How far do you trust Virustotal results?

Here's a rather stupid question for you all: Notwithstanding the obvious disclaimer they put on their site, how far to do typically feel safe interpreting the results from Virustotal?

I only ask because lately I've seen two different viewpoints regarding files which give a low number of detections. Obviously if everything lights up across the board, it's an unsafe file. But in recent days I've seen these two opinions crop up on different locations across the web:

"Oh, it was only 1/41 that said it was infected. It must be a false positive!"

"Wow, only 1/41 detect this. It's a really nasty virus. Why are the AV companies slacking off?"

Usually I'll never let a file touch my system if Virustotal comes back with any positive responses. But lately I'm beginning to wonder if that's too paranoid an option.

 

There is no such thing as a stupid question. It's a matter of perception.

I always trust Virustotal. I upload all my suspicios files to Virustotal .If any AV detects , then i'll not use that software.

Thats good eventhough that file is a FP.

 

Excellent question. And one that it hard to answer. I suppose I incorporate the Virustotal results into a mix of inquiries and comparisons and search results. I do tend to place weight on the preponderance aspect. I do not rely upon their results to the point that I will not allow a file on my system if one or two positives come back. I may have been very lucky all these years, or maybe my methodology works. Probably both.

 

If only 1/41 detect it I check what vendor detected it. If it's a vendor known for FP's I think its most likely an FP.

 

VirusTotal and Jotti have often given a wrong impression because a particular scanner hasn't reported a file to be malware. Various vendors have noted that the online scanner is different than the one installed on a user's system, and the online version may not be exactly up to date with its signatures.

Some years ago a particular zero-day file that returned 0 results on line the first day had in fact been flagged by two products, as reported by users at DSLR.

This is not to say that the online scanners are not useful, but that the results should not be taken as the definitive statement.

regards,

-rich

 

I don't trust it at all.

 

Very interesting replies from everyone! It seems we all have varying levels of acceptance for this online tool.

I'll note that I agree with you completely, Rmus, when you speak of the differences in detection between realtime running A/V and the command line version used by VirusTotal. Some places, like Internet Storm, seem to think that VirusTotal is a definitive measure of how vendors detect threats - Case in point, check out the latest rundown of Malicious PDF threats, wherein 8/41 AV suites detect the threat on VirusTotal. Of course, this discounts heuristics in many cases.

On the flip side of the coin, this morning I took some time to analyze a fairly popular, free piece of software that many of my friends play regularly: Dwarf Fortress. It seems to give some hits on VirusTotal for some of the exe and dll files packed in with the game - But given it's prevalence and popularity, I'd guess those are false positives.

It's becoming a bit difficult to disambiguate the results! Seems that positive hits across the board are really the only 'solid' indication of anything, with negative results not necessarily correlating to actual 'missed' threats by AV.

Good point! In this day and age where more and more rapidly changing threats are slipping past even respected AV solutions, that's becoming harder and harder to do. At least in my opinion.

 

there's a serious disconnect from reality here. anti-malware tools can tell you that something malicious is present, but they cannot tell you something malicious is not present - like proving a negative, it's simply not possible. if you only get one hit at virustotal, or even if you get zero hits, that doesn't mean the file is safe, it doesn't mean there's nothing malicious in there only that the anti-malware tool couldn't find anything malicious.

 

I'd have to say that you've just called attention to the obvious.

 

i should like to think so, but the question posed seemed to indicate otherwise. virustotal and it's ilk does not and cannot say something is safe, ergo there is no 'this is safe' result from it to trust or not trust.

people naturally infer from the absence of a 'this is malicious' result that something is safe, because they assume there are only 2 answers ('safe' or 'malicious'). but it's a false inference because there are 3 answers - the 3rd answer is 'unknown'. the only 2 results virustotal can give are 'malicious' or 'unknown'. with that understanding the question of whether to trust virustotal's results changes drastically.

 

I, on the other hand, almost always expect certain vendors to flag files I submit there.

There are vendors who seem to flag files simply because they are packed in a funny way

I have a healthy distrust for virustotal, especially towards certain vendors which seem almost too happy too use generic or heuristic detections.


