Scanning with VirusTotal

Discussion in 'other anti-virus software' started by Less, Aug 8, 2009.

Thread Status:
Not open for further replies.
  1. Less

    Less Registered Member

    Joined:
    Dec 24, 2008
    Posts:
    248
    Uploaded a dll file @ VirusTotal.

    Why so many names for a particular trojan?
    And some popular scanners didn't even flag anything..

    So is this DLL file OK? False positive? o_O

    ~~ removed VT summary per policy~~ (It's enough to say that about half the scanners picked the file up under many different general names while many big names showed it as clean.)
     
    Last edited by a moderator: Aug 8, 2009
  2. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    Difficult to tell. Think to yourself: how did you get it, was it downloaded, was it from a trusted source? If it wasn't and you haven't seen it before, then where is it located? If you don't know any of those, then look up the file on Google and see if it might be a legitimate file.
     
  3. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    Industry lacks any unified naming convention. Each vendor has their own logic, some clearer than others :)

    And some scanners pick up files solely based on packers used, it's easier for them to just classify everything packed (with packer known to be in use with malware authors) than to unpack it etc.

    Not saying this is the case here since I didn't see the results. Also, some vendors are more prone to heuristic false positives than others (case in point, Ikarus taking a2 with them). Also, not saying this is the case here :)

    Probably safer for you to send that file for further analysis to the vendor whose product you use.
     
  4. bollity

    bollity Registered Member

    Joined:
    May 9, 2009
    Posts:
    179
    I think if the big names (Kaspersky, Avira, Avast, Norton, G Data, ...) say the file is clean then you can keep it.
     
  5. tesk

    tesk Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    100
  6. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    Err?

    Of course you should use them, to see if those files are known malware.

    And when it comes to, for example, ThreatExpert and others of its kind, you need knowledge of Windows processes and files and a deeper understanding of what goes on in your computer before you can really understand the results.
     
  7. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    It's not so much a lack of a unified naming convention (because there is the CARO naming convention that a lot of them follow) but rather a lack of coordinated naming. A naming convention specifies what the general format of the name should be, but it can't specify what the actual name of something new should be - that still has to be decided on by the vendor. And since their priority is rushing signatures out to the customer as fast as possible, there isn't time to ask all the other vendors "have you seen this yet? what are you calling it?" for each and every new piece of malware they get each day, so they just come up with their own label and slap it on.

    Agreed - if you're suspicious of the file, get an actual expert to look at it, rather than just an automated service.
     
  8. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    I was aware of the similar naming scheme some vendors use, but unaware of the entire CARO thing, good to know.
     
  9. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    But take any results from such services with a pinch of salt, as many pieces of malware may not reveal any incriminating results on behaviour analysis services...

    VirusTotal results should also not be taken at face value, because factors such as the versions used, scan settings, database version, etc. can all influence whether a file is flagged or not. However, they can serve as a general indicator of whether a file is known malware or not.
     
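The two points made above, that vendors follow a CARO-like name format but pick their own labels, and that a raw "N out of M engines" count should not be read at face value, can be made concrete with a small script. It is an added example for this thread, not code from VirusTotal or any vendor. It normalises each detection string into type / platform / family components, separates specific names from generic and heuristic ones (markers such as Gen, Heur, Suspicious, Packed), and reports whether the detections agree on a family. The report, engine names and "trusted engines" list are constructed and hypothetical; the token lists are a heuristic, not an official CARO parser.

```python
"""Normalise multi-engine scan verdicts into CARO-like components and
summarise them, so differently worded labels can be compared by family
and type rather than by raw string. Added example; all data is constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed report: engine -> detection name (None = reported clean).
SAMPLE_REPORT = {
    "EngineA": "Trojan-Downloader.Win32.Agent.abcd",
    "EngineB": "TrojanDownloader:Win32/Agent.XY",
    "EngineC": "Gen:Trojan.Heur.PT.gm0@aKbHcTn",
    "EngineD": "W32/Suspicious_Gen.A",
    "EngineE": "Packed.Win32.Krap.ab",
    "EngineF": None,
    "EngineG": None,
    "EngineH": None,
    "EngineI": "Trojan.Agent/Gen-Downloader",
    "EngineJ": None,
}
# Hypothetical "big names" the thread talks about; which engines you trust is your call.
TRUSTED_ENGINES = ("EngineF", "EngineG")

# Tokens that mark a generic / heuristic / packer-based detection rather than a named family.
GENERIC_MARKERS = re.compile(r"(gen\b|generic|heur|suspicious|susp|packed)", re.I)
PLATFORM_ALIASES = {"w32": "win32", "win32": "win32", "w64": "win64", "win64": "win64"}
TYPE_WORDS = {"trojan", "trojandownloader", "downloader", "worm", "backdoor",
              "virus", "adware", "pua", "riskware"}


@dataclass
class Detection:
    raw: str
    malware_type: Optional[str]
    platform: Optional[str]
    family: Optional[str]
    generic: bool


def parse_detection(name: str) -> Detection:
    """Split a vendor label on the usual separators and pick out its parts.
    Text after '@' or '!' is a variant/hash suffix in several schemes, so it
    is dropped before tokenising."""
    core = re.split(r"[@!]", name)[0]
    tokens = [t for t in re.split(r"[:/. ]+", core) if t]
    malware_type = platform = family = None
    for tok in tokens:
        low = tok.lower()
        if malware_type is None and low.replace("-", "") in TYPE_WORDS:
            malware_type = low.replace("-", "")
        elif platform is None and low in PLATFORM_ALIASES:
            platform = PLATFORM_ALIASES[low]
        elif (family is None and tok.isalpha() and len(tok) >= 3
              and not GENERIC_MARKERS.search(tok)):
            family = low  # first "real" word that is not a type/platform/generic marker
    return Detection(name, malware_type, platform, family,
                     bool(GENERIC_MARKERS.search(name)))


def summarise(report: dict, trusted=()) -> dict:
    """Aggregate a report into counts a human can reason about."""
    detections = {e: parse_detection(n) for e, n in report.items() if n}
    specific = [d for d in detections.values() if not d.generic]
    families = Counter(d.family for d in detections.values() if d.family)
    types = Counter(d.malware_type for d in detections.values() if d.malware_type)
    return {
        "engines": len(report),
        "flagged": len(detections),
        "specific": len(specific),
        "generic": len(detections) - len(specific),
        "families": dict(families),
        "types": dict(types),
        "top_family": families.most_common(1)[0][0] if families else None,
        "trusted_flagged": sorted(e for e in trusted if report.get(e)),
    }


def triage(summary: dict) -> str:
    """Illustrative reading of the summary; not a replacement for analysis."""
    if summary["flagged"] == 0:
        return "no engine flagged it; this is not proof that it is clean"
    if summary["specific"] >= 2 and summary["top_family"]:
        return f"specific detections agree on family '{summary['top_family']}'; treat as known malware"
    return "only generic/heuristic hits; send the file to your vendor for analysis"


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT, TRUSTED_ENGINES)
    for k, v in s.items():
        print(f"{k:16} {v}")
    print(triage(s))
```

On the constructed report, 6 of 10 engines flag the file, but only two give a specific name, and those two (plus one generic label) agree on the family; the rest are heuristic or packer verdicts. That split is the information a raw detection count hides.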
  10. dschrader

    dschrader AV Expert

    Joined:
    Mar 10, 2009
    Posts:
    54
    Regarding naming - there are up to 20,000 new viruses, trojans and worms per day. There is no way to coordinate naming among vendors.
     