VirusTotal is a False Positive Factory

You should not take VirusTotal results seriously. The platform lacks any basic quality control.

My Precious Software

I have spent over a thousand hours developing XL Converter.

It allows people to use the latest image technology like JPG reconstruction. It manages binaries, converts, scales, proxies, applies metadata, compares, and reconstructs. Completely free and open-source.

It came as a shock to me that VirusTotal marks it as a “trojan” with 7 detections!

link The 7th one disappeared as I was writing this article (screenshot)

I know they are false positives, because I wrote this program. Since the code is public, you can both verify its safety and reproduce false positives.

VirusTotal is full of no-name solutions with no credibility and high false positive rates.

VirusTotal also scans for network traffic and lists infected IPs. The problem is it detects malware in IPs used by Microsoft. Microsoft dependencies come bundled with those IPs and that’s how they end up in EXEs. This includes most (If not all) software on Windows.

Under these IPs, thousands of incompetent “security researchers” appear to make false judgments with one sane individual writing.

This IP is used by Microsoft, or Microsoft application tracking. Because if you build a clean EXE in Visual Studio 2022 […] you’ll end up with a main application binary that contacts this IP address […]


It’s like trying to ban water because criminals drink water.

Further down the line, I spotted this.

Defense Evasion – Reference anti-VM strings targeting Qemu

What? By this point, VirusTotal exists purely to feed into people’s confirmation bias. Also, their URL scanner detects Cloudflare as a phishing site.

How did nobody notice how bad VirusTotal is with false positives? Why is nobody talking about it?

All screenshots will differ from the VirusTotal URLs, because they constantly rescan files.

False Positive Factory

They track false positives, but they don’t do anything about them.

Below are the ones I personally verified have high false positive rates.

  • Antiy-AVL
  • MaxSecure
  • Jiangmin
  • Qihoo 360
  • Google
  • Bkav Pro
  • SecureAge
  • SecureAge APEX
  • Cynet
  • Sangfor Engine Zero
  • Zillya
  • Varist
  • Ikarus
  • Webroot
  • Trapmine
  • Gridinsoft (no cloud)
  • Microsoft
  • Elastic
  • ArcSight Threat Intelligence
  • MalwareURL
  • CyRadar

Every time I scan legitimate software, new solutions pop up as If VirusTotal had an unlimited supply of shovelware. Have a look through all the solutions they use, most look like a scam.

Chocolatey considers up to 5 positives on VirusTotal, not malware for a reason.

Because some scanners can be quite aggressive and may falsely identify a binary as a false positive for malware. […] This means 5 anti-virus scanners need to flag the binary for Chocolatey CLI to stop and fail the install or upgrade


My software got flagged by 7…


Their solution to this was to establish a whitelist. However, it’s a rich people-only club. They told regular developers to go and eat dirt.

VirusTotal is not responsible for false positives generated by any of the resources it uses


VirusTotal became a standard for millions of people. Its huge problem with false positives affects the developers. I still remember my files getting booted off of, because VirusTotal detected a virus.

The developers are made to explain themselves, which is humiliating, to say the least.

The quality of this service is abhorrent.

Societal Impact

People take VirusTotal’s judgment as an indisputable fact. The society has not widely accepted the existence of false positives. Most people only seem to acknowledge them when they’re affected personally. src1 src2 src3 src4

VirusTotal needs quality control. If you offer solutions with high false positive rates, make them optional and inform users what they are.

Leave a Reply

Your email address will not be published. Required fields are marked *