Repository to help security vendors deal with false positives, improving their detection engine, and centralize information for software developers making it easier to submit false positives to AV companies.
The repository lists the emails, and websites security vendors (antivirus companies) used to receive false positive reports. it's an effort to facilitate communication between software developers and security vendors.
AV companies are not responsive? Look at the bottom for additional details.
A few things are basically required by all security vendors, and would likely lead to better communication. So make sure your email includes the following when sent.
A flagged detection on virustotal does not mean, that the commercial version of that security vendor will detect/flag the file the same way. Security vendors usually configure their VirusTotal implementation to be more sensitive/differently than their actual product
Quote from this VirusTotal Q&A
[*] Emphases not present in the original text and added for clarity.
In addition to the information in the table below, VirusTotal also has their own listing of contact information for antivirus companies. You can find it here.
ENGINE | Contact |
---|---|
360 | kefu@360.cn, https://open.soft.360.cn/report.php, http://sampleup.sd.360.cn/ |
Acronis | virustotal-falsepositive@acronis.com |
Ad-Aware (Lavasoft) | https://www.adaware.com/report-false-positives, malware.labs@adaware.com |
Agnitum | trojans@agnitum.com |
AhnLab-V3 | v3sos@ahnlab.com (recommended), e-support@ahnlab.com, samples@ahnlab.com |
AlphaMountain ai | https://www.alphamountain.ai/contact/ or support@alphamountain.freshdesk.com |
Alibaba | virustotal@list.alibaba-inc.com |
ALYac (ESTsecurity) | esrc@estsecurity.com |
Antiy-AVL | support@antiy.cn, avlsdk_support@antiy.cn |
Arcabit | vt.fp@arcabit.pl or virus@arcabit.com |
Avast | https://www.avast.com/report-false-positive, virus@avast.com, DL-Virus@gendigital.com |
Avira (no cloud) | https://www.avira.com/en/analysis/submit, novirus@avira.com |
AVG | https://www.avg.com/false-positive-file-form, https://www.avg.com/us-en/whitelist, http://www.avg.com/submit-sample |
Babable | obu@babable.com |
Baidu | bav@baidu.com, gaoyingchun@baidu.com |
BitDefender | https://www.bitdefender.com/consumer/support/answer/40673/, virus_submission@bitdefender.com, oemsamples@bitdefender.com |
Bkav Pro | fpreport@bkav.com, bkav@bkav.com |
ByteHero | bytehero@163.com |
Certego | https://www.certego.net/en/contatti/, fp@certego.net |
ClamAV | https://www.clamav.net/reports/fp |
Clean-MX | abuse@clean-mx.de |
CMC | PSIRT@cmccybersecurity.com, vulambang@cmcinfosec.com, support.is@cmclab.net |
CRDF Labs | https://threatcenter.crdf.fr/false_positive.html |
CrowdStrike Falcon | VTscanner@crowdstrike.com |
CyanSecurity | virustotal@cyansecurity.com |
Cybereason | vt-feedback@cybereason.com |
Cylance | cylancefilesubmit@cylance.com, cylancefilesubmit@blackberry.com, General instructions for submission |
Cynet | soc@cynet.com |
CyRadar | virustotal@cyradar.com |
Cyren | support@cyren.com, Instructions: https://www.cyren.com/support/reporting-av-misclassifications |
DeepInstinct | info@deepinstinct.com |
DNS8 | dns8@layer8.pt |
DrWeb | https://vms.drweb.com/sendvirus/, vms@drweb.com |
eGambit (TEHTRIS) | https://tehtris.com/en/false-positives-false-negatives/ |
Elastic | https://docs.google.com/forms/d/e/1FAIpQLSd2WQ-o7Y31Hf1PKvdxxd1iMNSxkoBth1cVDJZRuXuAmaD3rg/viewform, https://discuss.elastic.co/t/submitting-false-positives/232322 |
Emsisoft | submit@emsisoft.com or fp@emsisoft.com (false positives), https://www.emsisoft.com/en/help/contact/ |
Endgame | info@endgame.com |
eScan (Microworld) | samples@escanav.com, http://support.mwti.net/support/index.php?/Tickets/Submit/ |
ESET-NOD32 | samples@eset.com, (more information here) |
F-Prot | viruslab@f-prot.com |
F-Secure/WithSecure | https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample, spyware-samples@f-secure.com, vsamples@f-secure.com |
Filseclab | fp@filseclab.com |
Forcepoint (websense) | suggest@forcepoint.com or https://support.forcepoint.com/s/article/000012884, File Submission Tool, URL Submission Tool |
