Do you trust VirusTotal scan results?

Discussion in 'polls' started by Tyrizian, Jul 20, 2014.

Do you trust VirusTotal scan results?

  1. Yes

    80.0%
  2. No

    13.3%
  3. Not too sure

    6.7%
  1. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    I am not asking if VirusTotal is trusted as a service or who it is controlled by.

    Simply put

    Do you trust VirusTotal scan results?

    Do you think it is a reliable source, when scanning malicious files?
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Against false negatives, it has 99.9% of my trust. False positives are another story.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    Yes, I do. When I'm in doubt (different results, possibility of FPs) I check results only from AVs that, in my experience, have very few FPs. I also check when the file was last scanned, and if it was a long time ago I upload it to be scanned again.
     
  4. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,018
    Yes, I do trust VT. :thumb:
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    At the moment it's the only scanning service that I'm using. I would rather trust VT than a standalone scanner. :)
     
  6. guest

    guest Guest

    Unless it's the result from ClamAV or AVG, if I was using VT I would accept the flagged/detected results. As for determining if a file is presumably safe, I have other countermeasures.
     
  7. wallpapers

    wallpapers Registered Member

    Joined:
    Jun 15, 2012
    Posts:
    42
    VirusTotal does not provide absolute protection but increases your chances of detecting malware. Download some fresh malware and see for yourself. The "Orbit Downloader" event is a good reason why you cannot rely only on blacklist solutions like antivirus/VirusTotal to determine whether a file is malicious or not.
     
  8. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    I use VirusTotal and Jotti for submitting new samples, because they both supposedly share the samples with all the partnered AVs. Or if I'm just curious to get a gist of what picks up what (yes, knowing that the results aren't meant to be 100% representative of real-world results of various AVs). When the submitted file is all clear, 0/57 or whatever, then you're just stuck with looking at the other information like comments, votes or behavioral information. It's an easy way to check file hashes too.

    But
    https://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
    Always remember that just because nothing picks anything up doesn't mean the file is clean; it could just mean you have a fresh wild sample (which I've witnessed first hand). The people pumping out the malicious stuff also use their own versions of VirusTotal-like scanning sites (which do not share the files with AVs) to make sure nothing picks them up before putting them out in the wild. Then once their stuff starts getting picked up, they just re-crypt it.

    So no, I don't trust the scan results, but it's useful to upload things to start getting a gist of what you have. When in doubt, find an AV which allows people to send in files and hope they'll at least listen to your concerns. I've found some to actually be kind of snotty and treat you like you're submitting them an obviously safe install_flashplayer.exe or something.
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Yeah, I trust it (I use VT Hash Check specifically). I don't so much trust the results of a few of the scanners. They have a ton of FPs. If something is detected only by those 2-3 usual suspects (they're very obscure AVs), and not by any of the well known & reputable vendors, then I know I can just write it off as an FP.
     
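    The triage several posters describe (check the file by hash, treat a result as stale if the last scan was long ago and re-submit, and weigh hits from well-known vendors differently from hits by the "usual suspects" that throw false positives) can be written down as a small script. The block below is an added example and is not code from this thread or from VirusTotal. It assumes the VirusTotal API v3 response shape for `GET /files/{sha256}` (`data.attributes.last_analysis_date`, `last_analysis_stats`, `last_analysis_results`) and the `POST /files/{id}/analyse` re-scan endpoint; the trusted-vendor set, the seven-day staleness window, the sample bytes and the sample report are constructed for illustration and are not real data.

```python
"""
Hash-based VirusTotal triage: look a file up by SHA-256, flag stale reports for
re-scan, and weight detections by vendor instead of counting raw hits.

Added example for this thread; not VirusTotal's code. Response field names
follow VT API v3 (GET /files/{id}); everything else here is illustrative.
"""
import hashlib
import json
import time
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

VT_FILES = "https://www.virustotal.com/api/v3/files/{}"

# Illustrative choice: vendors whose hit alone would make the poster act.
TRUSTED_ENGINES = {"Kaspersky", "ESET-NOD32", "BitDefender", "Microsoft", "Symantec"}

# Illustrative window: a report older than this is re-submitted, as Minimalist does.
STALE_AFTER = 7 * 24 * 3600


@dataclass
class Verdict:
    sha256: str
    stale: bool
    engines: int                       # how many engines reported at all
    detections: int                    # how many flagged the file
    trusted_hits: list = field(default_factory=list)
    other_hits: list = field(default_factory=list)
    decision: str = "undetected"       # malicious | likely_fp | rescan | undetected


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest; this is the key VirusTotal indexes files by."""
    return hashlib.sha256(data).hexdigest()


def fetch_report(sha256: str, api_key: str) -> dict:
    """Live lookup (network). Not exercised offline."""
    req = urllib.request.Request(VT_FILES.format(sha256), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def request_rescan(sha256: str, api_key: str) -> dict:
    """Ask VT to re-run the engines on an already-known file (POST .../analyse)."""
    req = urllib.request.Request(VT_FILES.format(sha256) + "/analyse",
                                 headers={"x-apikey": api_key}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage(sha256: str, report: dict, now: Optional[float] = None) -> Verdict:
    """Turn a /files/{id} report into a decision a human can act on."""
    now = time.time() if now is None else now
    attrs = report["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    stale = (now - attrs.get("last_analysis_date", 0)) > STALE_AFTER

    hits = [eng for eng, r in results.items() if r.get("category") == "malicious"]
    trusted = sorted(e for e in hits if e in TRUSTED_ENGINES)
    other = sorted(e for e in hits if e not in TRUSTED_ENGINES)

    if trusted:
        decision = "malicious"          # a reputable vendor flagged it: act on it
    elif other:
        decision = "likely_fp"          # only the FP-prone engines hit: verify, do not panic
    elif stale:
        decision = "rescan"             # clean but old: signatures may have caught up since
    else:
        decision = "undetected"         # clean today; still not proof the file is good
    return Verdict(sha256, stale, len(results), len(hits), trusted, other, decision)


# ---- constructed sample data (not a real file, not a real VT response) ----
SAMPLE_BYTES = b"MZ\x90\x00 constructed placeholder, not real malware"
SAMPLE_SHA256 = sha256_of(SAMPLE_BYTES)
OTHER_ENGINES = {"ClamAV", "AVG", "SomeObscureAV", "AnotherAV"}


def sample_report(hits: set, age_seconds: int, now: int) -> dict:
    """Build a report in the v3 shape with the given engines flagging the file."""
    engines = sorted(TRUSTED_ENGINES | OTHER_ENGINES)
    results = {
        e: {"engine_name": e,
            "category": "malicious" if e in hits else "undetected",
            "result": "Trojan.Generic" if e in hits else None}
        for e in engines
    }
    return {"data": {"type": "file", "id": SAMPLE_SHA256, "attributes": {
        "sha256": SAMPLE_SHA256,
        "last_analysis_date": now - age_seconds,
        "last_analysis_stats": {"malicious": len(hits), "undetected": len(engines) - len(hits)},
        "last_analysis_results": results,
    }}}


if __name__ == "__main__":
    now = int(time.time())
    for hits, age in [({"Kaspersky", "SomeObscureAV"}, 3600), ({"SomeObscureAV"}, 3600),
                      (set(), 30 * 24 * 3600), (set(), 3600)]:
        print(triage(SAMPLE_SHA256, sample_report(hits, age, now), now))
```

    Note what the decision table does not do: "undetected" is deliberately not renamed "clean". A 0/N result on a fresh report only tells you that none of the command-line engines had a signature or heuristic for it at scan time, which is exactly the gap the later posts in this thread describe.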
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Yes, correct, but I still doubt that a standalone scanner would be able to spot the malware if none of the scanners on VT spot anything. I mean, how good are heuristics nowadays? That's why I rely on HIPS and sandboxing. :)
     
  11. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Two questions. Both answers: yes
     
  12. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    1. The AV engines are command-line versions and are not the same as their desktop counterparts.
    2. A green checkmark does not equate to "goodware" or "clean". It just means "maliciousness" was not detected.
    3. Binary obfuscation is increasingly being used in malware.

    VirusTotal is nothing more than a second-opinion scanner with its own limitations. Better than nothing, I suppose, but not the ultimate detection tool some may have mistaken it for...

    https://www.virustotal.com/en/faq/
     
  13. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    I voted yes, but with a caveat: It is a reliable source to check if something might be suspicious and thus should be subjected to strict analysis and avoided until such analysis is provided by a trusted source. All VT does is to run a specific sample against the current signatures in a finite list of popular AV/AM solutions. While this is useful information, it does not rise to the level of a definitive determination.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    @ safeguy and Coldmoon

    So do you both recommend a standalone AV in combination with VT? I must admit, I have been relying on VT for the last 6 years, I got fed up with bloated AV products. :)
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    No, because in many years of looking at exploits, too often VT reported 0/35 for recently discovered malware. I recall the Conficker worm from 2009:

    http://channelnomics.com/2012/10/17/10-month-days-renew-focus-heuristics/
    I remember a booby-trapped .RTF file I obtained to test. It was a targeted exploit, and VT had no detection. Yet, it was malicious, using Microsoft Packager.exe (installed on all computers) to extract an embedded .SCR file which did the dirty work:

    [screenshot: ae-alert.gif]

    Emails with attachments targeted to organizations are very clever, and employees can be understandably fooled.
    But suppose an employee is suspicious and uses the organization's AV to check, and it passes, and also uses VT, and it passes; then the malware succeeds (or not) depending on the other security in place at the organization.

    ----
    rich
     
    Last edited: Jul 26, 2014
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,892
    I'll keep trusting it.
     
  17. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    Not too sure, as antivirus cannot detect every kind of malware.
     
  18. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    Personally, I'm not a fan of real-time desktop AV myself... it's not really my cup of tea. I do use VT too, but I just want to point out the limitations.

    That being said, desktop AVs have their own advantages (compared to a command-line scanner limited to heuristics and signatures). Whether or not someone wants to use one is up to the person themselves.

    I'm not a malware analysis expert so I won't do recommendations. That would be irresponsible of me.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    @ safeguy

    Yes, a real-time AV is out of the question for me, but I even ditched on-demand scanners (like Avira) because they were not worth it; they became way too heavy and bloated. But what I meant is: if you scan some app for malware, would you trust VT alone, or always scan it with some standalone AV as well? :)
     
  20. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Lastline Labs malware researchers studied hundreds of thousands of pieces of malware they detected over 365 days, from May 2013 to May 2014, testing new malware against the 47 vendors featured in VirusTotal to determine which caught the malware samples, and how quickly.

    The focus of this test is to determine how fast the anti-virus scanners catch up with new malware.

    Even after 2 months, one third of the AV scanners failed to detect many of the malware samples.

    Some other interesting findings of this Lastline Labs research:

    • On Day 0, only 51% of AV scanners detected new malware samples
    • When none of the AV scanners detected a malware sample on the first day, it took an average of two days for at least one AV scanner to detect it
    • After two weeks, there was a notable bump in detection rates (up to 61%), indicating a common lag time for AV vendors
    • Over the course of 365 days, no single AV scanner had a perfect day, a day in which it caught every new malware sample
    • After a year, there are samples that 10% of the scanners still do not detect

    This analysis does not single out any AV vendor, and provides only insights based on VirusTotal data (with the caveats expressed at the beginning).

    http://labs.lastline.com/lastline-labs-av-isnt-dead-it-just-cant-keep-up

    I have used VirusTotal as a secondary scanner many times, but would have to say no to trusting its results.
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    All this test data is fine and all, but let's not forget real-world effectiveness here. That's the basis for my previous statement.
     
  22. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    VT is just a guide.
     