Team OS : Your Only Destination To Custom OS !!

Welcome to TeamOS Community, Register or Login to the Community to Download Torrents, Get Access to Shoutbox, Post Replies, Use Search Engine and many more features. Register Today!

Tips & Tricks VirusTotal false positive - How to know?

juanamm

Respect to be respected
Verified Member
Member
Downloaded
1.3 GB
Uploaded
148 GB
Ratio
110.61
Seedbonus
78,421
Upload Count
154 (154)
VirusTotal false positive - How to know?



I am going to share some tips to help you know if a VirusTotal detection may or may not be a false positive.

Obviously this is not 100% certain as there are many virus writers who leave their Trojans or other malware undetectable, but it can be a good start when in doubt.

Always before the slightest doubt, install the program detected as malware in a VM or Windows Sandbox and monitor its behavior.

Here are the tips:
1)
You got it from the offical site, it's not impossible but unlikely to be bad

2) The antivirus that detects it is not one of the well-known ones, and it's the only one

3) Combine low detection rate with the age of the file (First Submission Time in the Details tab in VirusTotal): If it's a few months old, it's most likely clean. Old malware doesn't stay on low detection rates for that long.

4) Check the hash values of our download, we can go to the website of the developer of the program for which we have the installer and look for the MD5, SHA-1, SHA-256 code, etc. of its original installer. Once we have the two codes available, that of our downloaded file and that of the installer or software from the developer's official website, we can compare both and see if they match and our file is reliable or not.

5) Check if the file is signed and if that sign is valid. You also see that in the VirusTotal Details tab. Things like adware and unwanted programs can also be signed. But if you trust the company or organization that signed it, the file is most likely clean.


Example of a false positive:
vt_false_positive.png


vt_false_positive1.png


vt_false_positive2.png



How do I know that this detection is a false positive?


I have followed the advice shared above and I can assure you with high probability of certainty that it is a false positive because:

1) I am a beta tester for this company and have downloaded the file from a secure developer site.

2) AV that detects an adware is an unknown antivirus and it's the only one, does anyone know Jiangmin? The truth is the first time I see that AV.

3) The detection date and the file is new because it is a file that is in development, in this case the date is not useful.

4) I have compared the hashing algorithms of the downloaded file and they match those published by the developer on their website.

5) The file is signed, the signatures are valid and one of the signatures corresponds to that of the developer for which I am sure it is a legitimate file.



— Ok, this works when I download something from the official website of the author / developer / company, but what happens with the false positives of downloads from this forum?

— To know that, look at @Cyler's contribution below, it will be very helpful.
 
Last edited:

Cyler

Administrator
Downloaded
384.3 GB
Uploaded
21 TB
Ratio
56.04
Seedbonus
121,115
Upload Count
0 (0)
Very good info Juanamm, Just want to add that 2 more signs that a shown detection is a false positive which may apply more to our kind of software that we download from here.

1. The name itself. Often we will see a mix of the words, Something-Generic-something, Gen-something, PUA (Possible Unwanted, Application), Hacktool-xxx, Malicious-xxxx, Gen_Trojan, RiskTool, and in general not a specific virus name. The above can also be seen in variations like PUS (software) or PUF (file). The reason those names often pop is because of either the heuristic function, which essentially tries to guess if a part of code inside a program is a virus, based on some known code patterns or because after some time the medicine that is included along with programs get detected as a virus by the AV to scare/warn people.

2. We won't see the same virus name repeat on several antivirus engines concurrently and consistently. Some a/v will show one name, and, some others will show a different. If it was indeed a known virus, most AV will show the same name or the same sub variation.

As an example, look at the screen below and you will see exactly what I described above. Generic names (hacktool, Generic, malicious, etc) and each engine give its own name. You can understand how fake some programs and results are just by looking at the name. W32.AIDetectVM... AI as in Artificial Intelligence which is simply a catchphrase used from marketing to impress.

chrome_2020-11-24_14-49-36.jpg


Needless to say, no matter what, attention to detail and caution must be exercised always. Remember to scan the "medicine" as well as the main app. Dont be afraid to ask if you are not sure but don't wear the tinfoil hats either.
 
Last edited:

brugo

Member
Downloaded
22 GB
Uploaded
27.1 GB
Ratio
1.23
Seedbonus
5,169
Upload Count
0 (0)
Thank You for the post & Heads up Juanamm. I'd need to try a little harder when detecting Viruses, it ain't what i don't know that causes a fuss, it is the things i think i know for sure that causes the bother in the fist place.
 
Loading...
Top