Fortinet | submitvirus@fortinet.com, https://www.fortiguard.com/faq/classificationdispute, http://www.fortinet.com/support/contact_support.html |
GData | https://www.gdata.de/help/en/general/GeneralInformation/submitFileAppURL, https://www.gdata.de/help/en/general/AllgemeineFragen/DateiURLAppEinsenden |
google-at-virustotal@google.com, https://safebrowsing.google.com/safebrowsing/report_error/?hl=en or go through this process, First upload the file to Google Drive (Preferably don't use your main account). Once uploaded, if the file was identified it will be flagged, right-click on the file and select Open With -> Preview. Google Drive will display 'This file looks suspicious. It is visible only to the owner.' alert, click request a review. On the Request a review page, click the Request file review button at the bottom of the page. Demo Video | |
Gridinsoft | virus@gridinsoft.com, antimalware@gridinsoft.com, https://gridinsoft.com/incorrect-detection |
Hacksoft | virus@hacksoft.com.pe |
Hauri | viruslab@hauri.co.kr |
Huorong | seclab@huorong.cn |
Ikarus | fp@ikarus.at, samples@ikarus.at, false-positive@ikarus.at |
Invincea | info@invincea.com |
Jiangmin | support@jiangmin.com, shaojia@jiangmin.com |
K7 (K7GW) | reportfp@labs.k7computing.com, k7viruslab@labs.k7computing.com, support@k7computing.com, https://support.k7computing.com/index.php?/ticket/submit-ticket |
Kaspersky | https://opentip.kaspersky.com/, newvirus@kaspersky.com, or https://support.kaspersky.com/b2c/il#contacts (OS > Application > Malware > False positive > Continue to contact support button > Upload file) |
Kingsoft (Cheetah) | ti@mingting.cn |
Lionic (AegisLab) | support@aegislab.com, https://www.lionic.com/reportfp |
Malwarebytes | https://forums.malwarebytes.com/forum/122-false-positives/, https://support.malwarebytes.com/hc/en-us/articles/360038524154-Report-a-false-positive-to-Malwarebytes-Support or for clients https://support.malwarebytes.com/hc/en-us/requests/new (Issue type > Product help > False-positive). |
Malwares.com (Saint Security) | kog@stsc.com |
MAX (SaintSecurity) | root@malwares.com |
MaxSecure | tech@maxpcsecure.com |
McAfee | https://www.mcafee.com/support/s/article/000001921, virus_research@mcafee.com, virus_research@avertlabs.com instructions for email submissions here |
McAfee-GW-Edition | datasubmission@mcafee.com |
Microsoft Windows Defender | https://www.microsoft.com/en-us/wdsi/filesubmission |
NANO-Antivirus | https://www.nanoav.ru/index.php?option=com_content&view=article&id=15&Itemid=83&lang=en, false@nanoav.ru |
Netcraft | https://report.netcraft.com/report/mistake |
Norton | https://submit.norton.com |
nProtect (Inca) | virus_info@inca.co.kr |
Palo Alto Networks | vt-pan-false-positive@paloaltonetworks.com |
Panda | falsepositives@pandasecurity.com, virussamples@pandasecurity.com |
Phising Database | https://github.com/mitchellkrogza/Phishing.Database#please-remove-my-domain-from-this-list- |
Qihoo-360 | support@360safe.com, https://www.360totalsecurity.com/en/suspicion/false-positive/ |
QuickHeal | viruslab@quickheal.com, OEMENGINE@quickheal.com, support@quickheal.com, https://techsupport.quickheal.com/report-an-issue/false-positive |
Rising | fp@rising.com.cn, http://mailcenter.rising.com.cn/filecheck_en/ |
RocketCyber | support@rocketcyber.com |
Sangfor Engine Zero | To report false positives follow their instruction guide |
Scrutiny | training@cyberstanc.com |
Seclookup | info@seclookup.com |
SecureAge APEX | https://www.secureage.com/support/report-false-positive |
SentinelOne (Static ML) | report@sentinelone.com |
Skyhigh (SWG) | Use the Avira Process, or email virus_research_gateway@avertlabs.com |
Sophos | samples@sophos.com, https://support.sophos.com/support/s/filesubmission, for email submission/other options see this article |
Spamhaus | https://www.spamhaus.org/dbl/removal/form/ |
Symantec (Broadcom) | https://symsubmit.symantec.com/, false.positives@broadcom.com |
Systweak | http://support.systweak.com/kayako/index.php?/Tickets/Submit |
Tachyon | isarc@inca.co.kr (Password Protected zip file include detection name) |
Tencent | TAVfp@tencent.com |
