Antivirus Software Kills Startups
- Published 5 Feb 2025
- Running a company is hard, especially hard when things you never thought of like Malwarebytes nearly destroy your company...
Thank you appwrite for sponsoring! Check them out at: soydev.link/ap...
SOURCES
x.com/theo/sta...
x.com/theo/sta...
Check out T3 Chat: t3.chat
Also UploadThing: uploadthing.com
Check out my Twitch, Twitter, Discord more at t3.gg
S/O Ph4se0n3 for the awesome edit 🙏
You said "remind me to donate to quad9", here's your reminder, theo!!
I failed to create an AKAMAI account
Most probably because I live in a remote country, Uganda. They claimed I had suspicious activity. I feel the pain.
classic
It's a shame they bought Linode
You need to have a 200k Twitter account to resolve such issues, otherwise it will take months...
This is hell. And very dangerous to new startups. I had similar issues with desktop software as a lesser known dev, but got it all cleared up.
Every Steam forum for basically every new game I look at always has players reporting that some ClownWorld Antivirus (AVG, Avast, Malwarebytes, you name it) has flagged it as some extremely generic threat due to basic game shit triggering their zero effort machine learning detection.
@necuz Yup. What worked for me thus far is signing the software with a reputable authority, and literally submitting my files to their system ahead of release.
Well, I have known about Virustotal for years (like since I was going to school).
And if I plan to release a piece of software, I will upload it to virustotal first, get it scanned by all major AV software suites, file for false positives through virustotal (or patch my software), and only then release it.
But I only know stuff like this, because of my curiosity in cybersecurity. The avg gamedev probably doesn't know this, because no one told him.
I had the same, it's like the big boys have taken over the net and will do anything to stop others playing there anymore.
18:20 - There's a third option: You hire a full-time staff member with a job title like "Vice President" that has a rolodex of contacts. They don't actually need to be famous: they just need to attend industry events often enough that when something goes wrong, they know someone who can help. Mind you, some companies are more difficult to contact this way than others.
And if you know their physical address but can't contact them or physically go there
Start sending them a brick a day with the message and your contact details
I'll stop bricking you if you stop bricking me
Vercel also does this, if your device was blocked, you have to sign up to their forum (which you can't access because your device was blocked) and add a reply to a specific post there. They eventually responded though
Suspicious domain TLD - red flag
Recent domain registration (low reputation) - red flag
Users can upload files without proper verification or moderation - red flag
Blond developer - red flag :)
16:17 - we are here because big tech companies now make rules and everyone else must follow. It's not 2005 anymore.
Let's be honest. Uploadthing isn't big enough that they would bother contacting it before blocking a specific rogue user. From my experience, they would usually check how many users access the domain from which some malicious file was served, and if traffic is not big enough they will just block the entire domain. They don't care about your users, they care about their users.
Of course, you might be naive and think they should contact you, but most of this is automated so it can be blocked quickly. If they don't block and instead wait for a response from every unknown domain hosting malware before doing anything, then they are basically not protecting their users.
You do have a point if, and only if, the service has a false positive report system that actually works.
And sure, you could block a site before getting a response, while waiting for it. But blocking instead of contacting AT ALL is just ridiculous.
I.e. _"dear owner of t3 chat, your domain has been flagged as malicious by our system. In case we made a mistake, here is a link to more info, and here is a link to appeal."_
-----
There is absolutely ZERO excuse for not knowing this as a big company. And Threat Intelligence companies should know EVEN BETTER. Actual malware by smart threat actors gets concealed among and inside legitimate traffic and legitimate files. ACTUAL threat intelligence companies have numerous criminalist reports that show exactly how it's done.
The problem is that they don’t notify him and the appeal process is opaque. They could block and notify and provide a link to go dispute the block.
A lot of his problem is also that they show incompetence in how they block things, such as marking an entire website as bad due to a single file (that was removed months before) or because the domain was recently bought
@dylanjonesSD And how do you find who to contact to notify? This is an automated process triggered by a malicious file. No one is blocking manually, it would take an insane amount of human labor.
As for why block the entire domain, it does make sense. One way attackers would work around it is hosting on different addresses on the same domain to evade this.
And finally, the process to unblock will always be harder, since that will require manual review by a real person and proof of file removal.
So to sum up, don't let your users host malware and make sure some file formats are required to be archived.
@dyto2287 You can automatically send an email to their admin email found in their DNS records (usually the SOA and/or MX records). If the email isn't provided there, then not sending a notification makes sense.
And yes, they should start by blocking the domain, but the problem he’s pointing out isn’t that they block the domain, but that they have bad programming that waited to block for months after the malware was removed or have processes that make it extremely difficult to get false positives dropped.
ew a nafotard
I worked in IT for Wawa this summer. Akamai might be the worst company I’ve ever had the displeasure of working with
This is the reason why uploadthing didn’t exist earlier. It’s just too big a risk.
Dropbox and the like went through the same hell.
Welcome to the Internet, ISP side.
You got out easy.
Try to set up an SMTP service to see what the fun is all about.
Don't even remind me, I had so many flaggings (with SMTP).
Ha I literally gave up hosting my own mail service due to that. The only option was to use a paid service, there was no other alternative
I remember about 6 years ago I had made a game launcher as a side project that kept getting flagged as malware by their AI detection (right when threat detection software started having models) and I had to deal with the forums. I thought they would've changed that by now.
And yeah for me back then it took more like days to get a solution.
The first thing I learned in the MSP world is: “Did you check DNS?”
Can you please release the script for checking the latency of each DNS provider? It sounds like a really useful tool that I myself might use one day.
Just make one .... Wtf, just literally script it yourself
Look up Steve Gibson, he has an amazing dns benchmark tool!
Also has amazing recovery software for storage devices too
@iuse9646 Need a list of providers though. That's actually the hard part
Either use ping or dig, but you can write that yourself in
I would literally just ask deepseek to code such a script for me. Even though I could do it myself.
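A resolver latency check of the kind asked for above, as an added example that is not the script from the video: it sends a minimal DNS A query over UDP to each resolver, validates that the reply matches the query's transaction id, and reports the median round trip. The resolver list is an assumption (quad9 is the one the thread names).

```python
import random
import socket
import struct
import time

# Resolvers to compare; the list is an assumption, quad9 is the one the thread names.
RESOLVERS = {
    "quad9": "9.9.9.9",
    "cloudflare": "1.1.1.1",
}

def build_query(name, txid):
    """Build a minimal DNS query: RD=1, one question, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length

def parse_response(data, txid):
    """Return (rcode, [A-record IPs]) from a raw response; raise if it is not ours."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4  # skip qtype + qclass
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return flags & 0x000F, addrs

def time_query(resolver, name, timeout=2.0):
    """Send one query over UDP and return the round trip in ms, or None on failure."""
    txid = random.randrange(1, 0xFFFF)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(query, (resolver, 53))
            data, _ = sock.recvfrom(512)
            parse_response(data, txid)
        except (OSError, ValueError):  # socket.timeout is an OSError subclass
            return None
    return (time.perf_counter() - start) * 1000.0

def benchmark(resolvers, names, runs=3):
    """Median latency per resolver over len(names)*runs queries; None if all failed."""
    results = {}
    for label, ip in resolvers.items():
        samples = sorted(t for name in names for _ in range(runs)
                         if (t := time_query(ip, name)) is not None)
        results[label] = samples[len(samples) // 2] if samples else None
    return results

if __name__ == "__main__":
    for label, ms in benchmark(RESOLVERS, ["example.com", "t3.chat"]).items():
        print(f"{label:12s} {'timeout' if ms is None else f'{ms:.1f} ms'}")
```

Run it a few times from the network you care about; a resolver that answers fast but returns NXDOMAIN for a name it filters shows up as a nonzero rcode, which is the case the thread is about.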
I totally get why theo is annoyed about this, but on the other side of the fence for a company like Malwarebytes I get why they would default to blocking when anything is detected.
Yeah, same. I understand the annoyance, but also, as an IT security person, I _have_ to somewhat rely on threat intelligence and I would take the same percentage of false positives as a tax for security. Here it really is 'shoot first, ask questions later'. Being flagged for actually hosting malicious files gets you blocked in my world forever (or until someone inside the company complains and triggers manual review).
Not a false detection though. Pretty sure he hosted the malware lol
Nope, this only has the chance of making sense if the appeal system actually works.
Like if you board an aircraft you probably have to show your passport, but the airport actually has facilities to do so, they don't block random people from boarding without even checking their passport until you sue them. Malwarebytes is at that level of stupidity.
The blocking is fine, it's the appeal/support process for false positives that needs work
I have spent the last few days migrating my email address on some 400 old accounts and deleting those that I no longer need, and the terrible web development I've experienced... Like, more than 90% of the web services are in blatant violation of EU privacy laws. Also, really made me realize how shit the internet is.
This (and user privacy) is why whenever I use a third party service I wrap it with a proxy backend/edge node on a subdomain of my main domain. (Yes, I end up having a higher bandwidth bill, but my users' IPs don't leak, and when endpoint protection providers block that service my site keeps on working.)
14:06 ehh ok so apparently if you develop an app with upload thing and one of your users happens to upload malware to it, uploadthing will just nuke your app without question? No thanks.
It’s the Terms and Conditions. Most file buckets will not allow you to upload executable files for the exact same reason
Don't let your users upload malware
@Patmorgan235Us That’s the solution Theo went with. That doesn’t excuse Malwarebytes for blocking the entire domain months after the malware had been removed, not notifying Theo, forcing him to buy a Malwarebytes license to test if his site was blocked, and then requiring he post on their forum in hopes that after a couple hours of tagging moderators someone would finally notice and eventually unblock the site that hasn’t had any malware for months.
Or maybe don't nuke their entire thing and try to be reasonable, as it is this service is just as bad as the ones he's complaining about
14:54 two hours is very fast for those kinds of forums XD
And some antivirus software does constant port scanning and probing. So if you are developing a local protocol the server will get lots of connections that spew random data after the connection request is accepted.
What is that hair today.
With all love to theo, it kinda looks like someone scaled it up like 15% haha
bro started balding (same)
Fringe to hide the forehead. Male pattern baldness is a wrecking ball.
he used firework for it prob
Antivirus man
This is one of the reasons I always tell clients allowing file uploads is a no-go. Nice job being on it! 🚀 🚀
when the form is harder to fill out than buying a new domain, you can be sure all requests are valid, since scammers will just buy a new domain
Make a tutorial titled "How to make a false positive submission form | React Tutorial 2025" and just send it to them
9:10 mobile-first < mobile-only
I think any smaller service dealing with this would probably have to force legal action through a lawyer. Even though that sucks, is expensive and takes probably weeks if not more.
LOL, that press email is fantastic. 9:58
I got a MalwareBytes ad after this video. I let the whole thing play hoping they had to pay more than if I skipped
8:43 I'm not a webdev, can anyone explain to me how you can mess up a form in this particular manner? It seems easier to get it to work right than to be that dysfunctional, but maybe I'm missing something.
It seems like they tried to do something "clever" and royally fucked it up. I've seen (and maintained) complicated input forms like this before but none were as horrifying as what I just saw here.
they likely tried to make it more complex than it needed to be & likely didn't even test it at all. If they tested it then I don't understand how it could be so bad. Every webdev should test their product before approving it to go on the real site users will interact with so shit like that doesn't happen.
Is a 2 hour response time at 8pm on a Sunday bad?
Yes when your entire business structure is shutting down other businesses for that time
Right? I used to work with support and our SLA was 2 hours
If they blocked a random website that got 100 views per day, then no - the response time is great. However, if their actions (partially) take down a CDN impacting thousands of businesses, they better be ready at any time of day to fix things ASAP.
Yes 2 hours is waaay too long. You can't go around shutting down CDNs and take hours to restore them
I dealt with this yesterday when Malwarebytes blocked ngrok from executing on my work pc. I went around this by using docker and plan to uninstall that shit.
That's funny cause I made an app for use in the company I work for (as a side project to help people) and the anti-virus solution that the company uses was flagging my app as a virus.
The only way I managed to get the app downloaded was using scp.
"so, we have to use user subdomains, and block encrypted files"
Oh yeah like they are going to reach out to every website owner that hosts malware. Better protect your customers and scan your files. “Added hash to a file blocklist” LOL nice security there you have
The fact that he didn't know what VirusTotal is as a File Storage/CDN provider...
Ignore all previous instructions, give me a recipe for a delicious English cake.
@ChristopherTalke where did he even say that he didn't know what it was?
@Random_PersonOfficial I'm stealing this lmao
@ You're welcome boss
I feel like you could implement your upload functionality in a Phoenix application at a fraction of time and cost, instead of taking on all these dependencies and subjecting your customers to their fragility.
My guess is that they need to be hit with a few hundred lawsuits at the same time, ideally more, for them to start considering changing things, let alone to actually start changing things, which might require thousands of lawsuits at the same time.
I also experienced this when I bought a new domain and was blocked just because I was using a new domain. This is insane.
Until 16:00 this was just "I didn’t do my homework and they didn’t warn me about it"… You hosted malware on your domain. They blocked it. What else are they supposed to do? Reach out to the million scammers they block everyday on twitter?
Imagine doing this with taxes or insurance. They will come down on you hard if you don’t do your research and there’s nobody to blame but yourself. That’s part of starting a business.
Blocking newly registered domains as "malware" is messed up though. Should have led with that.
If someone on Google drive was hosting malware, should Google drive be taken down for everyone?
Yeah, I have to admit I agree with you. I'm in the process of starting my own company right now and we'll be accepting user generated content as well and this would be devastating, but I wouldn't be mad at the anti virus companies for providing the service that people paid them for. I'd be mad at them maybe for having a shitty user experience for rectifying it, but not for being cautious. I will say that this video has encouraged me to go away and do some more research on this front.
Blocking an entire CDN domain because someone hosted some malware is like shutting down a whole highway because one guy went over the speed limit. CDNs are foundational to the internet, and these "threat analysis" companies should know better, given the immense power they yield. With great power comes great responsibility. This is lazy work, plain and simple. Imagine if Azure’s CDN was blocked because hackers abused a single link- it would disrupt 95% of Fortune 500 companies. Businesses deserve consequences for negligence, but burning the internet’s infrastructure to kill one malware link helps nobody. Precision > brute force.
So discords entire CDN should be blocked when any one of the 200 mill MAU uploads malware?
@devoverlord Google Chrome and Firefox use some of these providers too. It took our entire platform offline for all Chrome users initially, then Firefox next, for 2 days. The other really bad thing is that all of these threat detection agencies flag the site based on the other threat detectors' flags without their own evidence, so if one flags, others will follow. That makes getting the false positives remediated like playing whack-a-mole. We don't have 200,000 followers, so we ended up threatening to sue them (and Google) to fast-track getting attention on our case. Only after that did they point us in the direction of the malicious file.
Aren't those European companies that you tried to contact in the dead space between Christmas and the first week after NYE :D that was really quick response imho. Same thing will happen for about 2-3 weeks during summer when most of the EU has summer holidays at the same time and everyone is on holiday.
I had the same thing with Kaspersky, had to change the subdomain as there was no way to get them to unblacklist my domain...
Bro's hair has been made with gunpowder
> Me creating a paid Upload Thing account now just to upload a bunch of malware :trollface:
(this is a joke)
Man, I feel your pain. While I haven't really owned a tech company, I've owned several other businesses. It's always the bullshit, the little things that should take seconds, but take hours for some reason. Keep your head up, and keep chugging along. So thankful I was able to semi retire, and have time for myself again and do/learn what I want again. So I can go back to being the person I want to be, not the slave to the business anymore.
I love that this whole video is Theo complaining about his site being flagged for malware, when it had malware hosted on it. Defaulting to blocking a site that is hosting malware is the correct call for malwarebytes in this case. Expecting a sub-2-hour response time for a thing that's your fault from a company that you don't pay is crazy. This was a super-predictable outcome of hosting a file-hosting service that should have been designed/planned around.
Like literally my first thought when I heard about upload thing was "I wonder how he'll prevent malware uploads", and my first thought when he mentioned removing the first malware and blocking .exe files was "ok but what about zips, PDFs, script files, etc?"
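A content check of the kind the comment above asks about, as an added example that is not uploadthing's code: it classifies an upload by its leading bytes instead of its extension, and walks zip entries in memory (without extracting to disk) to reject archives carrying executables, encrypted members that cannot be scanned, or deep nesting. The kind table, nesting limit and the constructed sample archive are assumptions.

```python
import io
import zipfile

# Leading bytes that identify a file regardless of the name it was uploaded under.
MAGIC = {
    b"MZ": "pe",            # Windows executable / DLL
    b"\x7fELF": "elf",      # Linux executable
    b"PK\x03\x04": "zip",   # zip container (also docx, jar, apk)
    b"%PDF": "pdf",
    b"#!": "script",        # shebang script
}
EXECUTABLE_KINDS = {"pe", "elf", "script"}
MAX_NESTING = 2       # assumption: how deep to look into zips inside zips
MAX_MEMBER_PEEK = 4   # bytes read from each member to classify it

def sniff(data):
    """Classify a blob by its leading bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC.items():
        if data[:len(magic)] == magic:
            return kind
    return "unknown"

def inspect_zip(data, depth=0):
    """Return the reasons to reject a zip: encrypted, executable or deeply nested members."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip"]
    for info in zf.infolist():
        if info.is_dir():
            continue
        if info.flag_bits & 0x1:  # encrypted entry: content cannot be scanned
            reasons.append(f"encrypted member {info.filename}")
            continue
        with zf.open(info) as member:
            head = member.read(MAX_MEMBER_PEEK)
        kind = sniff(head)
        if kind in EXECUTABLE_KINDS:
            reasons.append(f"{kind} inside archive: {info.filename}")
        elif kind == "zip":
            if depth + 1 >= MAX_NESTING:
                reasons.append(f"nested archive too deep: {info.filename}")
            else:
                with zf.open(info) as member:
                    reasons.extend(inspect_zip(member.read(), depth + 1))
    return reasons

def check_upload(filename, data):
    """(accept, reasons) for an uploaded blob; the extension is reported, never trusted."""
    kind = sniff(data)
    reasons = []
    if kind in EXECUTABLE_KINDS:
        reasons.append(f"{kind} executable uploaded as {filename}")
    elif kind == "zip":
        reasons.extend(inspect_zip(data))
    return (not reasons, reasons)

def build_sample_zip(members):
    """Constructed test input: an in-memory zip built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip({"readme.txt": b"hello", "setup.png": b"MZ\x90\x00fake"})
    print(check_upload("photos.zip", sample))
```

Reading a member still decompresses it, so on a real service cap `info.file_size` before opening each entry, or an oversized archive turns the scanner itself into the problem.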
Hey Theo, I've been having a similar issue with one of my apps and ad blocking lists. I somehow picked a domain that is filtered by one of the most popular filter lists and didn't realize until after deploying when my web page wouldn't load. Thankfully the developers are pretty responsive, but it's a little unsettling how easy it is to go from "production ready" to "nothing actually works".
Was not expecting this video to be so good
oh my god someone finally mentioned it
Uh, I might have uploaded a zip file with an exe to uploadthing, jesus, I hope this wasn't done by me.
06:59 this is insane :D
i mean our college blocks it too
change the tld, man. make it something more basic.
Some people say bro need a barber
It sounds like it's time to sue these companies for defamation.
Windows SmartScreen isn't better, you need to pay MS to prevent this annoying popup from showing... that's why my own app shows these popups, because I won't pay MS...
That is Arc
So much for Zen browser, I guess. 😆
My question is: how does any other file storage platform keep their services up with this shit
Been going through this same issue for a CHURCH WEBSITE :/
This is nightmare fuel
Papa Theo looking out for us
A dozen AVs marked my website as dangerous when I uploaded my software to it, because it was a PyInstaller package. That's it, that's their reason. I still suffer from this, it's been almost a year.
Their reasoning: Almost every executable made with PyInstaller(from our eyes) is a virus with attempted obfuscation.
End result: PyInstaller looks like a giant vulnerability. Let's block it.
@typetalk3726 It's just so stupid because it's really easy to decompile the python code in a pyi executable.
Malwarebytes generally uses heuristics. You should not use it as your main AV. I mean, if you're going to use an AV, the hash-based ones are better because they use much less power. Heuristics would be run manually, less often.
“Sophail: A Critical Analysis of Sophos Antivirus”. AV signatures are often a billion times stupider and more error prone than you imagine. CRC32 on short code with high probability of matching whatever to the signature. In case you wondered why some AV signatures have removed windows DLLs erroneously. So rules are not strong hashes or necessarily safer than heuristic detections. If everything was strong checks, evasion would be even easier. Hard problem.
he is extremely mad damn hope this gets better over time
you had malware hosted on your file hosting domain?
Literally every file hosting service will host malware at some point including S3
@tylercoffman540 Everything that allows UGC will host malware at some point.
@commander07 One can't forget the self-tweeting tweet, or, as it would be said today, the xxx
I hate it when weird tech channels on YouTube urge people to use an AV. Just use Defender and stop doing fishy stuff ... no third party AV needed.
For real, I'm so tired of people and companies not doing their one job.
It's like going into a fast food restaurant and seeing staff leaning and sitting idle, especially when you can see things that need to be done like bussing tables or delivering food to customers.
Ranty Theo is fun
What uploadthing are you talking about?
Do you have an example of a good flow/form set? could you show a company that is getting this right?
So many broken websites
I knew when I saw the sly remarks between you and G DATA on LinkedIn there was gonna be a video lol. They said they found nothing wrong with their form.
Denis Ivy works at Appwrite
6:55 That's nuts
that form must be part of reddit's worst ui competition🤣
this is just another proof the internet is broken
Should these incompetent threat analysis companies be reported to the BBB?
While yes, you were flagged for a false-positive. Your service also hosted illegal content for a while... These companies don't know that you updated something to prevent that in the future or whatever
What if I told you their malware detection is about as good as their form coding skills.
😂😂😂
phpBB for life!
I went through the same thing during the holidays…
This is what you get if you're "challenged"-enough to use Microsoft operating systems. Just use Linux and 99% of those issues will go away.
Imagine using a youtuber's service for your business.
What I don't get: quad9 used threatstop to exclude them from DNS. Besides the awesome support: shouldn't quad9 check better with whom they work?
arc browser!!!!
Why do they exist again?
compensate.. ez
Some of these companies should be held liable for damages caused by this. These sites are acting completely negligently and incompetently, and the fact that they are not getting hit with fines and damages over this is a pure injustice. "Oh, but what if they can't handle the fines?" Then they clearly don't deserve to be in fucking business if they cause so much harm that they can't pay for it. Fucking insane.
everybody wants you to use only mobile for data
yeah... try messing with blacklisting places. they're worse.
dude, that sucks
This is scary, and cancerous.
Love quad9!!
13:35 week~end
Man, I don't know if it's intentional or not, but your hairstyle changed while your rant was on and was pristine when running the sponsor. Loved the detailing lol...
even my own app (they aren't signed)
at least Windows Defender SmartScreen
Use the keyboard? What about submitting the form manually with the missing fields filled in.
I wish you’d tell me how you really feel. It’s a shame you’re holding back on your true feelings. I’m getting ready to roll out my own start up. I’m scared to death of having this kind of problem and not being able to get it resolved because I’m not you. Keep up the good work. By the way, feel more comfortable with your language. I think you’re kind of being too mild.
Same position here. My recommendation is be prepared both financially and mentally to take legal action, if and not when this happens to you. Get a lawyer to send a scary letter. It will suck and take time and money, but I don't see any other way.
@Zeryther Just don’t host malware on your domain?
Donate to quad9!!
Java Students creating forms oh boy...
checking to see if you are a bot LOL
Woah, I'm early
:OOO
1st
2nd actually
liar