Kaspersky: A false positive story

As you may know, I’m developing SoundSwitch in my free time. Lately, it’s been flagged as a Trojan by Kaspersky. This happened just a couple of months after Symantec did the same with Norton. Moreover, it was at the same time that it was featured on How-To Geek.

This detection coincides with the update of my IDE from VS 2015 to VS 2017 and the usage of the new compiler. It seems the new compiler generated the signature of a Trojan for Kaspersky.

SoundSwitch has two important parts. The first one is the AudioEndPoint library that I created in C++ to use the WinAPI, with a CLR wrapper on top to interface with C#.

The second part is SoundSwitch itself, which is the interface and the configuration tool in C# for the library.

I’m guessing the C++ lib triggered the false positive.

How to report a false positive

Kaspersky provides an online antivirus to check files; the problem with it is the lack of feedback when reporting a false positive: https://virusdesk.kaspersky.com/

You get an automated email telling you they’ll look into it. But after multiple days, I never received any other email. This is the opposite of my experience with Symantec, where a couple of hours after reporting the false positive, I had a human asking for more details and information about my report. The issue then got resolved rapidly.

The better way

In the end, I decided to create an account on the Kaspersky portal to report my false positive: https://my.kaspersky.com/en

There I was able to submit my false positive, get a direct answer from support, and get confirmation that the false positive was confirmed and that their database would be updated in the following days.

Two days later, Kaspersky stopped telling its users that SoundSwitch is a Trojan.

For the future

From now on, I’ll delay the release of SoundSwitch: I’ll use VirusTotal to check for any possible false positives and then, when clean, I’ll release the program.
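
The pre-release check described above can be automated as a gate in the build script. This added example is not part of the original post or of SoundSwitch; it assumes the file report format of the VirusTotal API v3, and the sample report, the `evaluate` helper and the required vendor list are constructed for illustration.

```python
import hashlib
import json

# Constructed sample shaped like a VirusTotal API v3 file report
# (GET /api/v3/files/{sha256}); engines and verdicts are invented for the demo.
SAMPLE_REPORT = json.dumps({"data": {"attributes": {"last_analysis_results": {
    "Kaspersky": {"category": "malicious", "result": "Trojan.Example"},
    "Symantec": {"category": "undetected", "result": None},
    "Microsoft": {"category": "harmless", "result": None},
    "SlowEngine": {"category": "timeout", "result": None},
}}}})

FLAGGED = {"malicious", "suspicious"}
NO_VERDICT = {"timeout", "confirmed-timeout", "failure", "type-unsupported"}


def sha256_of(path):
    """Hash the exact artifact that will be published; reports are keyed by it."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def evaluate(report_json, required=("Kaspersky", "Symantec")):
    """Return (ok, detections, missing) for one file report.

    detections: engine -> detection name for every engine that flagged the file.
    missing: required vendors with no usable verdict (absent, timed out, failed).
    """
    doc = json.loads(report_json)
    if "error" in doc:  # e.g. the hash has never been uploaded and scanned
        return False, {}, list(required)
    results = doc["data"]["attributes"]["last_analysis_results"]
    detections = {name: r.get("result") for name, r in results.items()
                  if r.get("category") in FLAGGED}
    # No verdict is not a clean verdict: hold the release until the vendor answers.
    missing = [v for v in required
               if v not in results or results[v].get("category") in NO_VERDICT]
    return (not detections and not missing), detections, missing


if __name__ == "__main__":
    ok, detections, missing = evaluate(SAMPLE_REPORT)
    print("release allowed:", ok)
    for engine, name in sorted(detections.items()):
        print(f"  flagged by {engine}: {name}")
    for vendor in missing:
        print(f"  no verdict from {vendor}")
```

The gate treats a timed-out or absent vendor as a reason to hold the release, since a report with fewer engines can look clean without being so.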

Written by: Antoine Aflalo
