How far do you trust Virustotal results?

Discussion in 'other anti-malware software' started by Carbonyl, Jan 14, 2010.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Here's a rather stupid question for you all: Notwithstanding the obvious disclaimer they put on their site, how far to do typically feel safe interpreting the results from Virustotal?

    I only ask because lately I've seen two different viewpoints regarding files which give a low number of detections. Obviously if everything lights up across the board, it's an unsafe file. But in recent days I've seen these two opinions crop up on different locations across the web:

    "Oh, it was only 1/41 that said it was infected. It must be a false positive!"

    "Wow, only 1/41 detect this. It's a really nasty virus. Why are the AV companies slacking off?"

    Usually I'll never let a file touch my system if Virustotal comes back with any positive responses. But lately I'm beginning to wonder if that's too paranoid an option.
     
  2. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    There is no such thing as a stupid question. It's a matter of perception.

    I always trust Virustotal. I upload all my suspicios files to Virustotal .If any AV detects , then i'll not use that software.

    Thats good eventhough that file is a FP.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Excellent question. And one that it hard to answer. I suppose I incorporate the Virustotal results into a mix of inquiries and comparisons and search results. I do tend to place weight on the preponderance aspect. I do not rely upon their results to the point that I will not allow a file on my system if one or two positives come back. I may have been very lucky all these years, or maybe my methodology works. Probably both. ;)
     
  4. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    If only 1/41 detect it I check what vendor detected it. If it's a vendor known for FP's I think its most likely an FP.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    VirusTotal and Jotti have often given a wrong impression because a particular scanner hasn't reported a file to be malware. Various vendors have noted that the online scanner is different than the one installed on a user's system, and the online version may not be exactly up to date with its signatures.

    Some years ago a particular zero-day file that returned 0 results on line the first day had in fact been flagged by two products, as reported by users at DSLR.

    This is not to say that the online scanners are not useful, but that the results should not be taken as the definitive statement.

    regards,

    -rich
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I don't trust it at all.
     
  7. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Very interesting replies from everyone! It seems we all have varying levels of acceptance for this online tool. :D

    I'll note that I agree with you completely, Rmus, when you speak of the differences in detection between realtime running A/V and the command line version used by VirusTotal. Some places, like Internet Storm, seem to think that VirusTotal is a definitive measure of how vendors detect threats - Case in point, check out the latest rundown of Malicious PDF threats, wherein 8/41 AV suites detect the threat on VirusTotal. Of course, this discounts heuristics in many cases.

    On the flip side of the coin, this morning I took some time to analyze a fairly popular, free piece of software that many of my friends play regularly: Dwarf Fortress. It seems to give some hits on VirusTotal for some of the exe and dll files packed in with the game - But given it's prevalence and popularity, I'd guess those are false positives.

    It's becoming a bit difficult to disambiguate the results! Seems that positive hits across the board are really the only 'solid' indication of anything, with negative results not necessarily correlating to actual 'missed' threats by AV.

    Good point! In this day and age where more and more rapidly changing threats are slipping past even respected AV solutions, that's becoming harder and harder to do. At least in my opinion.
     
  8. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    there's a serious disconnect from reality here. anti-malware tools can tell you that something malicious is present, but they cannot tell you something malicious is not present - like proving a negative, it's simply not possible. if you only get one hit at virustotal, or even if you get zero hits, that doesn't mean the file is safe, it doesn't mean there's nothing malicious in there only that the anti-malware tool couldn't find anything malicious.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I'd have to say that you've just called attention to the obvious. :)
     
  10. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    i should like to think so, but the question posed seemed to indicate otherwise. virustotal and it's ilk does not and cannot say something is safe, ergo there is no 'this is safe' result from it to trust or not trust.

    people naturally infer from the absence of a 'this is malicious' result that something is safe, because they assume there are only 2 answers ('safe' or 'malicious'). but it's a false inference because there are 3 answers - the 3rd answer is 'unknown'. the only 2 results virustotal can give are 'malicious' or 'unknown'. with that understanding the question of whether to trust virustotal's results changes drastically.
     
  11. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    I, on the other hand, almost always expect certain vendors to flag files I submit there.

    There are vendors who seem to flag files simply because they are packed in a funny way :)

    I have a healthy distrust for virustotal, especially towards certain vendors which seem almost too happy too use generic or heuristic detections.


    If there is no specific named detection I tend to discard that vendor's result in my mind. I give more credit to sandboxed analysers, such as ThreatExpert, than I give to virustotal these days.
     
