiple platforms, including Mac, Windows, Atari, Xbox, gameboy, etc. However, that kind of thinking only leads more people to use Macs, most of whom have the false belief that the machines are impervious or nearly impervious, when they are basically a ticking time bomb with horrible security despite unix lovers believing in fantasies sprinkled around the web about how they can’t be hacked. Point is, once a way is found (and it has been), they continue to hack away. If people believe in the silly idea that somehow apple programmers are better and “magic” than programmers at other companies, then it has already been proven a fallacy. Iphone is also created by apple and its programmers, and it’s mega popular now. If it were something to do with apple’s “wonderful” programmers (who are only human and many who have worked at Microsoft and vice versa), you wouldn’t read about so many security breaches on the phone. Britney Spears’, and many other celebrities’ personal photos were passed around the web from her iphone due to this. And guess why she bought an iphone. It’s not because she has a doctorate in computer science. It’s because it’s the most popular fad, and people basically told her. The GPS, tracking each person, stored in an unprotected file, and then sent back to apple 2X a day, location hack is another.. I could go on..

    Point is your last word, “yet”, is the problem. Hey, let’s go here because it’s not ruined with malware yet! It’s kind of like saying, ” We are running out of gas, so Step on it. Drive faster to that gas station before we run out of gas!” It DOES NOT WORK. Making apple popular has always been a waste of time. True scientific minds and true techies understand what I’m talking about. The big hoopla and praise for apple has been the fantasy that it’s going to be malware free. But it never has, never been and getting worse as popularity rises. The next big thing is it is supposedly cutting edge technology. How can that be when I bought an i7 based PC that renders video editing projects (something a mac should be great at), nearly TWO YEARS before apple introduced the i7 to it’s lineup? And then they charged $1300 more for it at $1999, just for apple fans to get away from lousy core2duo tech. Apples phones are not ahead of all the other either. Counting apps doesn’t cut it. Sorry. Beyond 30,000 great apps, that’s enough. And historically apple fans have always said that just because windows had more apps it didn’t matter to them, so they shot their own foot with that logic. The over heating ipad2 isn’t that great. Let me break it down. A tablet IS nothing more than a LAPTOP without a keyboard and touch screen added to the screen. It’s pretty, but fragile and clumsy to operate on more complex programs that really need a keyboard. And there are lots of laptops out there where you can pull the screen out and they turn into tablets. So, this going to apple thing, is nonsensical as in the end, it will just be another place to distribute malware, as it’s already happening..

    As for AntiVirus and their false reports, and flagging dozens of objects as “Potentially harmful”, and counting every last tracking cookie, they are IDIOTS for doing this! Why? Because it not only scares the user, confuses them, makes more work for them, but they do it because they want to look good.. As in, “See mommy! I found some more for you. Can I have a cookie now?”. It also makes windows look far worse than it is by exaggerating the situation by counting all these false positives that aren’t anything major. If you simply did this on a mac. That is counted all the tracking cookies and so on. It’s report would come up with probably saying something like, “Infected with 58 infected objects!”. I’ve found that most reports are not reports of real malware or viruses in windows, but instead a show-off scanner. I just click, “Yes, fix it” and watch it erase a few tracking cookies. Anyway. The entire issue with Antivirus companies competing with each other to show who can pee the furthest, or should I say, Who can count up the most object is a disgusting waste of time.

  193. boing says:

    A couple corrections. I say $1300 more. I’m comparing it to the fact that they wanted $1999, when I could buy still a more powerful version of the i7 setup for $700 on PC. And this is true. Sure there are terrible PC’s. But the choice is there for someone to shop around and buy a good one. — Next correction, “Infected with 58 infected objects”, lol. redundant, but it wouldn’t surprise me to see that. Point is 58 that likely point to innocuous things like tracking cookies, or “potentially” dangerous temp files etc.

  194. Kal says:

    I’ve had a frustrating time trying to develop programs lately due to the fact that the new antivirus software I got keeps on “Sandboxing” either the tools I use to develop or the applications I write. For example I use Cygwin and GCC/G++ to develop C++ applications and the antivirus doesn’t recognize any of the tools that I use so it sandboxes everything, then when my application is finally built it sandboxes that too. It has gotten to be a real pain.

  195. William says:

    Guess free antivirus might get something profitable on users, like profiling them (have noticed, for instance, related with AVG outgoing traffic when running WMP), so it might be coherent paid versions detecting same false positives. Now I’m using AV just for on-demand scans (although my favorite scanner is Malwarebytes, not regarded as one of them), have three actually reliable out-of-the-browser HIPS running fine together, more the in-the-browser ultimate firewall called NoScript. Maybe some of your nice programs happen to scare these people, the WhoisThisDomain app was awarded by Trendmicro and Sophos at virustotal, perhaps the problem is firewalls can block phone calls?

  196. Gabriel Sartori says:

    I have this same problem.
    Many users analyze it on virustotal, and the Updater.exe is accused by 9 antivirus.
    It is really sad, because one thing I did and spent time to build to make user’s life better, now is waste of time because I needed to remove it from my software installer :/
    And even removing, some DLLs are still accused as viruses.

    I hate nowadays Antivirus

  197. mukesh says:

    Nirsoft provides good software which can’t contain any harmful virus or spyware. it helps the common public to solve their problem without purchasing costly softwares for little work. I use password recovery because most of time my firefox / chrome password recovery fails. some times they are affected by viruses. i can’t use my auto password. so i retrieve my password through this software.

    I suggest people this site placed utilities software for your use. I am using this site for last 15 years…

  198. Josh says:

    I’ve had multiple issues with my spyware and antivirus software classifying the programs I use to run
    http://www.mehreganmashin.com/ as viruses. It seems like any program that tries to make multiple connections without some sort of user interaction is “automatically” a virus now….

  199. Tkik says:

    I have exactly the same experience. I have developed a rss reader which is downloadable through our website. The setup is packed with upx for saving bandwidth. For years we again and again have had to tell AV companies that our software neither is a backdoor nor contains any virus.
    What we need is to collectively sue those av corps for compensations,
    so that a false positive will be really expensive for the AV corps.
    Now, they just don’t care as there is no negative consequence for them.

  200. Raghu Veer says:

    1) publishing the md5 and sha1 checksum of each file by each developer is good
    2) code signing your applications and installers using an Authenticode key which many ssl companies offer. Comodo, thawte and others like Verisign.

    Comodo code signing certificate is among the economical options even though it offers Microsoft Authenticode based certificates only as per their websites

    http://www.thawte.com/code-signing/index.html
    http://www.instantssl.com/code-signing/index.html (instantssl is comodo brand)

    3) working with AV-Comparatives ( http://www.av-comparatives.org/ ), virustotal.com etc may help reach antivirus companies as a group kind of.

    =====
    I am long back suggested by a cryptographic software developer to issue signed software from our website (we being a software download website) as part of enhancing trust upon downloads offered through our website

    minimum I have clamav antivirus software to scan the software before uploading files to the server. (I use eset and avast occasionally before uploading to server)

    just some thoughts

    thank you
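
Added example (not part of any comment above, and not code from NirSoft or the commenters): the user-side half of the "publish your checksums" advice given in comments 179 and 200, checking a download against a published `<digest>  <file name>` listing. The file name, the listing format and the inclusion of SHA-256 are assumptions; the comments name only MD5 and SHA-1.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm. md5 and sha1 are the ones named in the
# comments; sha256 is added here as an assumption.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# Collisions can be built on purpose for these, so a match only rules out
# accidental corruption, not a file crafted to collide.
COLLISION_WEAK = {"md5", "sha1"}
HEX_DIGITS = set("0123456789abcdef")


def file_digest(path, algo, chunk_size=65536):
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_listing(text):
    """Parse '<hex digest>  <file name>' lines into {name: [(algo, digest)]}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed line: " + raw)
        # A leading '*' before the name marks binary mode in some listings.
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or not set(digest) <= HEX_DIGITS:
            raise ValueError("unrecognised digest: " + parts[0])
        entries.setdefault(name, []).append((algo, digest))
    return entries


def verify_download(path, listing_text):
    """Check every digest published for this file name; all must match."""
    published = parse_checksum_listing(listing_text).get(os.path.basename(path))
    if not published:
        return {"ok": False, "checked": [], "weak_only": False,
                "reason": "no published checksum for this file name"}
    checked = []
    for algo, expected in published:
        match = hmac.compare_digest(file_digest(path, algo), expected)
        checked.append((algo, match))
    ok = all(match for _, match in checked)
    weak_only = all(algo in COLLISION_WEAK for algo, _ in checked)
    return {"ok": ok, "checked": checked, "weak_only": weak_only,
            "reason": "all digests match" if ok else "digest mismatch"}


def demo():
    """Constructed sample: publish digests, then modify the file and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-tool.zip")  # constructed file name
        with open(path, "wb") as fh:
            fh.write(b"constructed release contents\n")
        listing = "\n".join(
            "%s  example-tool.zip" % file_digest(path, algo)
            for algo in ("md5", "sha1", "sha256"))
        before = verify_download(path, listing)
        with open(path, "ab") as fh:
            fh.write(b"extra bytes appended after publication")
        after = verify_download(path, listing)
        return before, after


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A match shows only that the file is the one the site published; it says nothing about how a scanner will classify it, and the listing is only as trustworthy as the channel it was fetched over.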

  201. DJ says:

    Wat remover was considered a virus by Norton antivirus 2012 =/ but gave me the option if i wanted to remove it or not so im not too upset.

  202. J7N says:

    Having an anti-virus company decide what software is allowed to run on *my* computer is unacceptable. As has correctly been pointed out, most antiviruses don’t really explain the character of their findings and present the user any choice, because an educated computer operator is potentially a lost customer, while an increased number of virus detections might lead users to believe that their product is better and increase sales.

    Any automatic protection that patches into the operating system will thus increase its complexity and break in unexpected cases, as it attempts to stop the execution of software while performing its scanning, even if they do not involve any detectable malware at all. Software which cannot be stopped may crash, and memory leaks may occur, leading to instability, which is usually blamed on the OS itself.

    For these reasons the best choice is not to use any automatic anti-virus at all. Suspicious tools may be scanned using web services such as Jotti.org, where the output of a number of scanners will be returned, and may be *compared*. If two or more of them say “joke”, “not-a-virus”, then you can be reasonably certain the file is legit. In other cases one or two, usually no more, scanners will identify the *purpose* of the tool, such as “keygen”, “backdoor”, or “ircbot”. Only in such cases you can be sure on what it is.

    http://virusscan.jotti.org/en
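
Added example (not code from the commenter, from Jotti or from any scanner vendor): the comparison rule described in the comment above, written as a small triage script over multi-scanner output. Scanner names are constructed, as are all labels except the two quoted elsewhere in this thread; markers beyond "joke", "not-a-virus", "keygen", "backdoor" and "ircbot" are assumptions, as is the choice to let a purpose label outrank the dual-use count.

```python
import re
from collections import Counter

# Tokens that mark a finding as dual-use rather than malicious. "not-a-virus"
# and "joke" come from the comment; the rest are assumed equivalents.
DUAL_USE_MARKERS = {"not-a-virus", "joke", "riskware", "pua", "pup", "pswtool"}
# Tokens that name what the program is for (the comment's own three examples).
PURPOSE_MARKERS = {"keygen", "backdoor", "ircbot"}


def classify_label(label):
    """Map one scanner's detection name to clean / dual-use / purpose:x / generic."""
    if not label:
        return "clean"
    # Split on vendor separators (':', '.', '/', '!') but keep hyphenated tokens.
    tokens = [t for t in re.split(r"[^a-z0-9-]+", label.lower()) if t]
    if any(t in DUAL_USE_MARKERS for t in tokens):
        return "dual-use"
    for t in tokens:
        if t in PURPOSE_MARKERS:
            return "purpose:" + t
    # A family name such as "Trojan.Agent" says nothing about purpose.
    return "generic"


def triage(results):
    """Apply the comment's rule to {scanner name: detection label or None}."""
    classes = {name: classify_label(label) for name, label in results.items()}
    counts = Counter(c.split(":")[0] for c in classes.values())
    purposes = Counter(c.split(":", 1)[1] for c in classes.values()
                       if c.startswith("purpose:"))
    if not results:
        verdict = "inconclusive"
    elif purposes:
        # Conservative ordering (an assumption): a named purpose outranks
        # any number of dual-use labels.
        verdict = "purpose-identified:" + purposes.most_common(1)[0][0]
    elif counts["dual-use"] >= 2:
        # "If two or more of them say joke / not-a-virus ..."
        verdict = "likely-dual-use-tool"
    elif counts["clean"] == len(results):
        verdict = "no-detections"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "counts": dict(counts), "per_scanner": classes}


# Constructed scan results. Only the scanner_a and scanner_c labels in the
# first sample are quoted from this thread; everything else is made up.
SAMPLE_PASSWORD_TOOL = {
    "scanner_a": "not-a-virus:PSWTool.Win32.MailPassView.lm",
    "scanner_b": "Riskware.PSWTool.Generic",
    "scanner_c": "Trojan.Agent/Gen-NetPass",
    "scanner_d": None,
}
SAMPLE_BOT = {
    "scanner_a": "Backdoor.IRCBot.Gen",
    "scanner_b": "Trojan.Generic.123",
    "scanner_c": None,
}
SAMPLE_GENERIC_ONLY = {
    "scanner_a": "Trojan.Generic.123",
    "scanner_b": None,
}

if __name__ == "__main__":
    for sample in (SAMPLE_PASSWORD_TOOL, SAMPLE_BOT, SAMPLE_GENERIC_ONLY):
        print(triage(sample))
```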

  203. Brett says:

    I really appreciate this post. A friend of mine complained to an antivirus company for detecting his gaming software as a virus. He used all his might to potentially change the detection by having sections for frequently ask questions and forums but no luck. Certainly, false positives are killing small-time developers.

  204. Paul says:

    Hooray for ESET Nod32 v5 – doesn’t report false positives for mailpv, wirelesskeyview, dialupass, pstpassword – unlike McAfee, which wiped dialupass off my thumb drive today, to my considerable inconvenience.

  205. XILO says:

    I use System care pro 6 with antivirus 2013 utility it has an option “add to whitelist” this causes exe file to be used any time without any problems and it there when you need it soo i can advise to use this protecting software in order to use your favourite tools

  206. Mr Malware says:

    I write my own malware to steal peoples details, i use a crypter on the program to make it undetectable from 36 different anti-virus companies. once my program gets onto the target machine; be it via an exploit pack on a hacked web site or by attaching it onto a pirated program; my fully undetected code sails past any anti-virus program installed and set itself up, blocking any future updates that the antivirus will carry out and in many cases disable many of the security features it provides.

    now with this false hope that the user has that they are protected from threats i can go about silently carrying out denial of service attacks, send out spam and steal all manner of details stored on your computer, and you will never know i did it.

    don’t put your hopes in an antivirus program as most of the time they wont protect you from any real and serious threat and will only serve to scare you and hinder the smaller developer. remember every major virus outbreak that infected thousands of computers and crippled business also infected machines that had up to date anti virus software.

    of course i could be lying about it all :o)

  207. Dr. Bytes says:

    All true malware writers have access to all the AV software anyways, and of course, they test their exploits on machines with these AV packages installed on them. Most of the big company AV packages are designed for one thing only, and that is to increase the revenue of the big company, NOT to detect actual virii.

    Proper security is in knowledge, which, unfortunately, most people do not have the time to learn, and there is no test before turning on a computer (at least you need a license to drive).

    On a side note, under Windows 7 SP1, Microsoft Security Essentials did not hinder or pop-up anything when I used multiple applications from your site (THANK-YOU FOR THE FREE SOFTWARE!! — I am in your debt!). Now, MS SE is free as well, for people running any legitimate Windows OS (XP or newer). They make their money elsewhere so do not have to add false positives to boost their “detection rate”.

  208. Sean says:

    Let me just say: These products are legitimate, serve an important purpose and what’s better is they do it all for FREE!

    Dr. Bytes: MSE now detects this as a hacktool and attempts to quarantine, but, it does automatically do it, unlike TREND (USELESS AS FUCK MICRO) TITANIUM which:

    Prevented me landing at NIRSoft (redirects to a warning page, only link closes browser)
    Prevented Mailpassview being run, installed, on media attached to the PC
    Prevented Produkey being run, installed, on media attached to the PC

    On a professional note, your tool is excellent and I will continue to use it as long as you continue to publish it: I’m part of that 99.9% of people that use this key as it is designed: to recover passwords for clients and help restore mail and Windows programs. It has never caused me to feel uneasy, it is published with one objective: to be used, which makes it perfect because the program is designed to simply work, not to make money, not to make you use it often and not to deceive you or monitor you, it is designed and implemented in a way that should be reflective of the entire software industry but is, unfortunately, only a small movement within it.

    On a personal note, I was Dremelling my case to make reservoir space and stripped the thing down (took my Windows sticker off, put it somewhere ‘safe’) and lost my 7 Ult. PKC – instead of having to turn to piracy because Windows will sit there and be nothing but utter cunts about re-issuing a key without COA (or even with it 99.9% of the time) so Daz’s Windows Loader became the obvious choice until I was put onto your product.

    Thanks to the support NIRSoft provide with these tools (as opposed to the lack of support that Microsoft withhold or attempt to make you pay for) I was able to:

    Avoid 30 – 60 minutes on the phone to India
    Not have to spend ~$200 for a new Ult. PKC
    Run the program, once, without needing an installer, a toolbar or any partner products and retrieve everything I needed prior to reformatting my PC.
    Not have to operate my BOUGHT copy of Windows illegally via a loader and thus may maintain updates etc. more efficiently
    NIRSoft is a picture of everything right with the software industry and their experiences are but a small stain on the otherwise festering and rancid software industry.

    Please keep doing what you are doing, if everyone in the world gets what’s coming to them I think you are due much good Karma NIRSoft!

    Much respect and many well-wishes for the future.

  209. Dr. Alec says:

    Yes I am a small business that has poor ability to function because of false positives. I believe that what virus companies are doing is really illegal. They have permission to put a sign in front of your business that says do not go in this store as it is infected without any knowledge of the store content. If your file is a .exe it is immediately blocked. They make it difficult and often impossible for you to report your case to them. There should be a law that they all must provide any small business a way to get their compiled .exe software easily approved.

  210. John T. Nicholson says:

    Xilo,

    I too have noticed the “whitelist” feature for your known exe files. It would be nice if the coding community began to apply pressure on the big boy anti-virus companies. What is the world coming to when 10% of the apps on Sourceforge generate false positives?

  211. John Phillips says:

    We have a lot of issues with false positives when it comes to our software, especially from Norton and McAfee. I just don’t understand why there cannot be a safelist that one can be added to to avoid these issues.

  212. Graham Martin says:

    I, too, want to use this useful tool that is recommended by IT professionals everywhere, but my McAfee virus software won’t let me. Now I have to go through the trouble of disabling that software before I can use this tool!

  213. Abdel says:

    Strange if you ask but I never install anti-virus or 3rd parties security suites and never had any issues until today when running Windows 8 essential securities. Today I installed a legitimate program and it went to delete an addon claiming it was a virus when it was not. I know because the add on is mine. Shame on these people who lie in order to sell. The good news is that I can fix problems but others may not be able to.

  214. Adrian says:

    Ironically, since this post (as well as the whole domain, I suspect) is blocked by Trend Micro, I had to use an obscure anonymizer (since the known ones are also blocked) in order to read about antivirus companies’ abusive practices…

  215. bazem says:

    Hello, I just used PstPassword and Comodo gave me some alerts. What I like in Comodo is that you can see what it is blocking and you are able to block or not block each one of the requests, and add the program to a safelist.
    The thing is, after I open the program and click Select PST File, I get the following alerts:

    1 – “PstPassword.exe is trying to access explorer.exe in memory.”
    That’s ok, the application is trying to use explorer.exe so I can browse and select the PST file I want. Comodo always warns me about this in many programs I run the first time, and I think most antivirus don’t give alerts about this.

    2 – “PstPassword.exe is trying to install global hook dwmapi.dll. A global hook is a Windows feature which allows applications such as media players, keyboard enhancement programs etc. to inject executable files (e.g. .dll files) into other applications for various purposes. But this is also commonly exploited by malware programs for keylogging, screen capturing or controlling legitimate applications. If PstPassword.exe is one of your everyday applications, then you can safely allow this request.”
    I got a bit confused with this one, so I decided to block it. After this I could go ahead browsing the folders without problem (for some seconds).

    3 – “PstPassword.exe is trying to access a protected COM interface. PstPassword.exe could not be recognized and it is about to access the protected COM interface C:\Windows\System32\SearchIndexer.exe. If PstPassword.exe is one of your everyday applications, you can allow this request.”
    I can understand that it may use the search indexer for some reason but decided to block it, just to test.

    4 – “PstPassword.exe is trying to modify a protected registry key. PstPassword.exe could not be recognized and it is about to modify the protected registry key HKLM\SYSTEM\ControlSet001\Control\Class. You must make sure PstPassword.exe is a safe application before allowing this request.”
    I didn’t understand why such application should modify a registry key, if it would only read a PST file, so I blocked it.

    After all this I could select the PST file, see the passwords and save them as a txt file, without any problem.
    So, what I suggest is that you remove these access requests for changing the registry, using dwmapi.dll or the search indexer, because apparently it is not needed. Removing that would reduce the false positives, I think. And I take the opportunity to ask you: why are these permissions needed for the program to run?
    Thanx!

  216. NirSoft says:

    Hi bazem,

    It seems that you still don’t understand the meaning of “False Alerts”.

    As opposed to what you think, my PstPassword utility doesn’t do the actions mentioned by your Comodo Antivirus. All 4 alerts that you specified are simply a lie.

    You’re welcome to request explanations about that from Comodo…

  217. bazem says:

    Oh, that’s a surprise, I really trusted that thing.
    That is exactly what I’m going to do, thank you!

  218. Another Small Business says:

    Yeah, this happens to my software company too. It’s really annoying because customers blame us instead of the Anti-virus company for the false positive.

    Honestly, our next products are either going to be web based, phone based, or Mac based for this exact reason.

  219. Blugecko says:

    I too am a small developer that distributes my apps globally but to corporate franchises.

    I have a Microsoft® Authenticode® Certificate from Thawte which was “supposed” to prevent this type of thing, and for many years it did just that…until a month or so ago.

    Unfortunately it seems to me that the only anti-virus who “plays nicely” is AVG and Norton/Symantec AV (Not 360) – never had any issues with them yet Microsoft Security Essentials, Kaspersky and most others report suspicious activity or simply block communication with the centralised data server causing connection errors without even alerting the user or asking them to allow or deny the activity. I spend hours on support queries simply fielding these types of calls and then the customer thinks it’s my software that has a flaw in it and cannot see why they should pay for my time in sorting it out. Severe loss of revenue for a small company.

    While I applaud their efforts to combat viruses and malware, I would like a better process of detection, alert and an opportunity to submit apps easily if this happens.

  220. Trisha says:

    I have seen many times that a simple and safe program compiled with GNU C/C++ Compiler is detected as malware. But same source code compiled with Microsoft VC++ compiler is not detected as malware. I recently made a simple program with GCC and checked on VirusTotal and found 9 detections. However, after a month I checked again on VirusTotal, the program false positives were removed except 1.

  221. Jeremy says:

    As an IT Sysadmin I lost a job because of false positives detected in many of my tools. Was probably a good indicator that I should not be working for such ignorant dictators in the first place. All’s well that ends well. I cannot imagine the damage this causes small developers! AV products need to focus on this!

  222. Morgan says:

    My group have recently started publicly a demo of our latest project. It’s written in C# and uses a very simple launcher to do a version check and update if necessary. Deciding to run a scan for a sense of authenticity, I ran both the client and launcher binaries through VirusTotal.

    I almost fell out of my seat when “Ikarus” reported the use of MSIL (Now CIL) as a virus signature.

  223. Gordon Graham says:

    IEPV is an excellent tool which I am so thankful to have come across. Having used it successfully to recover my own passwords, and there being no adverse effect from having it on my computer (executable, not resident) for many months, I was surprised when Hitman Pro detected it for quarantine after a scan this morning (the file hadn’t changed but evidently their “definitions” were updated to classify it as malware). Glad I found this post, and that Hitman Pro allows restore from quarantine. I am an IT guy and will bear witness to this understanding. Thank you.

  224. an it department in Greece says:

    Out of appreciation for the work done by Nir Sofer, out of curiosity and who knows, maybe it is useful somewhere, somehow, sometime, I decided to protocol what happened.
    It is not an MSE tutorial (if you read this, you know your way in AntiVirus programs), nor criticism or endorsement of MSE (this is not the place for that).

    Attempting to download IE PassView iepv.exe version 1.30.

    Using a fully updated MS Security essentials (scheduled definition updates 3 times per day) and application/client/engine updates as offered by Windows update/WSUS

    Security Essentials Version: 4.0.1526.0
    Antimalware Client Version: 4.0.1526.0
    Engine Version: 1.1.9402.0
    Antivirus definition: 1.149.1718.0
    Antispyware definition: 1.149.1718.0

    (Note that there is a newer SE/AWC 4.2.223 downloadable, which, as far as I have seen has not been offered for automatic updates)

    reports when trying to download with IE 8 from wxp sp3
    ‘this download has been reported as unsafe’

    I have
    1) clicked on ‘report that this download is safe’
    which redirects to ‘https://feedback.smartscreen.microsoft.com/feedback.aspx’
    where I selected ‘I think this is a safe website’
    will this help ?????????????

    2) clicked on ‘disregard and download unsafe (not recommended)’
    after download, MSE popped up ‘Security Essentials detected a potential threat and suspended it’
    ‘Click Clean PC to remove this threat.’

    I clicked show details
    Only option is to quarantine
    MSE shows ‘your actions were applied successfully’
    BUT in details :
    Security Essentials encountered the following error: Error code 0x80070020. The process cannot access the file because it is being used by another process.

    Category: Trojan

    Description: This program is dangerous and executes commands from an attacker.

    Recommended action: Remove this software immediately.

    Items:
    containerfile:\\x\download on x\nirsoft.net\iepv130.zip
    file:\\x\download on x\nirsoft.net\iepv130.zip->iepv.exe
    webfile:\\x\download on x\nirsoft.net\iepv130.zip|http://www.nirsoft.net/utils/iepv.zip

    click on details
    Encyclopedia entry
    Updated: Mar 12, 2013 | Published: Dec 18, 2007

    Aliases
    Not available

    Alert Level (?)
    Severe

    Antimalware protection details
    Microsoft recommends that you download the latest definitions to get protected.
    Detection last updated:
    Definition: 1.149.1754.0
    Released: May 11, 2013
    Detection initially created:
    Definition: 1.45.287.0
    Released: Oct 07, 2008

    Note that between today 07:00 and 15:00 the definition file build version has gone from 1.149.1718.0
    to 1.149.1754.0

    Now to the main MSE application to remove the file from quarantine (history tab)
    It is not there, the .zip file was downloaded in the selected place
    Unzip, again an MSE popup
    remove from quarantine, again popup, etc etc until you exclude the file in this location or update an older version, in an already excluded location.

    Signing off, good luck and thank you.

  225. freundblase says:

    In my WPF application I placed a password for my database file in the app.config for encryption purpose (not everyone can open my database). When I try to access the ConnectionStringsSection where the password is placed in code, Kaspersky warns that my exe tries to access the protected password storage. So basically I’m not allowed to access my own app.config.

  226. marco says:

    English (sorry for my errors): I also happened to be blocked by the antivirus system. I thought that the program was free from viruses: to use it, I temporarily disabled the antivirus.
    I also sent an email indicating the type of error and that it seemed strange to me.
    I often find “legitimate” programs blocked by the antivirus.
    And, as an ex-programmer, I understand the frustration of those who make these great utilities that are then blocked and passed off as negative and harmful.
    Do not be fooled: antivirus programs are not infallible.

  227. David says:

    I had a similar problem, my software was classified as a trojan. The antivirus companies really need to figure out a better way of deciphering between safe and not safe software.

  228. Jackie McBride says:

    Malwarebytes detected a false positive in a screenreading program for blind people called “system access”, causing 1 of my clients to lose his computer’s speech. Rather like you trying to use your computer w/o a monitor. Nice!

  229. Gilbamesh says:

    Yesterday I downloaded DriverViewPortable from The Portable Freeware Collection, and at home my Avira found nothing wrong with it.
    Now on the lab computer my Sophos claims it contains ‘Adware/PUA’, allegedly a hacking tool, and sticks to it also with the .rar I just test-downloaded from NirSoft a few minutes ago.
    Lamentably I’m supposed to do some sensible work here rather than playing with downloaded stuff, thus I’m not at liberty to extend the analysis any further, but I don’t think I need it.
    I’m pretty sure it’s a false positive, and you mentioning the matter yourself on your site plays on your side. Moreover what you wrote in your article is nearly the same I would, were I in your shoes.

    Besides, after a number of scorching contacts with antivirus companies I’ve learned to detest them heartily – the best they seem to be able to do is ignoring the (paying) customer, although occasionally they prove quite capable of treating him like an idiot.

    In many countries one has to wonder several times a day whether the police are really better than the brigands…

  230. BUDA20 says:

    My tool GameCompanion for Games has this issue, I make this entry here just to let the users of the App know, they need to upload the program zip to their AV pages, and let them know they think is a false positive.
    Regards.

  231. Benedict Pokoo says:

    Almost all my native installers have been flagged as malware, especially by “Trend Micro HouseCall” and the annoying “jiaggain antivirus”.

  232. Thai says:

    I am an IT contractor and work independently for myself. Most of the time I need to find tools that are either FREE or bear a SMALL COST. I am so grateful to find Nirsoft offered a lot of FREE tools for users like me. 9 out of 10 people don’t remember their email passwords or ISP configurations and I constantly use these Nirsoft Utils to help them out and upgrade their systems. I think those AV companies have no sense of Customer Service these days as their intentions are making SALE in quantities. Therefore, beside paying for MS Windows OS, MS Office and other utilities that I owned, I NEVER PAID for any Anti-virus company myself as I considered they are NOT WORTH for me to support because of these similar situations. If they listen to their customers then I may change my opinion later but NO SUPPORT for the moment because their AV Protection keep deleting most of my utils and I ALWAYS DISABLED their AV products. Keep up the good work Nirsoft!!!

  233. Tim Stradtman says:

    A simple “Me too” to this entire thread. False positives are a pain. I work with a variety of vastly different systems with differing password requirements. It’s not unusual for me to have to create a password with three nonconsecutive integers, two nonadjacent symbols, 4 uppercase letters separated by 7 lowercase letters that has not been used in the past 15 years (there might be a little bit of sarcasm in those requirements 🙂 ). Needless to say, I don’t always remember these passwords six months later. Tools like this are invaluable. I tend to use AVG products, and when I downloaded the mail password tool, AVG immediately flagged it. However, they were nice enough to list it as something like a “potential hacker tool” and allow me to add it to the exclusion list as part of the detection process. I also really like the post above that lists the symptoms of a virus (taking all the CPU, changing files, etc). Fits most AV programs I’ve used perfectly, especially the “deletes files without asking” part.

  234. Bill says:

    How do we know you aren’t just saying it is the virus companies’ fault for giving false positives to hide the fact your software is really being used to create a nice botnet for you and others?

    I doubt this is the case, but the only real way to show you are innocent is to release the source code!

  235. bob says:

    Nir! your soft works, thanks a lot! (But antiviruses try to stop it!)

    This year I had a lot of pain in… with all those “smart” Co that sell (in reality impose) anti-virus programs.

    All those that I tried behave like a wild cowboy in a brothel: erasing (they call it quarantine) and removing “threats.”

    It relates to even “well-known” Co — like McAfee, whose technical assistants are probably the worst among IT/help depts. When McAfee completely blocked all ftp connections (and I daily use it to upload websites etc), I arranged a scandal for “assistants” — at last I was transferred to next (most educated, as they boasted to me!) level. And the guy tried for an hour to persuade me, that FTP does not exist at all and nobody needs it; anyhow, claimed he, McAfee never had any problems with FTP.

    To cure it (I simply did not know what to do) I reinstalled OS, changed comp, made a lot of useless fuss before found a cure (+ decided to uninstall McAfee).

    The most beautiful inventions of all those Co are “unwanted program” + “crowd wisdom”
    One such “specialist” explained to me: “If nobody uses this program, that means that it is dangerous.”

    (This relates to NIRSoft soft as well: really, less than 1% of “users” DO smth on their comps, and less than that do smth with their comps. )

    What to do? In a dream we must have a leverage over Co that produce bad soft.

    But in reality it is — with billions of “users”! — impossible.

    They are playing this silly game, crying “Wolf! Wolf” — until people just stop believing them (they have a good example: condoms!)

  236. Mark Jeffrey says:

    I downloaded two programs from your site, Lsasecretsdump and Lsasecretsview. They both were flagged as having viruses from my antivirus program, Avira Free Antivirus. The viruses names are SPR/PSW.WinPassViewer.AL and SPR/PSW.LsasView.A

    I also scanned both of them with MalwareBytes, and it only flagged one of them, (Lsasecretsview.zip). The virus name from malwarebytes was named PUP.PwdDump.

    I’m pretty sure your software is clean, and hope the AV companies will resolve these. I’ve been using your software for quite some time now, and I am very happy you wrote these programs.

    Thanks
    Mark

  237. PG says:

    The path of least resistance is probably to add the folder that contains utilities that you trust to the exclusion list in your antivirus solution. Depending on which program you use, it is sometimes easy and other times not. This is better than disabling your protection – who knows what bug might creep in while you’re working with the utility you require, leaving the rest of your system wide open to attack!

  238. Jan Vorel says:

    Following 7 lines of code, doing nothing, was just detected as malware by 9 different av software.
    (flat assembler source, blank.bin is a blank file)

    use32
    format PE GUI 4.0 on "blank.bin"
    include 'include\win32a.inc'
    entry start
    section ‘.code’ code executable
    start:
    jmp start

    Agnitum Trojan.Agent!d57YhsyP8J0 20140114
    AntiVir TR/Offend.6569850 20140114
    CAT-QuickHeal (Suspicious) – DNAScan 20140114
    Commtouch W32/Zbot.I.gen!Eldorado 20140114
    F-Prot W32/Zbot.I.gen!Eldorado 20140114
    K7AntiVirus Riskware ( 5e15b8d00 ) 20140114
    TheHacker Trojan/Kryptik.w 20140115
    VBA32 Malware-Cryptor.General.3 20140114
    VIPRE Trojan.Win32.Generic!BT 20140114

    What will happen if I add an “Hello world” and ExitProcess?

  239. Nathan says:

    I have several tools, including your iepv, a visual traceroute/whois tool utility now discontinued called neotrace, and a tool that allows me to re-apply the laptop OEM windows key where recovery partitions are corrupt; and cannot be recovered and must be manually reinstalled. Useful where no network is available to activation or the laptop key is a ghost-only key. Various other misc tools do as well but I use them so rarely I cannot recall them all.

    All of these tools are detected by AVG, Avira, Norton, MS essentials, Avast and Gdata as trojans or worse.

    Ironically some of these anti-virus tools immediately delete some of these without prompting – even when not configured for this behavior. I have had to download iepv dozens of times after finding it mysteriously removed from my repair toolkit usb stick.

    Even more ironically I have never known MS essentials to actually ever pick up anything but blaster worms, and that windows key utility – yet it updates almost daily. My impression is it is more a copyright enforcement spyware than an actual useful security tool.

    Even AVG, which is almost always installed and up to date on any PC I have been asked to repair with severe virus infestations – attacks these passive tools – and it is in my opinion the more useless free AV in the market.

    Why do these passive tools rate higher priority than say.. a trojan installed with mypcbackup by the Brethren cult to spy and censor their members, or used by the Iran secret service for spying on foreigners; or a ransomware app that locks you out of your pc if you don’t reveal your credit card details to them? None of the above antivirus tools even stop or detect in most cases these – but they will fall all over themselves to delete a password recovery tool without even prompting.

    So frustrating, where there is enough real threats out there without making up new ones.

  240. Jotidd says:

    ESET NOD32 is a complete pain. I obfuscate my autoit scripts which helps but ESET marks just about anything as a virus and everything without a tray icon. Just what is their justification? Sending fops to them is a waste of time and effort. I have never had a reply yet.

  241. MarkJeffrey says:

    Just downloaded smsniff 2.07, and scanned it with Avira. It was flagged as a Virus, the name is SPR/SniffPass.B

    I’m pretty sure again, it’s not a virus, but I thought I would send the info anyways. I have an older version of smsniff, v1.92 and Avira doesn’t detect anything with that. Just thought I would let you know. Keep up the great work!!

    Would be nice if AV companies would fix their software, so as to not give false positives.

  242. lexx says:

    Auto key or mouse mover scripts will always get flagged as a low risk threat as they can be used in bad ways, just most seem to not make a category to state what the risk is (like keygens)

  243. thanks says:

    My Chrome also reports it as a virus infected file. After reading this blog, I decided to have a try. I checked the download folder, it is just renamed by Chrome. So I rename it to pstpassword.zip, and “Scan for threats” ok. So I unzip it ok and successfully open the pst file! Thanks Nirsoft!

  244. Darin Walker says:

    I have almost all but given up on most anti-virus vendors because I am sick and tired of their lack of sincerity toward their clients. Not only are developers being hurt in this, but the clients/users of special tools (your stuff) for their specific productivity needs are being harmed, a sense of true protection from REAL viruses is blurred and uncertain, a waste of ALL of OUR valuable time (as if a client’s time doesn’t matter/a lowering of respect toward users), and a diminishing trust in the Internet and Mass Communications altogether as a result. Anti-virus vendors have learned that fear motivates sales, and they want sales at all costs. They are probably seeing diminishing returns because now that anti-virus software has become so good at protecting all of us, fewer infections are the result, therefore there is less motivation for new anti-virus solutions. Ah.., but wait! False positives are a good one, because.., you never know?…? Right?… That’s right! False positive will keep everyone guessing, and so anti-virus sales will go up. Every time a new anti-virus developer comes into the scene, all the profits are sliced in half again, so they’re thinking “we need to keep false positives up to keep sales up.” Sad situation. Alas, most anti-virus vendors have no integrity, nor do they have faith in their marketing/sales vehicle.

  245. Darin Walker says:

    “Bill Says: How do we know you aren’t just saying it is the virus companies’ fault for giving false positives to hide the fact your software is really being used to create a nice botnet for you and others? I doubt this is the case, but the only real way to show you are innocent is to release the source code!”

    Bill.., how do we know you are not employed by one of these anti-virus companies and coming here to employ a covert intelligence attack on the credibility of nirsoft? The only real way to show you are telling the truth is to provide us your full name, address, and contact information so we can check you out for our own edification.

  246. John Thomas says:

    Actually for anti-virus programs releasing the source code is not enough, because even if the program was directly compiled from source code it can get picked up. Norton at least seems to base this on how fast file names are changing or something? Seems rather unrelated to open-ness of code.

  247. Mike Towle says:

    I develop and support Adminsoft Accounts. Which is a free accounting solution for small businesses. Anti-virus software is a nightmare! I get LOADS of emails from people who can not install or can not run my software due to some over enthusiastic anti-virus (or firewall) package getting in the way. I frequently receive emails from concerned users who’ve been told by their anti-virus software that Adminsoft Accounts contains a virus or Trojan or whatever. When of course it most certainly does not. I even have the download file digitally signed, but I’m not sure it’s making any difference.

    I don’t know what the answer is. But if your anti-virus package keeps giving false positives, dump it.

  248. Impurist says:

    The reason is always simple. Your software is great, but don’t get me wrong, I hate proprietary software.
    I always choose open-source software when I have a choice.

    So, please upload your code to github or else, so I can read to see what EXACTLY your software does to OUR computer.

    For example, your tool “ActivityView” is really scared. Your software shows Windows history scandal, but
    I also want to know that your software IS NOT REALLY a virus.

    Please consider. It’s 2014, proprietary is a madness.
    Open source is always win, man.

  249. screwCNETcom says:

    Virustotal.com is THE MAIN SOURCE of false positives. They are the ones that need to host the centralized whitelist. I am getting ready to create some kind of viral video about how false positives and scrappy antivirus companies together with the VirusTotal autoforwarding system is screwing over software developers everywhere.

    All 50 antivirus companies blindly add false positives to their definitions to thrive.

    This article explains it best

    http://www.pandasecurity.com/mediacenter/malware/automated-false-positives/

    Contact me to get together to spread the word about VirusTotal.com they are NOT willing to give users an option to stop forwarding false positives to the 50 av companies that blindly add them. They are NOT open to creating a whitelist service even with a monthly fee which I would gladly pay.

    Code signing is NOT the answer to prevent false positives. They cost money, expire and in many cases with the new trend of open source and free software, code signing just isn’t an option.

    Virus scanners get rich off of flagging your CODE as a virus and they don’t even have to work to get lists of false detections

  250. screwCNETcom says:

    To contact me email onlywanttohelpeveryone@outlook.com

    Let’s figure a way to stop this antivirus madness. I have signed up for the NortonWHITELIST and that did not prevent the false positive a year later.

  251. Sydney says:

    Same with my .net application .. it just refers from some dll on C:// but they treat it as threat.. shud I quit being freelance programmer zzz

  252. Brendan says:

    McAfee is the worst (or right at the top of the poo pile) in my professional experience. Trashes license files at the drop of a hat, so frequently have to resort to using my personal laptop running Eset NOD32. Never an issue (or infection) in almost eight years using it.

    Too many stories and issues with McAfee, and life’s too short to go into detail.

  253. Mark Strelecki says:

    MSE is again flagging the latest nirsoft_package as a virus and I CANNOT GET IT TO ALLOW THE DOWNLOAD! I even turn OFF real-time monitor, and it STILL gets trapped. Using Firefox 31.

    MARK STRELECKI
    Frustrated to No End in Atlanta

  254. Kathy says:

    I’m moving from one computer to another, and have numerous emails for multiple sites and organizations. Gathering up all the information to put into the new computer’s Outlook loomed heavily .. until I found mailpv, which listed out everything I needed in a second.

    ..After, of course, I told Norton to restore the exe from quarantine, and, yes, to put back the “threat” it had removed.

  255. Joe F says:

    After telling Chrome to go away and leave me alone ….
    WOW! I now have to turn ZoneAlarm off to run IEPV
    and there’s no longer an override for ZA.

  256. mememe says:

    Kaspersky luckily says “this is a legit software that can be used by hackers”
    i think that this is the best message that an antivirus can show

  257. Stian says:

    The Nirsoft Launcher package is blocked by the latest Firefox. The internal malware scanning reports URLs to Google and if Google doesn’t whitelist, it just blocks the download. A big problem for small developers like Nirsoft.

    To disable in Firefox 32+ go to about:config and change the value of browser.safebrowsing.malware.enabled to ‘false’.

    I expect this to be more of a problem as more people update to FF32.
    FFS Firefox…

  258. Bill says:

    I had a major problem with Google chrome not downloading the nirsoft_package_1.19.1.zip package, I had to use Internet Explorer on an AWS server then copy it back over RDP.

    I do not run antivirus software and never have and I do not get viruses at all, since the start of the Internet (The internet is not that old). This is because I know what I am downloading and I have a good idea on what can be a virus so I simply use my own intelligence to avoid being infected.

  259. Lance says:

    I am a developer of freeware and I am constantly dealing with anti-virus false positives. It drives away people who might enjoy my applications because they are either afraid or because the anti-virus automatically removes my apps.

  260. Amodio Pesce says:

    Urrah for Avast.
    We sell a professional software protected by EleckEy Sciensoft Protection.
    And today Avast decided that eck6420.dll, the core dll for the protection system, is a virus. Then he decided to quarantine it without any message.
    And so many of our clients that use Avast are all calling today saying “Your software is not working, say that a dll is missing or something.”. We’re going to lose 2/3 days of work only to connect with every customer and add an exception to avast for our license system.
    This is madness. This is costing us a lot.

  261. Astuces says:

    I’m moving from one computer to another, and have numerous emails for multiple sites and organizations. Gathering up all the information to put into the new computer’s Outlook loomed heavily .. until I found mailpv, which listed out everything I needed in a second.


  262. Smith says:

    this is really pissing me off. I have to disable the antivirus prog to regain the lost e-mail password of a friend. Had this with f-secure and trendmicro.

  263. Head Gone says:

    Avast blocking my website with false mal reporting…Class action lawsuit sounds great! how to start??

  264. Dick Smith says:

    I found that I can easily make the program uniquely mine so anti-malware doesn’t find or delete it by zeroing out the words “This program cannot be run in DOS mode” in the exe file with a hex editor. Of course if everybody did that the anti-malware programs would be eventually trained to find it.

  265. Lian says:

    True, they are a big headache for small developers. We can’t blame them alone as there are numerous viruses created every day. I totally understand the issue with the small developers especially when one antivirus program approves it and another detects their program as malware.

  266. Laura Haglund says:

    It’s so true, the big companies are more concerned with selling their product than with perfecting it. That is why I always advise people to avoid anything that is advertised! No matter what people may say about the “dangers” of freeware, it is a simple fact that the best software is created by those who do it for the love of doing it.

    I call myself the “Queen of Free” because of my long experience with finding, testing, and using the best free software. I have also spent more money on donations to independent programmers than on commercial software (most of which is disappointing, at best). I’m a queen, not a freeloader 😉

    I use a collection of free troubleshooting, repair, and data recovery software, on a USB stick, to fix computer problems that commercial software has not prevented (and may have caused lol). My stick is always jumped on by AV, and I spend the first five minutes fighting it off. Sad.

  267. Björn Törnroth says:

    Thank you for this article and thank you for your tools. I routinely install the free versions of Panda Cloud and Avast! on my clients’ machines. Avast! goes haywire over your excellent tools, but Panda is calmer, and it’s easy to add your tool dir to the exceptions.

  268. Asad says:

    i actually am a long time user of NIRsofts
    and every time i install a new operating system (Which is quite a lot)
    i get False positive once every five minutes
    i know Nirsoft and just laugh it off
    Keep up the great work

  269. Wizengamot says:

    I too have run into this problem. I will be downloading your tools at home and running them against NOD32 Antivirus. I have found this tool to be very good about false positives in that they are very very few and very far between. I guess I will see.

  270. Guitar says:

    Some developers increase false positive detection of their software by sloppy coding, unnecessary heavy packing, sloppy attention to their dll files, and improperly registering their software with the Windows operating system. There is little need for all this. We try to make allowances for this in our AV, but when several of these are present, we will detect it as malware! Perhaps some developers need to use good coding practices, provide good documentation, and treat all components of their software as important!

    Regards,

  271. Chris says:

    Thank you Nir for your very prompt reply regarding my inability to install Mail-Pass-View and the detailed information you attached. I understand False Positives now and can see it is a real headache for you. Is ‘not a valid Win32 application’ the same FP issue or something else?

  272. Shannon says:

    Great page, Nir – my husband and I share your headache, as we try to run our small software business.

    Note to Guitar (November 8th): my husband creates our programs; he received a BS in Computer Science, is a professional programmer, uses the latest Microsoft Visual Studio, codes to perfection (seriously, he’s a perfectionist) and we are still regularly flagged then quarantined by ‘spoof’ warnings which – when researched – are simply defined as the software hasn’t been downloaded enough times (100+) and therefore is a threat. So it’s not just the cruddy or illegitimate programmers who are suffering. In fact, it’s poor programming on the part of the antivirus system companies who don’t take the time to figure out how to identify actual threats.

  273. Jean Lalonde says:

    Hi,

    I’m facing the same issue with my freeware Folders Popup. Good to know that we are not alone 😉

    Here are a few links I recently used that could help developers looking for reclassification.

    Trend Micro:
    http://esupport.trendmicro.com/en-us/home/pages/technical-support/premium-security/1096819.aspx

    Symantec:
    https://submit.symantec.com/whitelist/

  274. SysAdmin says:

    Here we are over 5 years since this article was published and we still get warnings about “NirSoft” applications. I guess that your concerns have gone unaddressed.

    I too am a long-time developer as well as an IT professional in an international company. I do understand why they mistakenly flag applications with behaviours such as some of yours, but also realize that these are false positives.

    Too bad some nice big law firm doesn’t step up and act on your behalf in this regard, you certainly have a solid case against them and could easily retire on the discredit that they have done to your company/brand. The fees for this suit would easily be covered by the suit’s settlements and it would set a good precedent against lazy virus scanner companies; after all it is up to them to figure out what is legitimate and not, and appropriately adjust the warning messages (if still applicable) for the end users. In the case of ESET (enterprise virus scanner), they took the time to name the virus after your company brand but stopped short of suggesting that it might be a false positive.

    Good luck.

  275. Anonymous says:

    Serious Question, Are there Companies you can hire to manage white-listing and false positive detection? I am a software developer and I’m trying to find the most effective way to go about protecting my product from Anti Virus. Thanks

  276. Georg says:

    Hi! Nirsoft is probably the best freeware provider on the entire net. Never adware or commercials. Never gave me troubles. But unzipping NirLauncher causes Microsoft Security Essentials to sandbox “SoftwareBundler:Win32/GoFileExpress” as high alert threat. It doesn’t prevent me from running the program. But what software did it actually remove… and where is the MSE sandbox folder located? I want to take a closer look at it.

  277. Nick Wilkinson says:

    I would like to know if any AV companies have been taken to court for failing to fix false positives within a reasonable time frame. If not, this type of action should seriously be considered. One person may be unable to afford to do this, but a collective could potentially succeed. I would like to see a fast track submission to all major AV companies for registered developers, which requires a response within a given time frame enforced by law. I think that’s a reasonable enough request.

    Here’s one story that may interest you: http://english.caixin.com/2014-10-17/100739976.html

  278. Steve says:

    Why am I here if I know these are false positives? Because it’s 2015 and stupid AVG is still flagging your files as “Potentially unwanted application hacktool”. I just got flagged today copying off a HDD. If it’s “Potentially unwanted”, AVG, then give me the option at point of flag to ignore your fing warning instead of only giving me the option to delete or quarantine.

    I’m close to scrapping AVG and moving to Comodo. Especially as AVG is spamming the advertising more and more in the free version.

  279. ckuhn203 says:

    Symantec is flagging us for no other reason than we don’t have many downloads. Which is in turn, scaring people from downloading the installer to our FOSS project. smh… Y’all are not alone.

  280. gmon says:

    Avira is still blocking most Nirsoft utilities. I have repeatedly sent them the quarantined files as false positives and they continue to flag them as “risk”. I have to exclude the entire Nirsoft folder from scanning, which is a risk in itself.

  281. James says:

    I have just written a program, put it on my site for download and chrome declares it malicious – this is really bad for my business plan, what can I do?

  282. Security Researcher says:

    Have you considered signing your binaries with a class-3 digital certificate from a major / trusted CA (Verisign, Thawte, etc)? This should signal to many / most AV products that your software is legitimate. It may not prevent all FPs from all AV vendors, but it should certainly cut down on the frequency and number of FPs.

  283. Andres says:

    Now Firefox is accusing my software of being malware and blocking it. I think both Chrome and Firefox are using a service provided by STOPBADWARE.ORG, which populates its database in a totally obscure way, and there’s no way to contact them to report false positive files. This is just GREAT.

    They are harming not only software reputation, but also legit developers work of YEARS and countless hours of programming, by blocking totally harmless and clean software. This is too much.

  284. Hans says:

    This whole false positive bullshit is the reason why i don’t use any antivirus software.

    If you know what you’re doing you won’t get any viruses.

    Use Brain.exe! It is the best protection.

  285. Elliander Eldridge says:

    I remember this one time when an antivirus deleted not only a program I just finished compiling, but the source code as well! It cost me hours of work and when I complained they said they don’t delete files without prompting. Ha. That was the last time I kept an active antivirus on one of my machines. Occasionally when I may think I actually need one I’ll just restore from backup which is faster anyway.

    Still, with browsers running scans, it’s a headache for me again. One really simple program I wrote just tonight in Java has a mere 285 lines of code, is unable to read from or write to any file, and is only capable of accepting numeric input from the user to then run some complex equations. It’s got a few nested loops and calculates different scenarios for the best investment approach. That’s it. It’s just an early version, and yet somehow I can’t email it to anyone or send a file transfer through anything. Facebook even says outright that it DEFINITELY contains a virus and those systems have no way of reporting false positives. Of course, it was programmed on an instanced machine that can’t possibly be infected with anything. So now it’s very difficult for me to share projects with others for beta testing to begin with.

  286. VirusTotalNeeds CentralizedWhitelist says:

    If we all can understand the problem is VirusTotal.com

    They have stated that they have NO INTENTION of creating a Centralized Whitelist service. I myself would pay monthly for such a feature. They are probably making a fortune from all of these antivirus companies that keep popping up. The number of antivirus companies has doubled in recent years.

    If there is one false positive, all of the antivirus companies automatically get the file forwarded to them. For maximum profit, most antivirus companies blindly add the file without checking if it is a false positive. There are plenty of articles to outline this in great detail.

    VIRUSTOTAL.com: YOU NEED TO CHANGE YOUR MIND AND MAKE A CENTRALIZED WHITELIST SERVICE!

  287. Charlie says:

    well, I did try to use your program last week and ended up with a computer so full of viruses and malware that I had to bring it to a repair man to get all the bad stuff off of it. It was so bad, I couldn’t even connect to internet anymore. Lan, wireless lan, PPoE every possible way to connect to internet was blocked. So maybe your program is safe, but others have found a way to hitch hike viruses and malware with it, when downloading.

  288. Izasi says:

    I am truly amazed that a subject made public by yourself is still not addressed by the antivirus vendors (since 2009 – as above).

    However, I would like to mention that not only has your software been detected as a virus by BitDefender today, but a listing of text data for importing into a spreadsheet (only 41 or so columns and 6348 rows) has also been flagged as a “threat” … go figure !!

    There are lots of companies that have addressed this it seems, while others are still sadly lacking.

    See this link:
    https://www.virustotal.com/en/file/a55eadb15cd0c92b2fae325c2c5dbc2f5b8a05a6ff7853129ef5762c405a1ddb/analysis/
    It is time to change my antivirus software provider … I do vote with my wallet.

  289. Larry Hunt says:

    I purchased a code signing certificate and incorporated it into my website download software (Installshield). My customers still get warnings from various antivirus software products. One even blocked my website. Then after installing my software, which consists of many executables plus support files, every so often an antivirus product will quarantine or delete one of the executables. I ran Norton’s Power Eraser on my computer and it recommended removing about five of my programs along with others. I then used Signtool to apply my code signing certificate along with the timestamp option to these five programs and ran Norton Power Eraser again and this time it flagged only one of the five. Even though its Properties said that it had a valid Digital Signature with a Timestamp. And when you click on why it was flagged you just get a message that it wasn’t recognized by the Norton community.

    Isn’t it time for a class action lawsuit against these antivirus vendors?

  290. Surveyor (Allen T.) says:

    Today, I continued updating my ‘collection’ of Nirsoft utilities – fantastic tools! But, quite by accident, I discovered that some of the downloads I had done today and yesterday were unknowingly “blocked” by Firefox (v39 – I know, I’m behind a couple of versions!). I have been using Firefox for quite some time and like it a WHOLE lot better than IE, but this “blocking” is absurd – no warning, no message, just no download. Searching for this issue turned up an explanation (https://support.mozilla.org/en-US/questions/1049744 – tied to Google’s Safe Browsing project, apparently) and a ‘workaround’ (http://www.ghacks.net/2014/07/25/firefox-cut-tie-remove-things-google-browser/ – see 2. Safe Browsing). The ‘workaround’ (Options/General: uncheck both “Block reported attack sites” and “Block reported web forgeries”) allows you to temporarily disable the checks (through Google) and download anything you want!

    My suggestion is to use the workaround (in Options), then apply “Pin Tab” to the options tab (on tab’s context menu) as a reminder for later or future sessions. If you see the ‘pinned’ Options tab, then safe browsing is TURNED OFF – you should keep it on, I guess, as protection, then ‘unpin’ the tab and close it.

    Although I appreciate the Mozilla people trying to beat the scammers and virus-creators (THOSE bastards!), a little popup would have been nice – “Firefox has blocked your download; so sad, too bad!” – and would have saved me a lot of grief and Internet searching.

  291. Surveyor (Allen T.) says:

    Oops! The options (in Firefox) to uncheck are in Options/Security (General area), NOT as stated above!

  292. StephenWika says:

    I wonder how we would fare if our digital signatures were from Verisign ??
    Let’s see,,, who owns Verisign??

  293. Ian Macdonald says:

    While back, our website was taken offline after Google reported it to the hosting company as containing malware. Naturally it was a false positive. I found out that the T&C of Adwords allows Google to do this site scanning. So, I took off all our Adwords code and cancelled the Google account.

    While later similar thing happened again, in which an executable I’d posted on our website for the use of a client was reported as malware by some cowboy outfit which was going round hosting companies offering to ‘Completely eliminate the scourge of malware from the Web’ or some such BS.

    I decided that the only way to prevent a repeat was to remove our public downloads and password the access to any executables which had to be distributed via the site.

    Other day, found that HerdProtect was still flagging one of our Sourceforge projects as malware, in spite of the false positive having occurred eight months ago and having since been removed by all of the major AV vendors. False detections or no, that takes the biscuit to be still displaying one eight months later. Even had our company name on it, taken from the file sig.

    I’m wondering if a petition to our respective politicians would be productive, perhaps in getting some kind of accreditation requirement for AV vendors. Those that create too many falsers get stripped of it, after which the certificate issuers get notified to revoke their certs by a government agency.

    That would mean their products being flagged by the OS as ‘The publisher cannot be verified -Are you SURE you want to install this?’ -which would be a strong incentive to stop these false alerts, would it not?

  294. LuJoSoft says:

    My real problem is with VirusTotal, don’t get me wrong it’s a needed tool for everyone, but they have one flaw.

    They scan files now with 54 scanners but before using an av scanner from a company they should ask a valid link or Email to report false positive and the possibility to the user to get the scanner removed from the page if the av company doesn’t reply to the demand.

    For the last year I’m trying to get one of my product white listed and it’s impossible because there is 4 company that I can’t get reply from, so I’m doomed.

    More info and blog coming about my dealing with them http://lujosoft.net/Forum1/viewtopic.php?f=72&t=731&start=10

  295. jacques says:

    most antivirus companies are full of BS lately. I have used small http server many years, but to download it now I can’t even use any updated browser, they all flag it as a dangerous virus and even the website http://smallsrv.com is flagged as a virus. I understand that some people use the software with evil intent, but FFS, if that is the case, why don’t we just start banning guns, knives, forks, tools, ropes, they can all be used for evil, dammit let’s ban computers and electronics, because terrorists can use them

  296. Ari says:

    As I trust your utilities today after reading an article in Gizmo freeware about Wireless Key viewer I downloaded but the Norton warned me and I got scared and did not retrieve the deleted files. Later again on your web I read “the Antivirus companies cause a big headache to small developers” which made me to re-download and again Norton deleted it but this time I retrieved the deleted file and can use it without problem.

  297. Karlo says:

    Avast is blocking my games made with GameMaker: Studio because the game uses reading from / writing to .txt or .ini files!

  298. O says:

    Windows Defender and Microsoft Security Essentials are flagging my Freeware app, which “can” be used by bad guys, as malicious.
    Windows Defender is preinstalled and activated on newer versions of Windows. Many users, who are trying to download my software, are receiving virus alerts and download-blocked messages.

    I contacted Microsoft many times

    via

    Email: avsubmit@submit.microsoft.com

    and

    https://www.microsoft.com/security/portal/mmpc/developer/resources.aspx

    https://www.microsoft.com/en-us/security/portal/submission/submit.aspx >>> (This form never worked once)

    but haven’t received any response from them.

  299. O says:

    I suspect, that many FP’s are deliberately generated false positives and AV companies are using some kind of secret blacklist against “trouble causing” legit software.

  300. Steve says:

    We feel your pain, we went to great expense and jumped through a lot of hoops to get a code signing certificate for our application. We went through a lot of background checks, we even had to get a letter of attestation from an attorney, and still get flagged. Occasionally we go through a period without errors but we are back at square one when we push an update.

    I understand the need for caution by the browser and AV companies but I really think that if you have a valid code signing certificate they should leave our applications alone. If the background checks need to be more stringent then make them more stringent but there needs to be a fair way in the marketplace for smaller companies to innovate.

  301. Tasos says:

    If I may add my own case, I had a big problem with Avast antivirus.
    I write some programs in Assembly language, ranging from small utilities to full applications. During development I use batch files to assemble, link and test-run the programs. The assembly-link time is between 2 to 5 seconds. When I used Avast, running a program I got a popup saying that the program is scanned and run in a sandbox, taking some 20 to 30 seconds to complete. As you understand, waiting for this to complete, many times I was forgetting what I was looking for. So, my solution was to stop using Avast and avoid suggesting it to others. After all, I don’t like being characterized a potential malware writer.

  302. Ricardo says:

    This situation is crazy…..

    The Antivirus companies are destroying people’s livelihood… But, they could care less….

    To me, it is like standing outside a restaurant and telling everyone who enters, “You may get sick from eating the food here.” The owners would probably attempt to have you physically removed. After a few days, they’d probably file a lawsuit against you.

    The thing is… This is beyond my control…. I cannot change it…. It is what it is…

    The only thing that makes sense is to create web applications where this is not a constant battle.

  303. rana says:

    all AVs are not to be blamed but most of widely used like avast are totally stupid in compare real virus or harmless software

  304. Stanley says:

    I am just beyond frustrated with antivirus companies continuing to mark my program as malicious without properly scanning it through. I am a small developer and my revenue is on the line with the increase in false positive detections from companies like Symantec and AVG.

    I have contacted many different AV vendors in the past and submitted my programs multiple times with no results. The issue may disappear for a short while, but will end up coming back in the end. Now even Windows’ smartscreen filter is marking my app as malicious. I’ve never had a problem with any of the companies until recently when they started flagging my software. It has gotten so bad to the point where Chrome blocked all downloads of my program and my website completely and lost total trust in my users. After a month of repeatedly contacting Google for an appeal, the block on my website was finally lifted, but the damage was done. Even people have started spreading the false notion that my software is actually used to exploit systems.

    I’ve just about had it with the AVs and the whole extra protection BS that these companies offer. At this point, it is either work on popular software or don’t program at all. Programming is my passion and I didn’t work on my project for 4 and a half years ALONE just to be labeled as a malware vendor. I’ve had enough of this. Sorry for the rant, but this is really affecting my life.

  305. Dr Santhosh says:

    I am an independent Android App developer with a number of free apps on Android, you would not believe my surprise when one of my free apps was Tagged by Avast AV as “suspicious”. I wrote to them offering my source code for analysis provided they maintained confidentiality.
    I am yet to hear from them, these conceited corporations just want to wipe out individual developers, as they cannot stand someone offering a free or open source app when they are being paid hefty money for same, that is the crux of the issue here……

  306. Joep van Steen says:

    Oh yes, it’s sooooo frustrating. I’m so mad! Just now DiskTuna got flagged by one in VirusTotal. After I just spent a day getting Google to understand I don’t spread malware. Google: but it’s a file that is uncommon. Yeah duh, I just finished it.

    https://www.hybrid-analysis.com also nice. All my software is malware according to them. Because they found a URL embedded. Because the software tried to get the OS version. Because the software evaluates if there’s admin rights or not. All perfectly legitimate for a disk defragger. I need admin rights. I need to know the OS.

    I’m so SICK of it. If I had the money I’d sue them till they’re broke.

  307. Matt says:

    This is so annoying – I’m trying to use the IE Password util to export and import user passwords when upgrading their computer (a lot of them don’t recall their passwords for stuff) but I can’t even download it because of my work’s antivirus 🙁

  308. Kevin says:

    Article is still true today as when it was written. Super frustrating. I just wrote a tool to repair database corruption remotely and Norton tries to remove it every time I run it.

    Good to know that I am not alone.

  309. Muhammad Saqib says:

    We all developers should unite and teach antivirus companies a lesson. We should build a platform where all developers can communicate with each other and can take legal or illegal action (such as harm their sales too) against these companies. You can see, 7 years have passed and developers are still facing troubles for their clean software. We struggle for months, day and night, we don’t take holidays while developing our software, and they take a minute to mark our struggle as a Trojan. Who gives them the right to judge the developers of the entire world?

  310. Tom says:

    My software continuously gets stopped by avast and mcafee. A real pain.

  311. Ralph says:

    I too suffer from constant FALSE POSITIVES around the Nirsoft products. It is unacceptable that these AV companies, Microsoft SCCM being the problem for me, will not fix these problems. Someone needs to contact the US attorney general and demand that they sue them for defamation of character and publishing false information about their products. Should be an easy win. There is a ton of evidence, 7 years worth in these comments alone to provide proof positive that they are nefariously defaming your reputation and that of NirSoft for continuing to falsely accuse developers like NirSoft of putting out evil viruses when in fact they do not. Anyone out there know any good lawyers, maybe a class action suit on the AV companies, starting with Microsoft, A US company. Any suit on them will get noticed and will get air/print time in the media. It should also earn a lot of money for the Lawyer with the guts and courage to go after them.

  312. Harry Powell says:

    I have received reports that the install executive of EditCNC is flagged and deleted by Gateway antivirus. This is done even though the file has a Symantec digital certificate!
    I think (hope) Gateway is the only one that does this.
    Is there a way to contact Gateway and have a file white listed?

    Harry

  313. mark says:

    This has become a major productivity problem with large companies. It is almost impossible to “whitelist” custom software that is legit purchased from major software vendors. Dont know what you do. lots of bad guys out there.

  314. Tony says:

    Our estimating software, Seljax, is sometimes detected as a virus and/or its communication is blocked. This creates a lot more work for our support team. Avast seems to be the worst.

  315. Josh says:

    We deal with this all the time (and are dealing with it now with the idiots from Lookout). The only solution for the AV companies that refuse to act is to get an attorney involved. I had our attorney send a letter directly to lead counsel for avast and we were quite literally whitelisted in hours. The thing is, when you contact these companies, you get directed to tech support, who really have no clue about the legalities and repercussions of their actions. These companies’ attorneys fully understand you can sue the living crap out of them.

    However I do agree with another commenter here, that we should create a fund/group to seriously go after a few of these companies in court, perhaps via a class action suit. Setup a GofundMe page. There’s likely enough cases of defamation & libel to sink companies like Avast & Lookout.

  316. Andon M. Coleman says:

    What’s downright despicable about anti-virus software is when it quarantines something that you just compiled. The output of cl.exe should be exempt from this stuff.

    It’d be nice if the anti-virus package warned you that it’s going to report to all its users that the software you just compiled will trigger a false positive, but it’s awful when you go to debug your program and it’s gone.

    As a developer, you really cannot use anti-virus software, it will make your life a living hell. I have done simple memory optimizations in the past that triggered bells in 10 anti-virus software packages. Needless to say, to keep my end-users happy I have to avoid said memory optimizations and release an inferior product. This is ludicrous and I wish anti-virus would go away.

  317. Sylvester Norrbjoerk says:

    I work for an IT-support company with hundreds of clients. Nirsoft tools have helped us out countless times for which we are immensely grateful. Luckily it’s always my colleagues and I that use the tools so we know to disable the auto-delete/auto-quarantine functions and/or disable the anti-virus and/or add exceptions to it, but it is annoying, especially when you are in a hurry and still have to perform a task on dozens of computers.

    I’m still trying to find an anti-virus that protects without false positives and that is lightweight; I am probably asking for too much. I also get it that the anti-virus companies also have a hard time figuring out what is a threat with numerous new threats appearing each day, but marking tools used by thousands of professionals regularly for years, as a virus is just plain wrong.

  318. Digitalconnectmag says:

    I am yet to hear from them, these conceited corporations just want to wipe out individual developers, as they cannot stand someone offering a free or open source app when they are being paid hefty money for same, that is the crux of the issue here……

  319. DubbaThony says:

    I have that annoying problem as well. Annoyingly, I use a ton of software that is “riskware” in AV-language, when in real language it’s “legit software”

    Oh, I made quite a few programs too. My first issue was the AV removing the .exe file just after compilation. I have a question. What the legit fudge is that supposed to mean?! You not only will false-positive all of my execs even if compiled on the same damn machine, decrease my reputation, but you will also try to prevent me from coding at all?
    Are those jerks insane?
    I don’t mind some security. But I mind, oh I really mind, a false-positive sea while looking for that droplet in the sea of actual danger.

    After all, I ended up using Spy bot +AV as it doesn’t throw false-positives at my face on a constant basis.

  320. Fred says:

    I’m a developer myself and I get so sick of these false positive alerts. It doesn’t seem fair, write a code and put it in the proper directory so it’s automated and five seconds later it’s gone. So what to do? Delete your antivirus and wind up with no protection? Doesn’t seem like a good idea, but you don’t exactly get very many options either. You could go to a smaller one like what DubbaThony did, but then are you really as well protected? Probably not. Antiviral companies such as Avira need to begin making their products more convenient or people/developers are going to start looking elsewhere. And who knows, maybe we’ll wind up with even better freeware based antivirus programs.

  321. Gail Tichy says:

    I am so angry about this issue. I just bought a new desktop that came with pre-installed “McAfee” anti-virus software. I use myPCBackup to backup my files. I installed the backup application on the new computer, but it failed to execute because McAfee flagged it as having “Artemis!” virus in the code. My only alternative to get my backups is to turn off McAfee while I am downloading the backups and then run a full scan afterwards. I wish there was a governing body with oversight on these companies.

  322. Mark says:

    Still unable to download Nirsoft tools with the latest Firefox (49.0.2), and had to download with Chrome instead which worked. MD5 hash checked out OK.
    Have had to put ignore exceptions into my anti-virus programs (Kaspersky paid for and AVG free).
    Kaspersky continues to bitch about it, but I haven’t tried AVG again for a year. I just let the exceptions handle it.

  323. DigitalEdge says:

    You can also make a utility that checks programs’ checksum and verifies it to a database. If it will become professional enough to not allow malware writers to pass the test it would become a priority for AVs to make sure they don’t FP your database entries.

  324. Rob says:

    I’m a developer who also suffers from false positives. The worst offenders are Norton, Avira and Avast.

    The way I fight back is by sending an email to my customer urging them to get rid of the A/V program. I include this link which shows how useless they are anyway (this was sent to me in a Microsoft Azure newsletter):
    https://youtu.be/PvfrS6_nyyM?t=77

    I explain how these A/V programs are a waste of money and all you need is the free Microsoft security already included in Windows.

    It’s working. I have persuaded over 20 customers now to toss their A/V programs, mostly Norton.

  325. Stéphan says:

    Ahh I have this problem too with my last version of Reqchecker. I have a false positive “HEUR/APC (Cloud)” with Avast and Antivir, and I imagine more. I will try to buy a certificate and sign my exe, but it does not ensure that the problem will be solved. 🙁 🙁

  326. OptometristPrime says:

    This is a huge problem with pretty much all anti-virus & anti-malware companies & they should be ashamed of themselves. Almost as much as they should be ashamed of the fact they lie to users about what should only be considered P.U.P, calling them trojans, or malware & filing them under trojan names for real trojans. This is unacceptable & the main reason I won’t use any anti-virus other than ESET. I have never had ESET lie to me about what a file actually is. It clearly states exactly what the file is & that it is potentially PUP, and then I can make my own decision based on that because it tells me the exact name of what I’m trying to use. For instance, a password tool would come up as PUP & would be called “Password Tool” or something, in their descriptive names.
    For this reason, I love ESET & for once in my life, actually trust my anti-virus isn’t full of shit or lying to me because of pressure/incentives from anti-piracy groups or their own greed/laziness/lack of caring.

    It’s a real shame this happens to small developers especially, because it really hurts you guys the most. It also hurts users though, because then you can no longer rely on your anti-virus, so what’s the point, if you constantly ignore the alerts then? These practices should really be regulated somehow & someone needs to put pressure on the companies to stop LYING.

  327. Keith says:

    I agree with this issue completely. I have been offering a program for the last 10+ years and each year it gets more difficult for users to load due to virus program saying it is a possible virus. I once tried to get a company to put it on the safe list but it was basically a good luck buddy response. Like trying to get an audience with the pope or trying to get an answer from the federal government. I am 100% convinced people are not downloading the program due to these messages and rightfully so. However it is costing myself some sales as well as them a quality and affordable tool.

  328. Mike says:

    Ditto to what Keith just said!

  329. Bob says:

    I’m having a massive headache with this issue right now.

    I’ve spent a couple years developing a popular game mod, and I’m forced to encrypt my application because ripoff coders had previously stolen some of my work. My application has zero malicious code.

    Scanning the unencrypted application on virustotal I get 1 false positive.
    Scanning the encrypted application on virustotal gives me 20 false positives.

    This is an example of how many AVs are just tagging patterns produced by the encryption software. One group of about 5 vendors seem to be using the same signature pattern, because they use the same label to identify the false positive.

    Some AV’s will not remove false positives and pretty much ignore requests to do so. I never realized the Anti Virus industry had so many snobs.

  330. Skipjack says:

    Nir, you must be doing something right, because I just installed PassView and it got by Kaspersky. The Kaspersky screen that came up says “Password Management Software Detected”. Then it says it’s not a virus and gives the file path. It gives three choices, DELETE, SKIP and ADD TO EXCLUSIONS. I clicked exclusion and the installer came right up. I haven’t run it yet, because I can’t reboot right now, but I can’t imagine it wouldn’t work fine. Maybe Kaspersky is in a snit ’cause I’m not using their password manager? Anyway, thanks a LOT for all you do. All the best

  331. Ken Schafer says:

    I think it’s about time for a class action lawsuit and I’m ready to sign on.

    Our software won an Emmy(r); we’ve been digitally signing it for literally the past ten years, VirusTotal reports it 100% clean but our most recent release has been just hammered by false positives. Kaspersky quietly deletes files causing access violations without giving the user any indication that it’s done anything… making our software look like crap when it’s really THEIRS that is.

    We’re going to have to put a whole page on our website with links to the VirusTotal reports and I know there will still be people not willing to trust it.

    Apparently our support department has to calm about a user a week who calls in… and god knows how many are just not calling but also not buying…

    Personally I think we should sue for slander. They are willfully refusing to accept our hard data that what we are producing is legitimate, and they are damaging our reputations and livelihoods in the process.

  332. boycott_AV says:

    We can boycott the AV companies. Let’s vote for the most stubborn AV product and put a link in our programs to this poll. We educate our customers this way.

  333. Ali H says:

    I have just had the same problem. BitDefender doesn’t like WM_COPYDATA, which I kind of suspected would be the case. But it doesn’t like CreateNamedPipe() either. So multi-process apps are out of the question for mere mortals? This feels suspect.

  334. Andrew G. Knackstedt says:

    I’ve got the same problem. I have special function key code with most of my programs, the code which runs in the background. Some anti-virus programs show a false-positive on my program since it uses keylogging to access the function keys. I can understand this, but on the operating system and runtime I am using I cannot use any other method effectively. Yay for me. -> Windows Defender quarantining random builds of my program where the logging code has absolutely no changes -> I have to whitelist the item each time it detects the trojan.

  335. Oladele Olanrewaju says:

    I developed and deployed a management decision optimizing application on the website recently. But I’m experiencing similar problem of false-positive alert by some antivirus against my application online installer setup, preventing users from installing the app. Efforts to stop this even with certificate signing could not stop these antivirus false alert. Now I’m going through the stress of educating potential users about how safe and free of malicious code, the application is.

  336. Craig says:

    Maybe it’s time to get a class action going. I compiled a “Hello World” program and then used one of the free online file scanning tools and got a couple hits.

  337. Gabriele says:

    As a practical suggestion, if you can identify the specific parts of your software that cause the false positive it might help to put them in separate files and probably processes, to be kept much more stable (not even re-built) than the main program. That way you might manage to cut down the reoccurrence of false positives.

    It’s not entirely unreasonable for antiviruses to block modified versions of a program of which they white-listed a previous version (one might turn a benign white-listed software into a malign one in a successive version). It would be reasonable though to treat these cases differently, it’s fair not to give complete trust to a software author just because a previous version had been white-listed, but you (antiviruses) should keep in mind that it’s very likely it is a harmless update and tell the users so, possibly without taking automatically drastic measures such as file deletions. Of course this can apply only if the files are signed (although it might make sense to give a slightly minor warning even if they are not, as in most cases it will be a legit update from the same author).

    This of course unless the problem is interprocess communication itself…

    But I agree that most of them will begin to give a sh*t about small publishers only after they’ve been burned by a serious class action.

  338. Rick says:

    The bigger issue here is that any software that does not come from a major big software player like Microsoft, Adobe, AutoDesk, SolidWorks, etc – the antivirus instantly become suspicious of it. Basically if you are not a multi-billion dollar company – the multi-million/billion dollar antivirus company will immediately distrust your code.

    Shouldn’t Adobe Flash be considered malware since it is soooooo full of bugs and vulnerabilities that it has to be updated every few days? (Truth is Adobe wants you to install it regularly because they get a few bucks for every McAfee Security Scan installation that happens if you don’t pay attention to what you click)

    Interestingly, we also develop windows based software for programming our hardware.
    Avast Professional has caused a few hiccups, but only a few. I could easily get past it.

    Nice thing about Avast (if you want to look at it that way) is – when you uninstall it, it brings you to a page to ask WHY you are uninstalling it. These get read by developers not by the support team.

    I have uninstalled (then re-installed) Avast on a few machines just so I could get that pop-up to tell them I am removing their software because of too many unacceptable false positives, which is affecting our business

    Most of our software no longer gets blacklisted by Avast anymore.

  339. Jürgen Huhn says:

    I think the main issue is to be found at Microsoft… This company is the provider and owner of the source code and rights of all APIs on Windows-based devices and computers.
    So, if you have an MSDN licence for your software or another contract with Microsoft, all errors on antivirus disappear.
    Basically, if you are not a multi-billion dollar company you need an MSDN licence for your software or another contract with Microsoft or antivirus companies, otherwise the multi-billion dollar companies will immediately distrust your code. That was my experience, for example:

    https://msdn.microsoft.com/en-gb/benefits-overview.aspx

    With an MSDN subscription, you will get all the software and benefits you need to stay up on all things code, including monthly cloud credits, collaboration tools, … BUT YOUR SOFTWARE WILL BE “Open Source” for Microsoft!!
    Microsoft tightens MSDN and TechNet licence terms again and again… Monopoly..
    https://www.directionsonmicrosoft.com/licensing/2013/06/licensing-sql-server-development-and-test

  340. Tom says:

    This might be of interest.

    How to Report Malware or False Positives to Multiple Antivirus Vendors
    https://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm

  341. Gabriele says:

    @Jürgen Huhn: What have you smoked?

  342. Nick Yates says:

    Same issue with me I have developed plenty of applications most get through but a few are a nightmare when it even comes to testing my binaries on test terminals and then the antiviruses either block or place in the virus vaults highly frustrating.

    my main website is http://www.nick-yates.co.uk – I would have thought since its been up since 2003 that I would not had any issues in the past listed as a safe website that the sources of the applications I develop coming from that site would be safe but I was wrong! … feel like butting my head against the wall sometimes!!

  343. Nick Yates says:

    In addition my applications Genesys Clean Up tool and Keep A secret Suite also get hammered by the Antivirus, saying that the Keep A secret mainly gets through with very little issues though on most antiviruses but Genesys is a nightmare!!

  344. Micah Epps says:

    I wrote and use a post-build deployment tool to do some file ops and windows service ops as part of our CI build. TREND was KILLING my process during a remote unzip. After a recent TREND “upgrade” it is now quarantining my post build application. We are sick of it.

  345. Tech Games 101 Official says:

    Hi!

    I am renovating Batch United alpha 5 to BatOS (I will add credit to original dev). Batch United is a batch file that uses a Bitmap display tool to display bitmap images in the batch language. But I ran into an issue… The main file “OS.cmd” was blocked by avast. Now I am pissed off as hell. Although they have a report false positive button in the virus chest. So I told them that it was a false positive via the false positives report form. Wish me luck!

    Sincerely,
    Liam.

  346. Chris says:

    I just felt its effects now, I was downloading the complete Nirsoft collection, and right before completing the download Avast flagged it as a PUA and deleted it. I wish there was a way to flag such PUA as harmless or something. This is such a headache.

  347. Elliander Eldridge says:

    The situation is worse than ever. After having this happen to me, I ran a few tests to see what can cause an antivirus heuristics check to flag the file as malicious. The following is the source for a program that, and I kid you not, was flagged as being a virus by hitman pro:

    #include <stdio.h>
    int main(void)
    {
        /* The entire program: print one string and exit. */
        printf("Hello, World!");
        return 0;
    }

    That’s it. That’s all it does. When I contacted them about this to explain how useless their antivirus is if it can’t even tell the difference between a virus and “Hello World!” their explanation was that it’s because it lacks versioning information. So apparently a file isn’t just malicious when it does something potentially harmful, but also when it lacks something that they consider to be a standard. That doesn’t seem very useful to me.

    Interestingly, when I compile C or C++ programs through the command prompt I am more likely to get it flagged as a virus.

    I found your article when searching for ways to avoid this from happening. It may actually require a class action lawsuit against the anti-virus industry as a whole to require them to label heuristics based checks correctly and to give users an option to disable such checks.

  348. Pinchas S Neiman says:

    I am very impressed by this post.

    I think the best solution will be to come over to this side of the game.

    To develop a small simple lite “NirSoft Style” Antivirus utility, that will be able to scan files and say the truth of them, it will look it up in a database managed by a group of trusted developers.

    Basically it should rely on the following
    #1 Known software should match a checksum=good
    #2 Unknown software but not reported as a virus
    #3 reported as a virus

    i am waiting for such a tool because of another reason, all anti viruses are very heavy and are created with silly people in mind, who are installing software/games from all over the web,
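
The checksum-database lookup proposed in comments 323 and 348, as an added example that is not part of either comment or of any NirSoft tool. The database layout, file names and sample bytes are constructed assumptions, and SHA-256 is chosen here because the comments name no hash; the name-mismatch hint for a file that carries a known product's name but a different checksum goes slightly beyond the three states listed.

```python
import hashlib
import os
import tempfile
from enum import Enum


class Verdict(Enum):
    KNOWN_GOOD = "known software, checksum matches"   # state #1
    UNKNOWN = "unknown software, not reported"        # state #2
    REPORTED = "reported as malicious"                # state #3


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(path, database):
    """Return (Verdict, detail) for one file.

    `database` (hypothetical layout) maps a lowercase SHA-256 hex digest to
    a record with the keys "name" (published file name) and "status"
    ("good" or "reported").
    """
    digest = sha256_file(path)
    record = database.get(digest)
    if record is not None:
        detail = f"{record['name']} ({digest[:12]}...)"
        if record["status"] == "reported":
            return Verdict.REPORTED, detail
        return Verdict.KNOWN_GOOD, detail

    # No entry for this checksum. A file that uses a known product's name
    # but hashes differently is still only "unknown", yet the mismatch is
    # worth showing: it may be a newer build, a corrupted download or a
    # modified copy, and the database cannot tell which.
    base = os.path.basename(path).lower()
    claimed = [r["name"] for r in database.values()
               if r["status"] == "good" and r["name"].lower() == base]
    if claimed:
        return Verdict.UNKNOWN, f"name matches {claimed[0]} but checksum does not"
    return Verdict.UNKNOWN, "no database entry"


def run_demo():
    """Classify four constructed sample files against a constructed database."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        def write(folder, name, data):
            os.makedirs(os.path.join(tmp, folder), exist_ok=True)
            path = os.path.join(tmp, folder, name)
            with open(path, "wb") as handle:
                handle.write(data)
            return path

        # Constructed sample content; none of these are real programs.
        good = write("release", "exampletool.exe", b"constructed release build 1.0")
        bad = write("samples", "dropper.exe", b"constructed reported sample")
        altered = write("download", "exampletool.exe",
                        b"constructed release build 1.0 + extra bytes")
        new = write("download", "othertool.exe", b"constructed unlisted program")

        database = {
            sha256_file(good): {"name": "exampletool.exe", "status": "good"},
            sha256_file(bad): {"name": "dropper.exe", "status": "reported"},
        }
        for label, path in [("good", good), ("reported", bad),
                            ("altered", altered), ("new", new)]:
            results[label] = classify(path, database)
    return results


if __name__ == "__main__":
    for label, (verdict, detail) in run_demo().items():
        print(f"{label:9} {verdict.name:10} {detail}")
```

A lookup like this only says whether these exact bytes were listed; it is only as trustworthy as the process that adds and removes database entries.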

  349. N.Felten says:

    I also found my harmless practise program published as a setup and downloaded got a false positive by Microsoft Security Essentials, just because it was an exe file that was being downloaded in a zip file.
    It makes me wonder how sites like download.com can download exe files with no problems and I can’t.

  350. john jones says:

    Windows Defender blocks the page http://www.nirsoft.net/panel/ .
    Other pages seem fine.
    I reported the page as safe.
    Maybe it got blocked because some tools have ‘sniffer’ in their names??

  351. Vincent Duvernet says:

    I agree. I have problems with my command line tools (http://www.nolme.com/outils.html) where some of the EXE are flagged as trojan by BitDefender GravityZone and MSSE

  352. Philippe Jounin says:

    Excellent post.

    Quite 10 years after this post, anti-virus detection is still taken very seriously by companies :

    I compiled this big C program under Visual Studio 2017 using static library (/MT), submit the exe to http://virustotal.com and, bingo, get 11 virus detection (mostly Gen:Variant.Graftor.419163) : strchr is a virus !!!

    #include <string.h>
    int main()
    {
        /* A single C runtime call whose result is discarded. */
        strchr("", ' ');
    }

  353. Mariano Francolino says:

    Same here, I use AutoIt for Windows Server 2012 R2 automation programs and get a false positive every second day… have a Platinum Support of Avira called and nothing… still the same

  354. Dave Grossman says:

    I just put up a website in which 100% of the software was written by me (PHP and js). It’s pretty damn sophisticated, but I know it’s 100% clean. But my son says his AV software blocks it as malware. Tomorrow I plan to delete files one at a time to figure out what’s causing the problem. At this stage I can think of 4 possibilities: (1) It has several fairly large non-pictorial images, (2) DNS has had only about 5 hours to resolve the IP address, (3) I’ve hidden all my code behind a directory with an unguessable name so that I can debug without anyone else accessing my code, and (4) Maybe it’s the server’s boilerplate rather than my stuff. We shall see.

  355. Steve says:

    I too get this problem. My software is totally virus and other malware free, I know because I wrote it!

    Norton are very good, I submit software to them, they check it and whitelist it within a few hours.

    AVG and Avast (now the same company) constantly report that my ‘Software may be dangerous’ it checks it and says ‘Sorry – no problems found’ and then submits to their ‘labs’. I then get a message to say it has been checked and found to be safe. The next time it runs the process starts all over again. What is the point of testing it in their ‘labs’ and then keep reporting ‘It may be dangerous’ . I have tried getting the software whitelisted with them and they never acknowledge receipt and never reply. Totally unacceptable, there should be some way to get compensation from them for loss of business due to false identifications.

  356. I_am_Dom says:

    I recently got an infection from downloading an old version of quicktime v7.0.2 from an oldapps website. Usually enough, I am very good at keeping safe and although this particular app didn’t completely install due to a corrupted cab file, and which I found suspicious, my AV program [Windows 10 Defender] didn’t pick up the virus at all.

    In fact, if I didn’t do a little digging into the system, this bleeding clever virus didn’t show any evidence of its existence, apart from the fact that the quicktime installer had a separate cab file with suspicious files in it, such as iDrive.exe and others that have nothing to do with installing quicktime. These are very likely the files that caused this particular infection.

    It was clever enough that I could not see any important System32 and SysWOW64 files and folders from Ubuntu [I have a dual boot with Wind 10 and Ubuntu 17.04], which I used to try and clean up some files that I thought got infected by this virus. I kept getting an error message something about “d3d10warp.dll” being corrupted or similar, which is unusual because why would Ubuntu need a dll file from windows to be able to read the contents of a windows system32 folder?

    My point is that when you bloody need an AV program to do its job, it usually fails miserably. When you want to run a legitimate tool, it can get flagged/deleted/quarantined due to a false positive… and who needs that?!

    Gone are the days when AV programmers would use file hashes to determine if a file was changed due to being infected or corrupted, but solely rely or depend on virus signature database to check against, to determine if a file is a virus or a friend.

    To me that is like a dr looking for viruses in the wild and just target them to try and protect the population from getting infected, instead of getting the people’s immune system to work better at identifying and then destroying a virus that tries to infect a person.

    As my good old dr used to say, “A single celled macrophage is smarter than a police man, [who is a very complex organism made up of trillions of cells], because a macrophage always gets its man [targeted damaged cells/bacteria etc] and never an innocent one”.

    THANK YOU for your great, invaluable and continual work, Mr Nir I for one very much appreciate your work and have been using your tools for many years.

  357. konrad says:

    My personal opinion: Antivirus is useless crapware

    I’m a software developer and a power computer user for more than 20 years now. I never really used antivirus software and had no problems at all till yet.

    I admit i tried AV software a few times but had nothing but problems

    (Here is a list of examples)

    – Booting up my OS took a very long time
    – Shutting down my OS took a very long time
    – Copying, moving files, launching processes etc. took many times longer than usual
    – Safe websites got blacklisted, which I couldn’t visit anymore until I uninstalled the antivirus
    – The AV put safe files to quarantine without my permission and very often without noticing me – and i couldn’t stop it even by adding exceptions

  358. Eric Asiedu says:

    I am the creator of vMixTask now known as vTask a 24/7 scheduling and automation software.
    This is really frustrating and it has given my buyers a second thought.
    i dont believe any one will sell a virus.

    am beginning to think its the Av themselves which distribute virus and make you aware of it.

  359. The Creadev says:

    I am beginning to see this problem as I am starting to write programs/games for the public. I find it quite irritating that I can make a perfectly safe program but have to worry that an antivirus will block it simply because I’m not a big publisher.

    I made a game in Gamemaker: Studio. Thankfully, with that game I never received any reports that it was a virus/trojan, but now I’ve moved on from Gamemaker. Now I’m using C++ to make a game as close to scratch as possible. The only problem with this is that if I want to release it to the public, it won’t be recognized as a safe program. I uploaded the original engine I made in C++ to google drive, and when I went to download it on another computer, chrome said it was unsafe to download because people don’t normally download this kind of software (what kind of reason is that? Check if the program is dangerous, not if it’s popular). It was the .exe and a SDL2.dll file. I downloaded it anyway because I programmed it and knew it was safe. Then when I went to execute the file, windows told me that it was an unrecognized file and so I should only run it if I knew it was safe. When I told it to run, it THEN proceeded to scan the file with Windows Defender and then it executed the file.

    This is such a headache to me as a free, independent developer. How can I get my freeware to the hands of my users if AV makes such a huge deal over it, simply because it has never been seen before or because it returns a careless false positive? Not to mention the fact that after it finally proceeded to scan the file with Windows Defender, it didn’t detect anything, so why did it make such a big deal? The carelessness of AV is quite infuriating for those who are not big enough to get our programs recognized by AV companies.

    I would totally understand my users if they turned back from playing my game because they received so many warnings by different careless antivirus in their browsers and in their PCs. You have to be careful about not downloading a virus, but it doesn’t help the software industry when you put such a limitation on us independent developers!

    Thank you for the wonderful article,
    ~The Creadev

  360. Percival says:

    It’s nice to see that many developers here are on the same page about a possible class action lawsuit. How many of you are seriously interested? Please let me know.

    If enough of you confirm your interest, I’ll look into the possibility.

    I believe if we get enough developers (who have been harmed by false positives) together, we can express our frustration, as well as our collective monetary damages in the form of class action litigation. This would be a sure-fire method for getting big AV companies to listen to us.

  361. Ian Butterworth says:

    I am a long time appreciator and admirer of this site and I wouldn’t be without Nir’s utilities and because I work on lots of different users’ machines I have a constant problem with false positives and having to dig mailpv out of quarantine.

    Good luck with the fight.

  362. User says:

    First of all, I’d like to thank this site and the developer(s) for so many utilities that help us, more advanced users, for the day-to-day computing needs and problems.

    And I came across to this section because I was searching for a way to export FF’s saved passwords, and was directed to the site’s utility.

    I’m glad to have an opportunity to thank all the works have done by the developer(s) of this site in the past years.

    Having said the above, I’d like to share a different view and it’s based on my experience of dealing with information technologies with experts and professionals like most of you, and with common people who do not know anything about technologies.

    The false positive thing is a headache and frustration for most of us, who know what are we doing (most of time). But we might need to consider, as well, about the purpose of why an anti-virus will deliver an alert.

    I’d like to borrow a common phrase used for some arguments: Guns don’t kill people; people kill people.

    Whether one agrees with the above phrase, the point is that, utilities, such as Password Revelation Utility, and many others, can be a lethal weapon, like the above gun’s analogy, particularly when it falls into wrong hands.

    There is no way for the anti-virus program to know who is using the program (e.g. gun), and it could be the administrator or a hacker, or someone else.

    And even if it is the administrator, s-/he might not know what s-/he is doing or would do a good job for protecting the sensitive information. In many cases, when something went terribly wrong, it’s common for people just blame others for not doing a good prevention job.

    Therefore, though I was also annoyed by the *unnecessary* “false positive” warning, but I see it also as a warning even to a more experienced user, like, – Are you sure about this program, and do you really want to continue?

    Truth be told, I’m very careful about downloading and using programs from the Internet, and as I mentioned in the beginning, I trust NirSoft’s utilities not blindly but because of its reputable practices over the years.

    If it was another publisher or program, it’s more likely that I won’t download in the first place, and if I received a warning, there is no way for me to verify whether is a “false” or “genuine” alert.

    And for the majority of common users out there, they have even far less knowledge than I have, and they shouldn’t try anything like this.

    Please do understand that the Internet is no different than the real world in terms of we can’t tell people’s true intentions and it would take a long time to build a trust between people.

    Before a trust relationship is being built, people are right to be skeptical and cautious especially when it comes to use modern technologies.

    So my final thoughts are: (1) it takes time to build a trust and there is no short cut, (2) developers can also provide a warning, exactly like what this site has done about a possible *false* alert, and leave it to the user to decide if they are going to do it and/or trust the publisher, and (3) I am not technically enough to tell, but is there a workaround way to work with the anti-virus program?

    All in all, I don’t blame the alert since it targets the vast majority who are not techies and there is no way for them to foresee who is using it and for what purpose.

    But I at the same time, share the frustration of the developers.

    And once again, thanks to NirSoft for helping me once again and for your works over the years.

  363. TooNice says:

    Developers have been too nice too long with major antivirus companies, the false positive problem is now a vast plague : i tested a very small harmless .exe and it gets 30% of virus false positive, that’s how far we are in 2018 !

    We should all come together and hit them with a major lawsuit ! That would force them to clean up their tools.

  364. TooNice says:

    Here is a VirusTotal test of my new app:

    https://www.virustotal.com/fr/file/2e50e2bddc021128ad052f85d2dd50f22707b6c55fa1e8d0abff731c4318e9f3/analysis/

    25 false positives out of 67, so 25 major antivirus tools are crap!
    How can they be trusted when half says yes and half says no?

    These companies make a lot of money scaring people, it’s time we go after them!

  365. MarcSamu says:

    Just wanted to say I sent this blog’s link to several lawyer offices in Canada, they seem specialized in class actions. And explained our problem. Awaiting possible answers, we will see.

  366. zok says:

    I believe if we get enough developers (who have been harmed by false positives) together, we can express our frustration, as well as our collective monetary damages in the form of class action litigation. This would be a sure-fire method for getting big AV companies to listen to us.

  367. sene seneson says:

    Hi to everyone who stays with Nir soft or Nir net….hi to all of you Nir ……
    Sorry, my English is very bad and no time to fix this comment.
    About false positives…….yes, I was next to get big problem of the anti virus many times.
    Anyway, I think I have too much to say, but my English is not……
    I do not like many of those guys who stay behind anti virus and false positives.
    so fuck all of them who make false positives.
    harm people to get more money by this false positive…..ok thanks for me and have a nice time to all of you.
    sene 25/08/2018

  368. Jerome says:

    I’m really sorry about that. Surely because this can be used for “bad” things, but they don’t think so many guys need those tools (Seriously…). So I think they made a very bad decision… (frustrated emoji) :'(

  369. SolderGirl says:

    I am really annoyed with Avira Antivir lately.

    It keeps removing my Crypto-Miners, even though I made an exception for them in the config.

  370. TooNice says:

    Hi Everyone,

    We’re in 2018 now and I see some hope! I think we’re slowly winning the battle against all virus scanner companies. The situation has become so bad that even in a big national German newspaper, they openly advise the public not to install virus scanners anymore because they are often harmful, they say Windows Defender is enough.

    http://www.faz.net/aktuell/technik-motor/digital/so-schueren-virenscanner-unbegruendet-panik-15755688.html

    The comments below the article show that the public is still scared to follow this advice, however this seems to be the new trend. Maybe we will get rid of virus scanners in a few years and be able again to develop our software undisturbed!

  371. Nick Stevenson says:

    I’m trying to install Best Crypt Volume Encryption but keep getting a “false positive” from Microsoft Windows Defender. Fortunately Jetico have advised how to ensure Windows Defender can exclude this installation.

  372. Asgerhj says:

    Bitdefender for Mac v. 7.1.0.6 just deleted produced.exe from the Downloads folder 🙁

  373. Asgerhj says:

    I meant to write produkey.exe

    Sorry for the auto-correct.

  374. Asgerhj says:

    I meant “Produkey.exe”
    Stupid auto-correct 🙂

  375. Jason says:

    Well even Kaspersky actually admitted that this “should” be fixed in next dBASE d/l.

    The features of false positive apply in Exchange Email too!

    I have often wondered if the MS ADOBE etc companies encourage the AV companies to intentionally report a FP on smaller better competitors like Nirsoft, and others by knowingly reporting based on URLs stored by them?

    Don’t forget the “big” companies are scared of losing their market share to the “freeware providers” and the Free Licensing programmers who often produce much better and more user friendly solutions.

    Remember the days when MS said Linux would never compete with them 🤔

  376. TooNice says:

    The link below is very helpful: it contains information on how to signal false positives to many virus scanner vendors (unfortunately not all):

    http://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm

  377. Rashid says:

    Hi
    Very comprehensive information about Antivirus. I have Sophos antivirus installed on one of my workstations. It’s ridiculous that it is blocking even basic Windows applications such as MS Paint. Most of the frequently used applications (Firefox, Chrome, WinZip etc.) are quarantined. The admin of Sophos has no answer why it is blocking a valid application. It’s a false alarm.

  378. Codrin S Arsene says:

    This is so true. We get false positives all the time. And it really sucks. Because at the end of the day, it’s better to get false positive AND real issues than not to be spyware on your website to begin with. I do wish one antivirus company can figure it out one day (maybe with the help of some powerful artificial intelligence algorithms) on how to eventually avoid false positives altogether (or at least decrease their frequency).

  379. David Rees says:

    On 9th March 2019 Windows Defender now reports and quarantines produkey (1.93 and 1.83 64bit at least).
    reports as containing “PUA:Win32/Presenoker”.
    definitions updated on 9th March are:
    1.289.734.0 and 1.289.755.0.
    Running Win10 pro v1809, build 17763.316

  380. Rik says:

    Great article and agree 100%.
    I have to develop, not to waste time after idiots that make exaggerated AV to look more secure than the competitors.

    Every time I release an upgrade it’s a pain.
    In the end, on the upgrade software I’ve put a flashing text saying:
    “Pause your Antivirus to be sure it doesn’t damage the upgrade”
    and a button that explains WHY this happens.

    On the website I’ve also put a link that runs the test on the exe and on the website, so anyone can see the result on VirusTotal regardless of their specific AV.

    Probably if there were class actions one after another, and tons of legal actions for libel against those mental AVs/services that easily shoot false positive for nothing on software and websites that are actually 100% clean, they would think a bit before saying bullshit that has a very NEGATIVE impact on a software house.
    A false positive in the eye of a loyal customer is not a huge problem: if he gets scared he can phone and we explain the situation; but what about visitors? You don’t even know how many you lose!

    I think there should be some almost “automatic” law: your AV says there is a virus? If it is not, you have to pay a minimum compensation as soon as the developer/software house asks for that.

    PS: not counting the damage to the customer himself. For example, when they forget to follow our suggestion to pause the AV, they could end up with our management software out of order, with some DLL deleted by the AV, and that’s a damage to THEIR work because it takes time to be restored.

    I think tons of legal actions would solve the problem! 🙂 If AV companies have nothing to pay for their wrongdoing they would never stop doing that.

  381. Vivek Garware says:

    I am a software developer. I develop software in vb6, vb.net, c#.
    But NetProtector antivirus, which is a popular (average quality) antivirus here in India, many times detects my vb6 application as a virus. At the same time world class antivirus products such as Norton, Kaspersky, Avira, Bitdefender never detect any virus. Clearly this is false positive detection.
    When we complain and explain to them that it is not affecting OS files or customer data and it does not have any harmful thing, then first they say exclude the file from scan. When we say we have many customers there and each time it is not possible to explain and tell everyone to exclude the file from scan. So you do the necessary exclusion or whatever in your antivirus program. Then they temporarily do it. But after some days the same problem arises again.
    So I request through this forum, hoping Net Protector guys might be seeing this site, please get rid of such false positive detections.

  382. marc samuro says:

    Some antivirus NEVER flag my product as false positive whereas for others I have to send an email at each version to be put on white list. Unfortunately Microsoft Defender, which should be a reference, is among the bad products: they are so strict they flag everything they don’t know as virus.

  383. marc samuro says:

    When I release a new version of my product, I mostly have trouble with: Microsoft Defender, Avast, Avg, Gdata, BitDefender and McAfee. So don’t buy these, they are not serious and rely mostly on their white exception lists. Other antiviruses rarely or never block my products.

  384. Carl Yos says:

    I have used your software with success in the past. Today Symantec Endpoint blocked the download. I disabled it. Windows Defender jumped in. I turned it off or so the interface said. It still blocked the download.

    One item of note. I expected to download a single zip file into my downloads folder. To my surprise two additional files were downloaded to my Win32 folder. Unwaders and Unwaders.C!ml. My AV took particular exception to those files.

  385. CJ Kershner says:

    I recently downloaded RouterPassView to try to regain access to the GUI of an ASUS RT-N56U that I had set up for my family to ameliorate poor coverage from a combo modem/router in a bad position.

    Once the new network was in place, I erased the old password… so when they gave me the router back (because they’d gotten a newer, better one) I was able to restore the old settings from a saved CFG file, but I couldn’t remember what the original password was and, therefore, couldn’t update any of the settings. This particular piece of equipment was previously connected to my small business server and while it worked the inability to see traffic or change anything was driving me crazy.

    So I downloaded the tool and tried to run it. Avast Business Pro running on Windows Server 2016 Essentials immediately quarantined RouterPassView.exe as infected with Win32:Malware-gen

    I’m not experienced with IT/networking and the flag made me nervous, despite the internet’s reassurances the software was clean, so I scanned with Avast Business Pro again, this time on a system running Windows 7 Pro; no issues were raised. Still unsure, I attempted to run the exe in Sandbox mode; the program launched, but when I tried to load the CFG the system blue-screened.

    Finally deciding my two options were take the risk or leave the router inaccessible, I ran the exe on its own, loaded the CFG file, and… voila! There was the password I needed (thankfully I remembered the username). HUGE RELIEF.

    I’ve reached out to Avast about fixing the false positive, especially since it only appeared in one place and not the other, and I want to say thank you to Nirsoft for building the tools and being upfront about the issues users might experience.

  386. Сватбена фотография says:

    I have used your software with success in the past. Today Symantec Endpoint blocked the download. I disabled it. Windows Defender jumped in. I turned it off or so the interface said. It still blocked the download.

  387. Сватбена фотография says:

    I’m not experienced with IT/networking and the flag made me nervous, despite the internet’s reassurances the software was clean, so I scanned with Avast Business Pro again, this time on a system running Windows 7 Pro; no issues were raised. Still unsure, I attempted to run the exe in Sandbox mode; the program launched, but when I tried to load the CFG the system blue-screened.

    I have used your software with success in the past. Today Symantec Endpoint blocked the download. I disabled it. Windows Defender jumped in. I turned it off or so the interface said. It still blocked the download.

  388. Коли под наем says:

    So I downloaded the tool and tried to run it. Avast Business Pro running on Windows Server 2016 Essentials immediately quarantined RouterPassView.exe as infected with Win32:Malware-gen. I have used your software with success in the past. Today Symantec Endpoint blocked the download. I disabled it. Windows Defender jumped in. I turned it off or so the interface said. It still blocked the download.

  389. Richard T. says:

    I have a Win 7 Pro 64 bit system and use Avast anti-virus.
    At first it wouldn’t let me download WebBrowserPassView v1.91, but I got round that. I found that Malwarebytes also said it was infected etc. etc. I was not allowed to run it, but it seemed to be Win 7 that was stopping me and telling me it was infected. Then I had a brainwave.
    I ran AlternateStreamView v1.36 and deleted the Zone Identifiers!
    WebBrowserPassView now works perfectly!

  390. GreyHatLabs says:

    I’m having the same problem. I contacted them, they told me the conclusion was that my software is clean, quoted me a few days, and almost a month later they are still showing up on virustotal. Why? How long does it take? I had to put screenshots on the site to show people, which they still may not buy into. This is aggravating. One of them refused to even investigate, while trying to bribe me into buying their software just to fix the issue. They will eventually get sued by someone else. What should I do? Any advice? Is it pyinstaller causing the issue? What’s the deal here? I put a link to this article from my site too as well for backup. I hope that’s ok. I hope the link to my site in this comment doesn’t hurt my seo? I assume your site’s a pretty good rank tho and may help. Any advice would be appreciated. I hate this 🙁 I want to make money in software development and now these people are hurting my reputation which hasn’t even had time to flourish yet. It sucks.

  391. Aaron says:

    Pretty much all of my applications get hit by this. Today I tried to download one from my website to check something from a user perspective. The download was blocked by Edge. I allowed that, but then Defender deleted the downloaded file. Allowing the file did not make it reappear in downloads, so I had to redownload it, and Edge blocked it again, the message said that it was harmful software.

    After it downloaded the second time, Edge blocked it a third time, now saying it could harm my computer. I had to hit keep and yes I really, really want to do this.

    Now, I go to my downloads folder and run the installer. Smart screen comes up and says it protected my pc. I had to hit the options thing and run anyway.

    Next, after the installer finishes installing the program, I go to my desktop and click on the shortcut to launch it. The shortcut points to a launcher which self updates the program before actually launching it. The self updater attempted to download a new copy of the main executable for this program, and failed. Defender had blocked it again. I had to go hit allow for the new detection, and use the desktop shortcut for my program a second time. On this go round, it was able to update the main executable as designed and finally, finally, the program was able to run successfully.

    I’m a totally blind developer creating games playable by blind people. I also create software that can enhance ease of use of certain things, for instance SpeakDropbox, which announces status of Dropbox icon out loud as it changes. Most of the games I’ve worked on are commercial. We sell them for a profit. We’re a two man company, and I can say with a straight face that the malware false positive issue is very rough on our business. It impacts customer relations, it prevents customers from using our products, every step of the process can and will be impacted.

    Antimalware companies have us by the balls, and it’s of course our fault. We now have to report our programs as false positives for every single update to try and slow the nonsense down. Yet we’re the first to hear about it when x or y antimalware program gleefully deletes or blocks our program. That’s when we get contacted and now have to explain the situation to a disgruntled paying customer of ours, that is, paying if they got that far.

  392. Lucius Day says:

    I just had my first experience with anti-malware “doing something” I didn’t want.
    Every time I tried to download Mail PassView, “something” deleted it.
    I’ll study the info available here.
    I need your program.
    Thanks,
    Lou Day

  393. alan davies says:

    My mailbox has been interfered with & I cannot access it. I need to read the password as it has been changed, an online virus checker removed mailpass & Zonealarm is stopping its reinstallation. It also seems to block installation of the nirsoft program. Virgin help seem completely useless so left in limbo!

  394. art says:

    I get the download past the Avast antivirus program but Windows says it is not a valid Win32 application. Still working on that one.

  395. guest says:

    Everybody should report false positives issues in the antivirus twitter accounts!

    If complaints about false positives are constantly and publicly seen in their twitter accounts, that will really hurt them for sure!

  396. David says:

    Hi!

    Just an FYI. I had a real old copy (2009?) of sysexp_setup.exe lying around on my system. It’s been there for years. I’ve also been using Webroot SecureAnywhere for years. Today, WSA suddenly decided that SysExporter is malware.

    Good luck.
    D.

  397. Macy says:

    This is a genuine problem for small time devs. I mean, we work and work and work only to see that our software has been tagged as a virus. Nothing’s more aggravating than to see the result of your hard work and toil being flagged as a virus by big players. I’m a mac user and usually download software from macysoft.com. Recently downloaded avast Mac security from here: http://macysofts.com/avast-mac-security-free-download . It didn’t flag my software as a virus but many other anti-viruses did. Companies should be more careful and something should be done about this problem.

  398. Danieal says:

    I have used your software with success in the past. Today Symantec Endpoint blocked the download. I disabled it. Windows Defender jumped in. I turned it off or so the interface said. It still blocked the download.

  399. Joep van Steen says:

    And yes, this weekend Microsoft Defender decided to flag my tools as Trojan all of a sudden. Submitted for re-analysis .. 24+ hours later the status on these is still ‘pending’ .. Nice. Cloud based intelligence they call it .. I call it cloud based incompetence .. I wonder if there are any no cure no pay lawyers who see some bread in this.

  400. GeekinTexas says:

    Suddenly on April 25, 2020, Windows Defender decided that ProduKey.exe was a trojan. The date on the file is May 12, 2011 and matches exactly what’s in the original .ZIP file. So all of a sudden, nine years later it’s dangerous? Hahaha. Microsoft would rather have you buy a new license than use your previous one on a new computer, so they’re flagging useful utilities as trojans?

  401. Dr_Evil says:

    Problem noticed with Win. Defender: almost all password recovery tools treated as infection (Trojan).
    Will be reported.
    Bear up.

  402. Laszlo Botka says:

    Today (2020.05.08.), I made a backup copy of PasswordFox.exe to another folder and got the following error:

    AVG
    Threat blocked
    We’ve blocked PasswordFox.exe because it was infected with
    Win64:Malware-gen

    I use PasswordFox version 1.65, downloaded it on 2020.05.06. and I successfully unzipped it immediately.

    Now I get the same error,

    – If I unzip PasswordFox.zip
    – If I run the originally unzipped PasswordFox.exe

    So AVG changed in these two days
    I created an exception, so it runs fine.

    PasswordFox version 1.60 runs fine.

    I think one needs a lot of patience to use AVG.

  403. Laszlo Botka says:

    Virustotal detections:

    Endgame Malicious (high Confidence)
    Kaspersky UDS:DangerousObject.Multi.Generic
    Malwarebytes HackTool.PassFox
    Qihoo-360 Win32/Trojan.PSW.d50
    TrendMicro HackTool.Win64.NirSoftPT.SM
    ZoneAlarm by Check Point UDS:DangerousObject.Multi.Generic

    6 engines detected this file, out of 71

    Many seem to be running to find something, Nirsoft appears directly at Trendmicro.
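
The detection list in comment 403 mixes three kinds of verdict: labels that name the file as a tool, generic or heuristic labels, and labels that claim a malware class. The following is an added example, not part of any comment or of NirSoft's material, that sorts those labels into buckets; the keyword buckets are assumptions for illustration, not any vendor's official naming scheme.

```python
import re

# Engine/label pairs exactly as quoted in comment 403 on this page.
DETECTIONS = [
    ("Endgame", "Malicious (high Confidence)"),
    ("Kaspersky", "UDS:DangerousObject.Multi.Generic"),
    ("Malwarebytes", "HackTool.PassFox"),
    ("Qihoo-360", "Win32/Trojan.PSW.d50"),
    ("TrendMicro", "HackTool.Win64.NirSoftPT.SM"),
    ("ZoneAlarm by Check Point", "UDS:DangerousObject.Multi.Generic"),
]
TOTAL_ENGINES = 71  # "6 engines detected this file, out of 71"

# Assumed keyword buckets, checked in this order (first match wins).
# dual-use: the engine names the file as a tool or unwanted application.
# generic: heuristic or catch-all verdict with no family behind it.
# specific-malware: the label claims a malware class such as a trojan.
BUCKETS = [
    ("dual-use", {"hacktool", "riskware", "pua", "pup", "application"}),
    ("generic", {"generic", "gen", "malicious", "suspicious", "heur", "ml"}),
    ("specific-malware", {"trojan", "worm", "backdoor", "ransom", "virus"}),
]


def tokens(label):
    """Split a detection label into lowercase alphanumeric tokens."""
    return set(re.findall(r"[a-z0-9]+", label.lower()))


def classify(label):
    """Return the first bucket whose keywords appear as whole tokens."""
    toks = tokens(label)
    for name, keywords in BUCKETS:
        if toks & keywords:
            return name
    return "unclassified"


def summarize(detections, total_engines):
    """Count detections per bucket and compute the share of engines flagging."""
    counts = {name: 0 for name, _ in BUCKETS}
    counts["unclassified"] = 0
    by_engine = {}
    for engine, label in detections:
        bucket = classify(label)
        counts[bucket] += 1
        by_engine[engine] = bucket
    flagged = len(detections)
    return {
        "flagged": flagged,
        "ratio": flagged / total_engines,
        "counts": counts,
        "by_engine": by_engine,
    }


if __name__ == "__main__":
    report = summarize(DETECTIONS, TOTAL_ENGINES)
    print(f"{report['flagged']}/{TOTAL_ENGINES} engines "
          f"({report['ratio']:.1%}) flagged the file")
    for engine, bucket in report["by_engine"].items():
        print(f"  {engine:26s} {bucket}")
    # The bucket describes how an engine labelled the file. It says nothing
    # about whether this copy is the publisher's original; compare the file
    # hash with the published one for that (as comment 416 does with MD5).
```

A dual-use bucket means the engine recognised the program and objects to what it can do, which is a policy decision to take up with the vendor or handle by exclusion; a specific-malware label on a copy whose hash does not match the publisher's is the case that deserves investigation.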

  404. GartenZisternen says:

    I am surprised by how many share the same opinion on this website. Glad I am not alone! 😀

    But how come I met so many IT experts and developers in real life suggesting I use Antivirus Software?

  405. Matt B says:

    Today I tried to download nirsoft network password tool to recover a shared drive credentials. Google Chrome refused to download it. Microsoft Edge did download it. I had to disable Norton 360 on the computer to finally get it downloaded. Network credentials revealed. All good.

  406. Tom says:

    Malwarebytes flags file hacktool.agent.nirsoft

  407. Mike says:

    MS security essentials had been blocking your produkey on my systems for months. It’s very annoying. I have tried excluding the exe file and have excluded the entire directory that it resides in, but it still tries to block / quarantine or remove it.

  408. P says:

    Windows Defender now flags ProduKey as “HackTool:Win64/ProductKey.G!MSR”, as of 10/12/2020. I had an old version, dated 6/22/2016, in a zip file on my computer, which it’s been scanning weekly for years, & only now decided it doesn’t like it. Sorry you have to deal with this nonsense.

    https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=HackTool%3aWin64%2fProductKey.G!MSR&threatid=2147765679&enterprise=0

  409. Foxy says:

    Frankly I am quite glad it flags the password viewer. I ran into an actual trojan and your tool was being used to extract/possibly report the resulting exported txt over UDP. It took a while to realize this wasn’t the most egregious part of it, because I wasn’t familiar with this software stack. Be warned, your program is being used actually maliciously too. Please safeguard it if you can; I don’t know how you would while keeping the utility, however.

  410. Foxy says:

    Likely, the fact that it gets included WITH other actual trojans that report/install services and the fact that it pulls passwords silently if used a certain way leads to your software being flagged. Rightly so. Email me if you want the link to the source trojan; no, I am not innocent, but I’m not paying $30 for a cursor editing program. I’d rather get a trojan than get scammed over that.

  411. roy giacone says:

    To let you know Norton360 reported “wifiInfo.exe contained hacktool” and quarantined it. First time I’ve seen this and I’ve run your program for 5 years.

  412. Rahul says:

    I am surprised by how many share the same opinion on this website. Glad I am not alone! 😀

    But how come I met so many IT experts and developers in real life suggesting I use Antivirus Software?

  413. Peter Dierich says:

    I am glad that there is ChromePass!!

    Unlike the unwieldy function of Google Chrome you get a clear list and can save your passwords separately.
    Since I have used ChromePass in the past I trust your program and disabled the virus protection for a short time, ran ChromePass and saved the list as *.html file. As mentioned above, some people don’t want you to get their data for free – oh go on with the program because those who depend on it don’t have a free alternative!
    Best regards from the Saarland
    Peter

    Translated with http://www.DeepL.com/Translator (free version)

  414. Don Wiss says:

    Malwarebytes updated yesterday. Last night PasswordFox, after being on my PC for years, got flagged as a potential virus. I did not quarantine the program.

  415. Don Wiss says:

    I tried to update to version 1.66, downloaded from this site. Every time I tried to copy the exe file out of the zip file, Microsoft Security Essentials sucks it in.
    Claims: HackTool:Win32/Passview!MSR
    Alert level is High
    Recommended action: Remove this software immediately.
    This is their further explanation:
    https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=HackTool%3aWin32%2fPassview!MSR&threatid=2147744267

  416. P W says:

    I tried unzipping the complete Nirsoft package and things like “Trojan:Win32/Ymacco.AB59::Severe” and “Hacktool:Win32/Passview!MSR::High” were detected by Microsoft builtin scanners

    I’m guessing that Passview is ok, but is Ymacco.AB59 expected to be part of the package?

    I verified that my MD5 hash of the downloaded zip file matched the published MD5 code

    Is there a complete list of these things, mentioning which ones are expected?

    Thanks in advance

  417. OTOH says:

    The other side of the coin for a more balanced discussion – apparently the person who wrote the article below said he tried to contact you with detailed information about a DLL-hijacking vuln in your software but got no response from you :

    https://borncity.com/win/2020/04/16/dll-hijacking-vulnerabilities-in-nirsoft-tools/

    If the above is true, giving no response doesn’t help your case and only serves to make your article heading sound more like a mere gripe than anything else.

    It takes 2 hands to clap 🙂

  418. Zerow says:

    Once again after buying new machine and installing from scratch up-to-date Windows on it, I became a victim of this problem. My free Avast persistently blocked a small piece of software that was serving as a bridge between two other bigger programs [details are available at
    https://community.mp3tag.de/t/antivirus-avast-problem-when-sending-files-to-mp3ag-with-mp3tag-total-commander-button/51459 ]. So for now I have switched to free COMODO – but I fear that with time it will also start driving me crazy, as so many other protection programs before these two throughout the years

  419. Jeff says:

    I’m here because I got the Win Defender notice that it wants to delete mspass. I’ve also been notified from ProduKey (which I use and is a GREAT utility).

    Before I get off track, let me just tell everyone how to fix Defender from deleting your great utilities. There’s an excellent article for how to tell Defender to keep its hands off a certain folder. Then you can run a manual scan periodically to re-certify nothing has crept into that folder:

    https://thewindowscentral.com/msmpeng-exe-high-cpu/#Steps_to_be_followed_by_Windows_10_users

    I recommend to only point it at one leaf folder at a time (a specific folder e.g. “C:\EXEs\Nirsoft”)

    I haven’t used all of your utilities, but I really appreciate your design and implementation – simple to use, effective, efficient, documented and many are free to use.

    I used your domain utilities to handle a complicated task of figuring out the status of domain name and certificate expirations for about 400 domains that I had the displeasure of managing for a while. It’s complicated to explain, but what a giant hairball of a mess how our Internet is managed! Good grief!

    Your tool was one of 3 or 4 (maybe more – honestly I don’t remember because it became too complicated, but ultimately worked really well).

    This was for an email / SMS TXT marketing service for small businesses and when customers signed up, they were given the option to manage their domain and cert (big mistake) or let the service manage their domain and cert. Well obviously most small business don’t have the time or knowledge to handle their own tech. So all of a sudden their service would stop and surprise surprise! They forgot to renew their domain or cert and one of my colleagues or I would get the dreaded PagerDuty call in the middle of the night…

    One funny aside – a fair percentage of the domains were found to be coopted by Chinese porn sites. The gentleman that was evaluating this big problem before I automated the process was having a hard time (let me correct that – he was having a difficult time) explaining what he was finding! When he finally said what was taking over the business sites – porn – we all laughed our asses off! He was trying to be so delicate and professional (I’m laughing right now thinking back on it)!

    Anyhow – that’s where your very helpful tool came in and why I like your software design. Batch and / or UI interfaces. Beautiful!

    I used a script to loop through the big list of domain names and figured out the expiry status of domains and their certs.

    I called your utility from a batch (PowerShell) script to aggregate all the pertinent info to avoid disruption of service. (I’m happy to share the script and some documentation so maybe it becomes your next project – I’ll NEVER have the time because I’m writing 2 books on the cloud, which is what I should be doing at this very moment).

    The notes I found:

    It’s broken into 3 types of info using domain names from Route 53 with & without prepended “www”.
    Note: More accurate data is returned without www in lookups.

    There’s
    – DNS lookup: that returns the IP Address if available – Success & not-Success.
    – Cert lookup: returns Issuer Name, start/end date, Has PrivateKey (needed for x-fer), Subject Alternative Name list, etc. – Success & not-Success.
    – whois lookup: returns registrar, start/end date, name servers, etc. – Success & not-Success.

  420. keyanalyzer says:

    I am surprised by how many share the same opinion on this website. Glad I am not alone! 😀

    But how come I met so many IT experts and developers in real life suggesting I use Antivirus Software?

  421. Goodman says:

    Hey there, Nir Sofer,

    I think you (all small developers facing the same problem) should collectively file a lawsuit against these stupid antivirus companies and could state your problems in the court and bring about a law that requires these companies to mandatorily display complete information of any software flagged as malware by them to the user and have an easy way to report false positives in their websites and must resolve the issue in a fixed amount of time and until then, not flag it as malware and just flag it as being processed for false positive. These so called antivirus companies have no right to defame you without evidence and proper disclosure of why a product has been flagged as a malware. I am sure that this is possible to implement by any antivirus company and people will benefit from it. Make all your points in courts and see what can be done.

  422. robinso says:

    I am an independent Android App developer with a number of free apps on Android, you would not believe my surprise when one of my free apps was Tagged by Avast AV as “suspicious”. I wrote to them offering my source code for analysis provided they maintained confidentiality.
    I am yet to hear from them, these conceited corporations just want to wipe out individual developers, as they cannot stand someone offering a free or open source app when they are being paid hefty money for same, that is the crux of the issue here…

  423. Walt says:

    This has been a problem for decades. I used to distribute “nuke.com” – a little program that did the equivalent of “rm -rf” – with an internal software package that ran on MS-DOS because MS-DOS didn’t have comparable functionality. It was a real hassle just moving that file around on corporate developer laptops/desktops because it was recognized as a virus. Not because it was, but because it could be used for malicious purposes.

  424. Tony says:

    I totally agree with your article. In eyes of AV companies, you get a gun = you must be a murderer.

  425. Thorsten says:

    I am working as a software developer in a research institute. After I have sent my software to a colleague it has been blocked as a virus. Installation was only possible with antivirus software switched off before.

  426. ChrisR says:

    As a small developer, without digital signature, I fully support.
    To avoid answering again and again to users, here is what I have been writing for some time now.
    In reference to your blog, as you are a well-known developer.

    Note AV: By its nature, Win10XPE uses programs or applications which use functions at the core of Windows.
    Some AntiVirus mark them as positive. These are false alarms.
    An example with NirSoft’s ProduKey to Recover lost Windows product key, 12 engines detected this file as Unsafe or Hacktool, that’s not true.
    You can read this blog written by the same author as ProduKey: Antivirus companies cause a big headache to small developers.
    Blog written in 2009, by a well-known developer, the situation did not get any better.
    It shouldn’t be like that and it’s really frustrating. The work of AV companies should be better.
    They should be reprimanded for this, we are their customers.
    I can only advise you to put an exclusion on the Win10XPE folder.

    We must continue to fight them by saying, by writing everywhere that they are bad, unreliable… to force them to improve.

  427. Bart says:

    Just today I found out that the tool that has recovered some of my lost files multiple times was quarantined by Bitdefender.

    ShadowCopyView.exe was detected as “Gen:Illusion.PUP.Nirsoft.D.1010100”. I have submitted it for analysis. Hopefully they will revert this false positive.

  428. Aspacid says:

    Acronis Cyber Protect Home (build 39703) classifies ProduKey as Gen:Variant.Application.NirSoft.249982 and quarantines it. Produkey version is 1.9.7.5.
    I’ll try contacting Acronis about it.

  429. RanuKanu says:

    Hi.
    Have the ‘false positive’ problem with productkex.exe, which I use in the WSCC-System-Tool-Collection.

    I wrote to Avira, but as you had written above, I got only an automated answer (it’s infected by SPR/ProductKey.A).
    I don’t pay for my AV program, so unfortunately the ‘false positive’ will not be fixed :/.

    Needless to say, the way to include an exception into the AV software is also buried DEEP within it. :/

    Anyway, thanks for your great Tools, which helped me a lot over the time ;).

  430. Spencer says:

    I use windows defender because it seems to do the job and is free. However it creates false positives on pretty much all of your password programs.

    At least for defender there is an arcane convoluted process by which you can allow your programs. I succeeded by searching for “allow program identified as a threat”

    The first few attempts did not work but I stumbled on the way to do it and now they all work. Unfortunately I can not explain the successful process because I did not take notes. Basically you need to open windows defender and look for threat history. Identify the ones associated with Nir programs on the basis of the file location and allow them using the actions dropdown. I hate inaccurate instructions but these might be. Something close will work

  431. Mike says:

    I develop a small accounts package for Windows called Adminsoft Accounts.

    I submitted a comment on this site, literally on this page, way back in 2014. Moaning about how anti-virus software frequently gets in the way of my users installing and running my software.

    Sad to say, around 8 years later – NOTHING’S CHANGED!!!

    Anti-virus software is still a complete nightmare. It can stop my software from updating files, it can suddenly decide to quarantine one or more files, it can even shut down the application (this sometimes happens when the app is using the internet). I always request users set the exe file, or better still the folder, to be safe, trusted, exempt (or whatever terminology their particular anti-virus package uses), which resolves the problem. Except many users don’t follow this advice. Maybe it’s a trust issue? After all, Adminsoft is a tiny company.

    A white list database that’s used by all the main anti-virus products would be REALLY USEFUL. Can’t see it happening though.

  432. Getitpc says:

    This has been a problem for decades. I used to distribute “nuke.com” – a little program that did the equivalent of “rm -rf” – with an internal software package that ran on MS-DOS because MS-DOS didn’t have comparable functionality. It was a real hassle just moving that file around on corporate developer laptops/desktops because it was recognized as a virus. Not because it was, but because it could be used for malicious purposes.

  433. LZ says:

    I cannot believe after ten years the antivirus companies are still doing the same thing. I tried to use your controlmymonitor tool but got blocked.
    Anyway, I really appreciate you and other small developers for your continuing contribution to the community despite these road blockers.

  434. Nossy says:

    Thank you for everything you’re doing. And for all of these reasons (and more) I delete Windows Defender/SmartScreen from my system on every new install. Any dodgy software, I either run in a VM or a sandbox. And yes to be fair, if someone can’t tell the difference between a fake virus or a real one, they shouldn’t be using software. On that note, how do you spell virus? Norton, McAfee, Eset etc.
    On another note, see 25 reasons why Windows is NOT a virus:
    https://www.techrepublic.com/forums/discussions/here-are-25-reasons-why-windows-is-not-a-virus/

    One last point, virus/ransomware makers should be the ones running the dev team at Microsoft/Apple, their code is free, it runs great, and it’s small and optimized.

  435. to @getitpc says:

    That sounds like a great program, can you post a link? And everything can be misused, the story goes that Kalashnikov (the guy who made the AK47) wished he would’ve made a lawn mower instead, when he saw his invention being misused by terrorists. Also Windows Defender flags other Microsoft products as a virus, like the deployment script for Office lol, that was when I removed it from my system.

  436. Chris says:

    Here I am in 2022, still having the same problems with Bitdefender and other well known A/V & anti-malware software deleting or quarantining your excellent utilities without notification.

    It seems your most useful (to me) utilities are the ones most likely to be blocked, with the procedures to prevent blocking during a download, or restoring your software from a quarantine that will be wiped in 30 days or less, making me dig through layers of settings to try to find where it’s hidden the super secret settings I need to unset in order to obtain the software I want to use on my computer. I believe I have the right to use what I want on my PCs without something being deleted or disabled behind my virtual back.

    I’ve used your software for years and I can’t tell you how many times it’s helped me and the countless others I’ve helped using your utilities. Thanks very, very much for helping not just me, but many thousands of other users through the years…for *free*! Writing this has made me realize just how valuable your software has been and will be in the future, serving as a reminder to donate as much as I can to hopefully see you continue your work in spite of the frustration that must accompany it.

    I appreciate what you’ve done despite unresponsive A/V vendors who seem to care how fancy their UI looks, and not necessarily how well their product works. Your stuff just works as intended, without a cluttered interface or hidden (disruptive) features.

    Most Thankfully,
    Chris

  437. RocZi says:

    Today I downloaded and unpacked the zip file of NirLauncher nirsoft_package_enc_1.23.68.

    My Avira Security immediately quarantined routerpassview.exe
    Threat name : PUA/Agent.RO

  438. RocZi says:

    After unpacking the NirLauncher zip file, I restored the quarantined routerpassview.exe. Avira Security auto-listed the file path in its file exclusion list.

    I then did 6 manual scans with free anti-malware tools :
    Avira Security – now fully clean. No threats found.
    Malwarebytes Free – detected 36 threats from the exe files
    Emsisoft Anti-Malware – fully clean. No threats found.
    SUPERAntiSpyware – fully clean. No threats found.
    Spyboy – fully clean. No threats found.
    Zemana Antimalware – 6 exe files failed to be scanned. The rest are fully clean. No threats found.

  439. Daniel Smith says:

    Thanks for sharing fine information. I have to develop, not to waste time after idiots that make exaggerated AV to look more secure than the competitors.

    Every time I release an upgrade it’s a pain. When I try to upgrade software it shows me – Pause your Antivirus to be sure it doesn’t damage the upgrade.

  440. Franck Black says:

    Hi,

    Effectively, these applications block and in particular for me, PstPassword who helped me for a pst of a user who left without giving us his password:
    -Chrome
    -Brave
    -Malwarebytes Premium
    -Windows Defender

    Thank you very much for your works

  441. Kathleen Neumayer says:

    I’m no developer. I have not done any computer programming since high school. That was a few decades ago. I’ve noticed, however, that nothing has changed as far as how they’re created. The “Why” is what has changed. Which brings me to my point… I’m definitely with you on the whole “bogus virus detected” reports. I’ve been trying to download ProduKey but it continues to be blocked even though I turn off the blockers in the settings. It’s extremely irritating because I’m trying to retrieve the product key so I can reset my laptop. It’s got entirely too much extra crap on it and I’d like it to run smoothly. The only thing I can think of doing to get past this is to install a different browser and try again. Just more unnecessary junk. Granted, this response is an incredible amount of years after your initial post. But it seems that some things truly never change. I hope that changes soon. Like immediately. One can only hope.
    Beyond that, thank you for sharing your talents with the world. We need more people like you. People that use their gifts for good instead of evil. As for those who respond with remarks like the “be ashamed”… SHAME ON YOU!!! Get a grip people! These utilities wouldn’t come so highly recommended by the intellectuals that offer help and support for the average joe. Perhaps try having an original thought BEFORE you email a derogatory response. Ya know, THINK BEFORE YOU ACT.
    Just a thought.

  442. Jacob C says:

    IMO, after seeing Apple reap huge profits from its walled garden/captured market approach, MS and its kiss-ass AV software developers, have done their best to corral Windows users into the MS Store. The offering of an MS antivirus software was the beginning, I think. When ulterior motives pervert the stated intent, the only certain consequence is loss of trust. It is to be expected since MS is a for-profit company. At this point, I need to decide whether to just play in their system or completely move to open source like Linux–which has been under attack at all levels.

  443. Shaun Nicholls says:

    I’ve tried downloading NirLauncher Package 1.30.3 following an article in the latest Computer Active magazine recommending it, but every time it fails as Windows Defender says it detects a Trojan – Trojan:script/Wacatac.B!ml and refuses to download it and deletes the whole package, and I can’t find a way to allow it.

  444. Velvet_Vader says:

    I’m in awe that a white hat like you, reverse engineer of notoriety, is still distributing your zip files, passwordless in some cases. I would compress everything in RAR or 7z, and I would still make it very clear on the website with each download a warning: DISABLE YOUR ANTIVIRUS SOFTWARE BEFORE RUNNING THIS TOOL. Unfortunately, there’s no way to go against it, and if the person is desperate or just needs to somehow use the tool, disable the antivirus *****. Unfortunately, with the arrival of Ransomware, viruses have become of gigantic proportions, and criminal, even more than bankers. So what I can say to you is that neither the operating system company nor the antivirus companies are going to be moved by this. A hug!