If there is no specific named detection I tend to discard that vendor's result in my mind. I give more credit to sandboxed analysers, such as ThreatExpert, than I give to virustotal these days.

 

Yes, indeed. For example, Norton File Insight (a component of Norton Internet Security 2010) will sometimes return that “3rd answer,” namely: “Unproven -- there is not enough information about this file to recommend it.”

 

Trust VirusTotal?

Hell no!

VT is quite pointless, as lets face it - people have an anti-virus/anti-malware product installed and only that will tell them if something is malicious, how would one know without such detections?

also, even in the event of infection or something misteriously happening with the normal usage of your machine that would lead you to believe to such, thats what support is for for the product your using, & they will help you fix it or pinpoint it.

i never use VT, nor will i ever to check any file or 'what if' on my machine.

it doesnt hurt to have a secondary backup scanner, but VT is not this.

 

There's several variables involved in interpreting VT results. When only 1 or 2 detect a problem, there's 2 possibilities:
1, False positive.
2, Brand new malware.
I've had both results happen. When I get that type of scan results, I'll usually wait a day or 2, then scan the file again. If it's still just 1, it's probably a FP. If there's more detections, it was new malware.

Where you got the questionable file will have a lot to do with the conclusion you come to with those types of scan results.

 

When that happens you can fill in the blanks with a little more research . Google for both the MD5 and file path . Google the version into . Was the file loading from a powerful point (notify , service .....) but has completely blank version info , this is usually a dead giveaway . Does it load from an obscure load point like explorer run or appcert dll , almost none of those are legit .

If you want to go a little further look for things that just don't seem right like MS version info and UPX packing or super odd looking PE sections (1 char or 8 chars) . Look for version info that is impossible like a file that says it is svchost or mismatched vendors or impossible version info like company name sdiufgasdgfskdhfahsdhfhasdhfasdgh .

In short unless VT is over 50% and more or less matching detections you cant be sure without some digging .

 

In my opinion, if you have to send something you have downloaded to VirusTotal, you already do not trust the download. Therefore it is only wise not to execute it

 

That's a bit like saying, if you have to wear a seatbelt, then you don't trust your car, so you'd better not drive.

I understand what you mean. But people are just trying to be as thorough as they can be. It's smart to examine the file from several different angles, of which Virustotal is one.

 

Of course. However, even after much analysis, things do slip through the cracks. Therefore it is only safe to assume when you download something from a reputable source it has a lesser risk factor then downloading and executing an executable from an untrusted source.

But again, nothing is safe. I installed a motherboard from a trusted distributor onto a friends computer, to which the drivers had a backdoor patched into them Security is all about minimizing the risks, as you can't eliminate all of them, therefore one has to help their own security by minimizing their potential exposure to the risks.

 

I agree with you completely. I admit that I like to game in my limited spare time. Usually I get most of my downloads for this through Steam, but lately friends have been pointing me toward some other freeware options (Spelunky, aforementioned Dwarf Fortress). 'Freeware' makes me nervous enough, but I don't trust anyone's website these days. It's just way too easy for unscrupulous individuals to hijack, redirect, and replace files.

I run NOD32, but part of the reason I asked the question is that NOD often comes up as one of the AV solutions that 'misses' current threats on VT scans, and that made me slightly concerned. I think enough info was presented above, though, for me to dismiss those concerns!

 

I always scan all the files that i can upload (not too big) through virustotal.
Most of the time if it's clean, then i take it as clean

If it gets flagged, i usually take the decision by lots of factors, such as: Place downloaded, software origin and more.

Then if i still find it dangerous, i just hook up Returnil/VM and test it

 

It depends on who flags the file as malware. Microsoft is known for their extensive QA testing, so if Security Essentials flags it, I'm more likely to think it's malware. If only 1 or 2 vendors (not Microsoft) flag a file and it's a packer, then I'm more likely to think that they're FPs.

 

I think it's a valid tool.

It does not 'prove' that something is clean, but I find it a useful tool for figuring out what is safe. Of course, it's only one of the steps I take before downloading (and executing) software.

 

It's not just a question of trusting the download or the company. Servers get hacked. A file that was clean yesterday could have been replaced with an infected one. Scanning what should be safe downloads is recognizing the fact that nothing on the internet is truly secure.