VirusTotal & Jotti's, when is enough...enough?

If I scan a file using VirusTotal and Jotti's and Jotti's finds nothing but ViustTotal only has one program that detects a possible threat, is the file most likly a false alarm?


Can anyone recommend other online scanner similar to VT and Jotti's?


Thank you

 

Thanks JR, but most of those are already used by VT or Jotti, I was hopping for websites similar to those websites. But thanks none the less

 

Mr Gump, getting back to your first question ... most of us would agree that if there are few if any "hits" when you submit a file to Jotti and/or VT, the odds are pretty good that yes, it's a false positive if one of your own apps identified it as a threat.

Even a "unanimous opinion" (that the file's clean, that is) from the online scans is no guarantee, of course, but it's a pretty safe bet. A copy should be submitted to the developers of whatever flagged it as bad in the first place so they can evaluate it further and (hopefully) revise their defs appropriately.

 

thanks everyone

 

That is not a wise assumption to make.

1) It's well known that the on-board scanner is more often to be better uptodate than the online scanner. One developer remarked that the online scanner was not as thorough as its home product.

2) Today's polymorphic malware is very capable of fooling scanners. An early example was the Storm malware which updated every few hours. A recent blog on TDSS/TDL3 malware indicated repacking every few minutes, in some cases.

3) Javascript obfuscation (disguising) where the code is so heavily disguised that scanners fail to create a signature. Another type of obfuscation is "clutter." A good example was the Conficker autorun.inf file which many vendors failed to flag at first because the inclusion of 50+ KB of nonsense ASCII characters.

4) Modularization is a recent phenomenon. See Bojan Zdrnja's excellent analysis here:

Malware modularization and AV detection evasion
http://isc.sans.edu/diary.html?storyid=8857

Read how he discovered that a file marked clean by all products turned out to be malicious.

---------
rich

 

What about online sandbox analyzers like Anubis and ThreatExpert?

 

AFAIK it is possible to write code that checks whether the code is run inside VM/sandbox. This is to thwart analysis, file simply won't execute.

 

In the Diary I cited,the author mentioned that Anubis was fooled by the file:

Another analysis tool is Wepawet, for javascript/flash/pdf. It also has been fooled:

Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
http://isc.sans.edu/diary.html?storyid=7867

Static analysis of malicous PDFs (Part #2)
http://isc.sans.edu/diary.html?storyid=7906

----
rich

 

Hello All!

Here is my own two cents on this issue...

First malware is complex, varied and ever changing as in a true polymorphic sense...

The second variable is that even Virustotal and Jotti scans are based on known variants already included in some database part of the scan member group. This in turns means that if none of them know of the malware it will more than likely be very successful, many will be infected and no one will be the wiser...

If you have reasons to believe that you have new unknown malware. You can try and use a sandbox analysis project such as JoeBox.org or Anubis and even wepawet. They will even process potentially hostile .pdf or even flash...

I have written an article The Best Defense is a Powerful Offense! if you read up on SandBox Malware Analyzers (near middle of article) you will find more information and resources listed.

 

Here you go: List of Online Anti-Malware (File) Scanners

 

VirusTotal and Jotti are looking for known threats. One a few occasions I've had malicious files that weren't recognized my most of the scanners. Those that did alert warned on the packing more than the file itself. One additional thing you can do when you're not sure of the results is to wait a couple of days, then check the file again. The files I tested that only a couple flagged the first time were flagged by about 3/4 of them a few days later.

If you can't wait for some reason, launch them on a virtual environment, or better yet, a well equipped test PC that monitors the entire install/launch process.

 

File 31553543.exe received on 2010.08.03 - Result: 0/42 (0.00%)

Uploaded for another scan just now:
31553543.exe received on 2010.08.09 - Result: 22/42 (52.39%)