VirusTotal: 20/36 AVs tell me it's malware

Discussion in 'malware problems & news' started by softtouch, Aug 12, 2008.

Thread Status:
Not open for further replies.
  1. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I uploaded a file to virustotal.
    The scan resulted in 20/36 (55.56%).
    But none of the "big" AVs detected anything bad, like NOD32, Kaspersky, BitDefender, etc.
    What shall I think about that file? Trojan or not? I am clueless. If so many detect it as a trojan dropper, why did none of the "big" AVs?
     
  2. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Hopefully this will be moved to the Other AV forum, where it will receive more attention.
     
  3. guest

    guest Guest

    link?
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,974
    Location:
    U.S.A.
    file's name?
     
  5. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    The fact that big-brand AVs don't detect it means nothing. Re-upload the file after a while, choose the option to rescan, and see which AVs detect it.
     
  6. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Send the file to newvirus@kaspersky.com. Then you will get a reply.

    They will probably send you a message within a few hours.
     
  7. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    The filename is brander.exe.

    It's a program which brands the title, copyright, banner, etc. of my products.
    It's for the publisher of my products, so he can brand his software before giving it out.

    It does nothing suspicious; it just modifies some text and other data inside the exe of my products. Can such a behavior trigger such a false alarm?
     
  8. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, I think modifying executables is considered highly suspicious behavior.

    If you trust that application and its vendor, keep using it; but as stated before, you can re-scan it in VirusTotal in a few days and see if the % of detection changes. If the "big" AVs start flagging it, there's something wrong, and you should consider sending a sample by e-mail reporting the FP.
     
  9. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,974
    Location:
    U.S.A.
    softtouch, run the brander.exe file through Jotti's Malware Scan for a second opinion and as HURST said, send a sample to your AV vendor as a False Positive result. Look at their Web site for instructions on how to report FPs.
     
  10. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Flagged by 8 of 20 scanners at Jotti.
    Flagged by AVG, Avast, ClamAV, CPSecure, F-Prot, Ikarus, Sophos, VirusBuster, but not by NOD32, Kaspersky, BitDefender and other major AVs.
    I slowly lost my trust in AVs...
    I know for sure it's not malware, because I wrote it, in Delphi, and it does nothing special in the code: just loading an exe, searching for text and replacing it, and writing the exe back.
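What softtouch describes (load an exe, find a text marker, replace it, write the exe back), as an added Python example; it is not the original Delphi brander or any code from this thread. It shows the two things such a patcher has to get right so the target is not corrupted: the replacement is padded to the marker's length so no offset in the file moves, and the PE header CheckSum that the edit invalidates is recomputed with the algorithm imagehlp's CheckSumMappedFile uses. The input is a constructed header-only stand-in (not a loadable executable) and the marker string `BRAND:Default Publisher` is an assumption.

```python
import struct

# Assumed marker embedded in the product binary, NUL terminator included so the
# whole slot (marker + terminator) is available for the publisher's string.
MARKER = b"BRAND:Default Publisher\0"


def checksum_field_offset(data: bytes) -> int:
    """Locate the optional header's CheckSum field (PE/COFF spec geometry):
    e_lfanew at DOS offset 0x3C, then 4-byte "PE\\0\\0", 20-byte COFF header,
    and CheckSum 64 bytes into the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """One's-complement sum of all 32-bit words with the CheckSum field itself
    counted as zero, folded to 16 bits, plus the file length. Assumes the
    CheckSum field is 4-byte aligned, which holds for spec-conforming headers."""
    cs_off = checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)       # walk whole dwords
    checksum = 0
    for i in range(0, len(padded), 4):
        if i == cs_off:
            continue
        checksum += struct.unpack_from("<I", padded, i)[0]
        if checksum > 0xFFFFFFFF:                   # fold the carry back in
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    return (checksum & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify_checksum(data: bytes) -> bool:
    """True when the header CheckSum matches the file contents."""
    return stored_checksum(data) == pe_checksum(data)


def brand(data: bytes, marker: bytes, replacement: bytes) -> bytes:
    """Overwrite `marker` with `replacement` in place, NUL-padded to the same
    length so every file offset stays put, then fix up the header checksum."""
    idx = data.find(marker)
    if idx < 0:
        raise ValueError("marker not found")
    slot = len(marker)
    if len(replacement) + 1 > slot:                 # keep room for the terminator
        raise ValueError(f"replacement longer than the {slot - 1} bytes reserved")
    patched = data[:idx] + replacement.ljust(slot, b"\0") + data[idx + slot:]
    cs_off = checksum_field_offset(patched)
    fixed = struct.pack("<I", pe_checksum(patched))
    return patched[:cs_off] + fixed + patched[cs_off + 4:]


def make_sample_pe() -> bytes:
    """Constructed stand-in for the product exe: DOS stub, PE signature, COFF
    header, a zeroed PE32 optional header and a data blob holding the marker."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew -> header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic; CheckSum left 0
    body = b"\0" * 16 + MARKER + b"\0" * 32 + b"other product data"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    original = make_sample_pe()
    branded = brand(original, MARKER, b"Acme Software")
    print("size unchanged:", len(branded) == len(original))
    print("checksum before/after:", verify_checksum(original), verify_checksum(branded))
```

Two caveats for anyone shipping a tool like this: the checksum fixup only keeps the file consistent with its own header, it does not repair an Authenticode signature, so branding has to happen before the publisher signs the binary; and Delphi resource or widestring text is stored as UTF-16LE, so the marker search would need the two-bytes-per-character form as well.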
     
  11. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I suggest you report the FP.
    And you can also consider forgetting about AVs and trying other solutions such as HIPS or sandboxes.
     
  12. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Isn't that something any decent heuristics should detect as malware? I mean, what else is a typical virus than a program that reads an EXE, adds/modifies a part of it and writes it back?

    :)

    Cheers
    Vlk
     
  13. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I don't think so. If it used calls like WriteProcessMemory, then that's suspicious. A decent AV will analyse the functions, and that's why NOD32, Kaspersky and BitDefender did not trigger any alert, just all the "cheaper" AVs out there. I know I could just ignore it, but many are using free AVs, and I get email after email that the brander is a virus, a trojan, and already a keygen.
     
  14. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I believe most AVs are screwed up a little...

    The harmless program, which changes text, is flagged as malware by 20 of 36 AVs.

    I just wrote a small program which injects other code into notepad's process memory and runs it. THIS is pure virus behavior, and it is flagged by just 4 as malware...

    Something is weird with all the AVs...
     
  15. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    1. That's why big-brand AVs didn't detect the harmless program.
    2. I think good AVs can intercept that behaviour after execution.
     
  16. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    I think the original poster's experience illustrates the findings of AV-Comparatives and others. AV suites are not created equal in their ability to avoid false positives. That is just the way it is.

    This reminds me of a quote:

    "Truth is not a popularity contest."

    It doesn't matter how many people tell you something, if they are all wrong.
     