Tips on reading VirusTotal results

Discussion in 'malware problems & news' started by EscapeVelocity, May 2, 2010.

Thread Status:
Not open for further replies.
  1. EscapeVelocity

    EscapeVelocity Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    368
    How do you read VirusTotal? If any of the 40 or so results is positive, is it dirty? Or do you require more than one positive?

    Thanks
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    One will be more than enough for me not to trust any file :D That is me :)
     
  3. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi
    Above 10 would be good...
     
  4. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    With a pinch of salt :)

    Check what imports the file has, if there is a ThreatExpert report on it, and what hit(s) Google has for that MD5.
     
  5. EscapeVelocity

    EscapeVelocity Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    368
    Here is a VirusTotal report with 5 positives on ~Link removed. See the Policy.~ Combofix download...
     
  6. EscapeVelocity

    EscapeVelocity Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    368
  7. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Agree, and check which scanner is giving the result. If it's Symantec giving the only report, I usually rate that higher than a smaller AV which might have far more false positives.
     
  8. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  9. ALiasEX

    ALiasEX Registered Member

    Joined:
    Mar 30, 2010
    Posts:
    240
    Unless the detection is Symantec.Insight. :cautious: They should remove that from the engine used by VirusTotal.
     
  10. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I always make the final decision myself; I mean, even if a few AVs flagged it as malware and I know this file is clean, I consider it clean. (Based on other aspects.)

    Of course, if lots of AVs flagged it as malware, I won't open it :D
     
  11. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, funny that you mention this. It seems that AV vendors have completely lost their sense of humour. The below are the results for a completely innocent PlaceboAV joke. Leaving the other misclassifications aside, one strikes me really. Fraudtool?! Looks like mankind is doomed if someone buys this product. :rolleyes: o_O

    ~Virus Total results removed per Policy~
     
    Last edited by a moderator: May 5, 2010
  12. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    If the first submission of the file is really recent, then my opinion is that the results have no value at all.

    - If the file has been known to VirusTotal for more than a week to 10 days, then you can start to trust the results.
    - Check what Ikarus says, since it seems the most "honest" AV out there, especially if your file is a high-risk file, like a keygen/patch.
    - Check if the rest of the AVs agree about the file.
    - Compare what signature-based AVs say with what those that have cloud technology say.
    - Then... check what ThreatExpert has to say.
    - In the end... OK, you know it... you cannot be 100% sure. So ignore VirusTotal and run the file on an isolated virtual machine or using software like Shadow Defender. Sandboxie could be an option too.
     
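The checks the thread converges on (posts 4, 7, 9 and 12) can be scripted: compute the hashes you would search for, look at how long VirusTotal has known the file, separate signature detections from reputation/heuristic names such as Symantec's Insight verdicts, and only then decide whether the count means anything. The script below is an added example written for this page, not code from the thread or from VirusTotal. The report layout follows the VirusTotal v3 `/files/{hash}` JSON as I recall it (`first_submission_date`, `last_analysis_stats`, `last_analysis_results`); treat those field names, the engine weighting and the thresholds as assumptions to adjust, and the sample report itself is constructed by hand.

```python
"""Triage heuristics for a VirusTotal file report.

Added example for this thread, not VirusTotal's code. Field names follow
the v3 file-report JSON as remembered (assumption: verify against the
current API docs). The sample report is constructed, not a real scan.
"""
import copy
import hashlib
import re

DAY = 86400
NOW = 1_700_000_000          # fixed "current time" so the example is deterministic

# Constructed report. Only the fields the heuristics use are filled in.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "first_submission_date": NOW - 2 * DAY,   # first seen 2 days ago
            "last_analysis_stats": {"malicious": 3, "suspicious": 1,
                                    "undetected": 60, "harmless": 0},
            "last_analysis_results": {
                "Symantec":    {"category": "malicious",  "result": "Suspicious.Insight"},
                "Ikarus":      {"category": "malicious",  "result": "PUA.HackTool.Keygen"},
                "BitDefender": {"category": "malicious",  "result": "Gen:Variant.Application.Keygen.1"},
                "SomeSmallAV": {"category": "suspicious", "result": "Heuristic.Generic"},
                "Kaspersky":   {"category": "undetected", "result": None},
                "ESET-NOD32":  {"category": "undetected", "result": None},
            },
        }
    }
}

# Detection names that come from reputation or heuristics rather than a
# signature. Assumption: this word list is a starting point, not a standard.
GENERIC_NAME = re.compile(r"insight|heur|generic|suspicious|reputation|cloud", re.I)


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a sample: the strings to search for elsewhere."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256")}


def classify_hits(results: dict):
    """Split flagging engines into signature ('hard') and reputation/heuristic
    ('soft') hits, by looking at the detection name, sorted by engine."""
    hard, soft = [], []
    for engine, r in sorted(results.items()):
        if r.get("category") not in ("malicious", "suspicious"):
            continue
        name = r.get("result") or ""
        (soft if GENERIC_NAME.search(name) else hard).append(engine)
    return hard, soft


def summarize(report: dict, now: int = NOW, min_age_days: int = 10) -> dict:
    """Apply the thread's rules: ignore very new submissions, discount
    reputation-only flags, and require agreement before calling it bad."""
    attrs = report["data"]["attributes"]
    age_days = (now - attrs["first_submission_date"]) / DAY
    hard, soft = classify_hits(attrs["last_analysis_results"])
    stats = attrs["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)

    if age_days < min_age_days:
        verdict = "too-new"            # rescan later; engines have not caught up
    elif not hard and not soft:
        verdict = "undetected"
    elif not hard:
        verdict = "reputation-only"    # e.g. only Suspicious.Insight-style names
    elif len(hard) < 3:                # threshold is an assumption, tune it
        verdict = "inconclusive"       # run it in a VM / sandbox instead
    else:
        verdict = "likely-malicious"
    return {"age_days": round(age_days, 1), "flagged": flagged,
            "hard": hard, "soft": soft, "verdict": verdict}


def aged(report: dict, days: int, now: int = NOW) -> dict:
    """Copy of a report with first_submission_date moved `days` into the past."""
    r = copy.deepcopy(report)
    r["data"]["attributes"]["first_submission_date"] = now - days * DAY
    return r


if __name__ == "__main__":
    sample_bytes = b"MZ" + b"\x00" * 62        # constructed stand-in for a file
    print(hashes(sample_bytes))
    print(summarize(SAMPLE_REPORT))            # 2 days old -> too-new
    print(summarize(aged(SAMPLE_REPORT, 30)))  # same hits, 30 days old -> inconclusive
```

On the constructed report the same four flags read as "too-new" at two days and "inconclusive" at thirty, because only two of the four names (Ikarus and BitDefender) are signature detections; the Insight and Heuristic.Generic hits are kept visible but not counted toward the verdict.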
Thread Status:
Not open for further replies.