Strange things happen, VirusTotal Test

Discussion in 'malware problems & news' started by softtouch, Apr 4, 2009.

Thread Status:
Not open for further replies.
  1. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I create a Delphi 2007 project, just an empty project, compile it, scan it with prevx edge and nod32 v4, and all is clean.
    I then upload the exe to virustotal, and it shows me 15/40 flagged it...

    HOW can this be?

    I uploaded the file to my own server, downloaded it from there, and it's still clean...

    The file is here:
    Code:
    http://www.delphifreeware.com/downloads/testfile.exe
    This is NOT malware or a Virus etc., it's just an empty Delphi 2007 project, compiled.
     
    Last edited: Apr 4, 2009
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    I think you should not link to live .exe, especially if they're suspicious. Second, I don't think forum TOS allows linking to VT or Jotti scan results, so you might wanna think that one through, as well.

    I recommend you give us detailed instructions on how to replicate your problem and check for ourselves.

    Mrk
     
  3. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Wow!
    That's a surprise :eek:

    It's a good thing that Avast and AntiVir did not detect it as malware.
    I've relied on those two heavily the past years.
     
  4. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Instructions to replicate are there in the post, but here again, edited:
     
  5. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Many AVs use automated analysis to detect malware. Clearly many AVs' automated detection methods detected this for some reason, so many had the FP.
     
  6. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Yes, but it is a) bad for the business and b) some of the AVs they use at VT, and which I have here, tell me after a local scan that nothing is wrong with the file... this is strange.
     
  7. yashau

    yashau Registered Member

    Joined:
    Oct 13, 2008
    Posts:
    151
    It's not even 15 anymore. When I uploaded it to VT it showed 22 engines detected it. :O
     
  8. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    That's funny, right?

    It does not even have any code from me inside, JUST a plain, empty Delphi 2007 project, compiled to an executable.

    Did your local AV complain about it? I bet it was quiet...

    Maybe VT has a virus itself... hehe

    New project with Delphi 7 results in 6/40
    New project with Delphi 5 results in 0/40

    The higher the Delphi version (and the more compatible with Vista), the more it gets flagged.
     
    Last edited: Apr 6, 2009
  9. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    a) Yes, AVs don't want FPs. Yes, AVs have FPs - we all know that - what's your point?
    b) Maybe the AVs you are scanning with don't detect it? If it shows as detected on VT and not on your computer, it may be because of different settings.
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    That's odd, because to my knowledge, ClamWin uses no heuristics whatsoever.
     
  11. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    a) Not bad for their business, but bad for my business... MY clients complain that MY software has a trojan, even though it has not.

    b) I used the same AVs as listed on VT. Currently scanning with AVG, and it tells me it's clean. But VT tells me it has a trojan.

    For example, prevx uses the database on a server to check the file.
    VT's prevx tells me it is malware, but my installed prevx tells me it's clean.
    How can that be? I just don't get it...
     
  12. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    a) Ohhhh, you mean generally! - sorry, I thought you meant it as this case specifically (with the sample which does nothing).
    Think this is a bit of a lost case then, to be honest. AVs are not going to change their ways just because of your samples (no offense mate), they'll need far more FPs to do anything about it. All you can do is send it to the AVs as false positives if they are detected... although I'm not sure about the case below - I agree, you shouldn't need to send it in the first place, but that's the way it works.

    b) Strange indeed - different configurations is the only thing I can think of.
     
  13. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    My observation related to my test file, VirusTotal:

    Empty Delphi 2007 project, compiled as executable - 22/40
    Added 1 line of code - 2/40 (Ikarus and a-squared always)

    So, it's an FP for sure. But, must I now submit it to all the 22 AV companies? o_O
     
  14. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I submitted the FP program to all AV companies which flagged it at virustotal.
    The ONLY one who responded to it was AVG:

    "Unfortunately, the previous virus database might have detected the mentioned virus on some legitimate applications. We can confirm that it was a false alarm. We have immediately released a new virus update that removes the false positive detection on this file. Please update your AVG and check your files again."

    ALL others did not do anything within 48h after submission.
     
  15. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,958
    Location:
    U.S.A.
    softtouch, glad to hear that AVG responded and I can confirm that your testfile.exe is clean with AVG:

    [attached screenshot: 2009-04-11_190603.gif]
     
  16. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Thanks for the test. My concern is the other 17 which did not update their definitions yet.

    I only learned about the issue when clients started to email me that my programs are infected, even though I was sure they are not.
     