VirusTotal false positive

asked 2021-05-11 18:44:00 +0000

jonathandl2 gravatar image

I just downloaded the "portable" version of Wireshark, but two (not just 1) VirusTotal antivirus engines identify the .exe file as malicious. (The number increased from 1 to 2 today.)

Can one of the developers or QA people please contact Antiy-AVL and Jiangmin and ask them why they are detecting your software? I'm not a customer of either antivirus vendor that flags it as malicious, otherwise I'd contact them myself.

Note: the hash file of the .exe is 210c688bf7f4efb0995e25939de64d611faf6400798f6eb4b3c9c1f168f522c5; if this is incorrect then I'll redownload.

edit retag flag offensive close merge delete


If all the other engines are OK, then as you say it's likely a false positive with those vendors and nothing to worry about, same as happens with many other programs when submitted to VirusTotal.

As to "fixing" this, it's unlikely to happen unless a paying customer complains, actually getting a response from any top tier AV vendor is very difficult and frustrating, so doing the same with little known vendors is even more difficult. Left as an exercise for the interested.

grahamb gravatar imagegrahamb ( 2021-05-11 19:45:40 +0000 )edit

If international antivirus vendors are anything like antivirus vendors here, the developers of a program get a higher priority than random third parties. For example, they might tell the developer what actually triggered the detection, whereas they might not even acknowledge a public contact. Therefore I think the developer is in a better position to deal with this than an end user. Also, does Wireshark use mirrors or do you own the download servers?

Thanks, Jonathan

jonathandl2 gravatar imagejonathandl2 ( 2021-05-12 23:38:11 +0000 )edit

I have personally dealt with top-tier AV vendors about false positives in their engines with the products in my day job. I'd rather chop my fingers off and gouge my eyes out with the stumps than do that again. They "fix" whatever it was after multiple weeks of badgering, we make a slight code change and the whole cycle starts again.

There are mirrors of the Wireshark download servers, some of which are controlled by third parties. The hashes of releases are listed in the signature file for each release, e.g. and are also sent out in the release announcement.

As ever, use VirusTotal as a guide. If only a few (a few is whatever number you're comfortable with) show positives, they're likely to be false positives. If the positives make you uncomfortable, then don't install the application.

grahamb gravatar imagegrahamb ( 2021-05-13 09:36:31 +0000 )edit