TheHacker | virus@hacksoft.com.pe, falsopositivo@hacksoft.com.pe |
Trapmine | fp@trapmine.com (Concluding operations December 31) |
Trellix (FireEye) | https://kcm.trellix.com/corporate/index?page=content&id=KB85567 |
TrendMicro | https://www.trendmicro.com/en_us/about/legal/detection-reevaluation.html, virus_doctor@trendmicro.com, https://helpcenter.trendmicro.com/en-us/srf/ |
Trustlook | bd@trustlook.com |
Trustwave | ADavidi@trustwave.com, https://support.trustwave.com/virustotal-detection-review/ |
Varist | SampleFP@avsubmit.com , support@varist.com, virus@avsubmit.com, virustotal@viritpro.com, |
VBA32 | feedback@anti-virus.by, support-en@anti-virus.by |
VIPRE | https://helpdesk.vipre.com/hc/en-us/requests/new |
VirusDie | partners@virusdie.com |
VirIT | http://www.tgsoft.it/italy/file_sospetti.asp |
Webroot | http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx, https://www.webroot.com/us/en/business/support/vendor-dispute-contact-us |
Webroot SMD | https://www.brightcloud.com/tools/file-change-request.php |
Xcitium (Comodo) | https://www.comodo.com/home/internet-security/submit.php, malwaresubmit@avlab.comodo.com, security@xcitium.com, support@xcitium.com, https://forum.xcitium.com/ |
XVirus | samples@xvirus.net, https://xvirus.net/submit |
Yandex | yandex-antivir@support.yandex.ru |
Yomi | yomi-false-positives@yoroi.company |
Zillya | virus@zillya.com , https://zillya.com/support, help@zillya.com |
ZoneAlarm by Check Point | zonealarm_VT_reports@checkpoint.com |
Zoner | false@zonerantivirus.com |
To decrease the chance of false positives you can consider submitting your program to a Antivirus companies whitelisting program, In the list below (just started 30th January contributions encouraged), Most programs require registration and a manual approval process.
ENGINE | Link To Whitelisting Program / Allowlist Program |
---|---|
Avast | https://support.avast.com/en-ww/article/229/ |
AVG | https://support.avg.com/SupportArticleView?l=en&urlname=AVG-Threat-Lab-file-whitelist |
eset | https://support.eset.com/en/kb3345-how-do-i-whitelist-my-software-with-eset |
Kaspersky | https://www.kaspersky.com/partners/allowlist-program |
McAfee | https://service.mcafee.com/?locale=en-US&articleId=TS102751&fromSearch=true&page=shell&shell=article-view |
Semantic (Norton) | Whitelisting Program Discontinued |
There could be a scenario where an antivirus/security company is not responsive, but to be sure that the issue is not on your end (especially if you're sending emails from your own domain). Check that your DNS records are set up correctly for good deliverability. Add an SPF, DKIM, and DMARC to your DNS records. Some AV companies may ignore emails that are not set up correctly, and some will send a response email with an error, depending on how the individual company is setup.
To check if your DNS is configured correctly, as well as SPF, DKIM, and DMARC, use the Google Check MX tool.
To do a final verification if the email was verified correctly in SPF, DKIM, and DMARC, send an email to a secondary email account and take a look at the full record to see if it passed. You're looking for this:
If you did find an error in your configuration, consider resending the emails you already sent before the fix.
TIP: while SPF, and DKIM are relatively simple to setup, you can speed up the DMARC setup by searching for DMARC generator with your favorite search engine, to use a wizard to generate it instead of doing it manually.
Ana Tinoco from VirusTotal support, and the VirusTotal support team for making the initial contact information list. The hope of creating better communication between software developers and security vendors.
While I tried to maintain the accuracy of the information here to the best of my ability, it may be that you encounter inaccuracies as things naturally change over time. If you do find any inaccuracies I encourage you to use a pull request, report an issue, or sending me a message.
Certification requirements for windows desktop apps - (article by Microsoft to make sure you're covering the basics) https://docs.microsoft.com/en-us/windows/win32/win_cert/certification-requirements-for-windows-desktop-apps