Nirsoft publishes antivirus list of shame

Status
Not open for further replies.

Petrovic

Level 64
Thread author
Verified
Honorary Member
Top Poster
Well-known
Apr 25, 2013
5,355
If you are using tools from Nirsoft, and you should if you are running a flavor of Windows on a machine, then you may have run into issues before when an antivirus solution notified you that the program you were about to run was malicious in nature.

Nirsoft has been fighting with false positives for a long time, and I can only imagine how many support requests Nir Sofer gets about that.

What makes this even worse for him is that companies may blacklist his website or pages on it because of these false positives.

Google's SafeBrowsing service for instance blocked Nirsoft tools from being downloaded in 2014, and since it is being used by Chrome, Firefox and other browsers, it was certainly devastating at that time for Nirsoft.

Nir Sofer tried to make changes to some of the programs but the result, as of today, is still the same. He then decided to create a report about the issue by scanning all of his programs on Virustotal and ranking antivirus engines based on false positives.

Virustotal scans files that you upload to the service against 56 different antivirus engines. The ranking calculation is simple: each antivirus engine starts with a score of 100 points. Negative points are awarded for alerts which vary depending on whether it is a generic alert or one that points to malicious code in particular.

The results



Only 12 of the 56 antivirus solutions did not report a single false positive while the remaining 44 antivirus engines did report at least one.

The engines with a perfect score are: AegisLab, Alibaba, ALYac, ByteHero, ClamAV, Emsisoft, Panda, Qihoo-360, Tencent, Total Defense, VBA32, Zoner.

Many popular antivirus solutions did not rank well. TrendMicro got a score of 67 and 24 alerts, Nod32 a score of 57 and 26 alerts, Symantec a score of 71 and 20 alerts, and Malwarebytes a score of 83 and 11 alerts.

Three antivirus engines ended the test with negative scores: Antiy-AVL with -6.5 points, TheHacker with -230.5 points and Bkav with -1280.5 points.

You can check the full listing over on the Nirsoft blog for additional details.

Conclusion

False positives are a big issue for Nirsoft and, likely, other software developers and users on the Internet.

The ranking does not reflect how effective an antivirus engine is as a whole and one at least has to wonder whether the good placement of certain antivirus engines is due to them being really good at avoiding false positives or other factors.

Nirsoft could use the findings in several ways. First, it is shaming companies who report false positives even though it is clear that Nirsoft programs are not malicious in nature. Second, by informing security companies about the results and hoping that they will do something about it.

Considering that these companies had years to fine-tune their engines, it seems unlikely that this is going to happen though.
 

LabZero

One of the problems is that if an average user receives an antivirus notification that detects a Nirsoft product as malicious, they probably won't use it, giving up the great usefulness of these tools.
Many Nirsoft tools work in depth and have access to system areas that are usually also attacked by malware, and this can cause false positives, but that's no excuse for the behavior of some scan engines.
 

frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
I agree with you @Klipsh. As a long-term Norton user I know only too well how Norton hates Nirsoft, and I always have to restore or add an exemption for Nirsoft files.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Nirsoft should communicate efficiently with the antivirus since if the products meet to deeply analyze those critical systems then any components may be flagged incorrectly.

HIPS and BB are uncontrollable based on the nature of tweaks, so it is a matter of detection and whitelisting to reduce/prevent alerts.
 

Deleted member 178

Nirsoft aren't responsible, their tools are necessary for any serious ITs. If skiddies use them, the AV algorithm should make the difference, but it doesn't.

The shame is on AV vendors who show the lack of reliability of their products. How many systems were crippled by FPs... (Webroot case, etc...), how many corporate homebuild softs blocked...?

AV vendors sacrifice small developers for their own profits and good scores on AV tests...

So yes shame on them.
 

LabZero

Have to agree with you!
 