Tips on reading VirusTotal results

How do you read VirusTotal, if any of the 40 or so results is positive its dirty? Or do you require more than one positive?

Thanks

 

one will be more than enough for me not to trust any file that is me

 

Above 10 would be good...

 

With a pinch of salt

Check what imports the file has, if there is a ThreatExpert report on it, and what hit(s) google has for that MD5.

 

Here is a VirusTotal report with 5 positives on ~Link removed. See the Policy.~ Combofix download[/URL]...

 

Ooops.

 

Agree, and check which scanner is giving the result. If it's symantec, giving the only report, I usually rate that higher over a smaller AV which might have far more false positives.

 

You might like this write-up
http://blog.didierstevens.com/2008/04/21/only-x-out-of-32-antivirus-products-detect-this/
as posted
https://www.wilderssecurity.com/showthread.php?t=208007

 

Unless the detection is Symantec.Insight. They should remove that from the engine used by VirusTotal.

 

I always take my final decision on me, i mean even if a few AV's flagged it as malware and i know this file is clean i consider it clean. (Based on other aspects)

Of course if lots of AV's flagged it as malware i won't open it

 

Well, funny that you mention this. It seems that AV vendors have completely lost their sense of humour. The bellow are the results for completely innocent PlaceboAV joke. Leaving the other misclassifications aside, one strikes me really. Fraudtool?! Looks like the mankind is doomed if someone buys this product.

~Virus Total results removed per Policy~

 

If the first submission of the file is really recent then my opinion is that the results have no value at all.

- If the file is known to virustotal for more than a week-10 days, then you can start to trust the results.
- Check what Ikarus says since it seems the more "honest" AV out there, specially if your file is a high risk file, like a keygen/patch.
- Check if the rest of the AVs agree about the file.
- Compare what signature based AVs say and what those that have a cloud technology.
- Then...check what ThreatExpert has to say.
- At the end...ok, you know it...you cannot be sure 100%. So ignore virustotal and run the file on an isolated virtual machine or using software like shadow defender. Sandboxie could be an option too.