  12. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Yes, indeed. For example, Norton File Insight (a component of Norton Internet Security 2010) will sometimes return that “3rd answer,” namely: “Unproven -- there is not enough information about this file to recommend it.”
     
  13. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    Trust VirusTotal?

    Hell no!

    VT is quite pointless, as lets face it - people have an anti-virus/anti-malware product installed and only that will tell them if something is malicious, how would one know without such detections?

    also, even in the event of infection or something misteriously happening with the normal usage of your machine that would lead you to believe to such, thats what support is for for the product your using, & they will help you fix it or pinpoint it.

    i never use VT, nor will i ever to check any file or 'what if' on my machine.

    it doesnt hurt to have a secondary backup scanner, but VT is not this.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There's several variables involved in interpreting VT results. When only 1 or 2 detect a problem, there's 2 possibilities:
    1, False positive.
    2, Brand new malware.
    I've had both results happen. When I get that type of scan results, I'll usually wait a day or 2, then scan the file again. If it's still just 1, it's probably a FP. If there's more detections, it was new malware.

    Where you got the questionable file will have a lot to do with the conclusion you come to with those types of scan results.
     
  15. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    When that happens you can fill in the blanks with a little more research . Google for both the MD5 and file path . Google the version into . Was the file loading from a powerful point (notify , service .....) but has completely blank version info , this is usually a dead giveaway . Does it load from an obscure load point like explorer run or appcert dll , almost none of those are legit .

    If you want to go a little further look for things that just don't seem right like MS version info and UPX packing or super odd looking PE sections (1 char or 8 chars) . Look for version info that is impossible like a file that says it is svchost or mismatched vendors or impossible version info like company name sdiufgasdgfskdhfahsdhfhasdhfasdgh .

    In short unless VT is over 50% and more or less matching detections you cant be sure without some digging .
     
  16. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    In my opinion, if you have to send something you have downloaded to VirusTotal, you already do not trust the download. Therefore it is only wise not to execute it ;)
     
  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    That's a bit like saying, if you have to wear a seatbelt, then you don't trust your car, so you'd better not drive. :)

    I understand what you mean. But people are just trying to be as thorough as they can be. It's smart to examine the file from several different angles, of which Virustotal is one.
     
  18. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Of course. However, even after much analysis, things do slip through the cracks. Therefore it is only safe to assume when you download something from a reputable source it has a lesser risk factor then downloading and executing an executable from an untrusted source.

    But again, nothing is safe. I installed a motherboard from a trusted distributor onto a friends computer, to which the drivers had a backdoor patched into them ;) Security is all about minimizing the risks, as you can't eliminate all of them, therefore one has to help their own security by minimizing their potential exposure to the risks.
     
  19. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I agree with you completely. I admit that I like to game in my limited spare time. Usually I get most of my downloads for this through Steam, but lately friends have been pointing me toward some other freeware options (Spelunky, aforementioned Dwarf Fortress). 'Freeware' makes me nervous enough, but I don't trust anyone's website these days. It's just way too easy for unscrupulous individuals to hijack, redirect, and replace files.

    I run NOD32, but part of the reason I asked the question is that NOD often comes up as one of the AV solutions that 'misses' current threats on VT scans, and that made me slightly concerned. I think enough info was presented above, though, for me to dismiss those concerns!
     
  20. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I always scan all the files that i can upload (not too big) through virustotal.
    Most of the time if it's clean, then i take it as clean :D

    If it gets flagged, i usually take the decision by lots of factors, such as: Place downloaded, software origin and more.

    Then if i still find it dangerous, i just hook up Returnil/VM and test it :D
     
  21. kaixi

    kaixi Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    17
    It depends on who flags the file as malware. Microsoft is known for their extensive QA testing, so if Security Essentials flags it, I'm more likely to think it's malware. If only 1 or 2 vendors (not Microsoft) flag a file and it's a packer, then I'm more likely to think that they're FPs.
     
  22. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I think it's a valid tool.

    It does not 'prove' that something is clean, but I find it a useful tool for figuring out what is safe. Of course, it's only one of the steps I take before downloading (and executing) software.
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It's not just a question of trusting the download or the company. Servers get hacked. A file that was clean yesterday could have been replaced with an infected one. Scanning what should be safe downloads is recognizing the fact that nothing on the internet is truly secure.
     
Loading...
Thread Status:
Not open for further replies.