Virustotal: 20/36 AV tells me its malware

I uploaded a file to virustotal.
The scan resulted in 20/36 (55.56%).
But, all the "big" av's did not detect anything bad, like nod32, kaspersky, bitdefender etc.
What shall I think about that file? Trojan or not? I am clueless. If so many detect it as a trojan dropper, why none of the "big" av did?

 

Hopefully this will be moved to the Other Av Forum where it will receive more attention.

 

link?

 

The fact that Big Brand av don't detect it means nothing. Reupload the file after the while, chose the option to rescan and see which avs detect it.

 

( newvirus@kaspersky.com <newvirus@kaspersky.com> )

Send the file here. Then you will get a reply.

They will probably send you a message within a few hours.

 

The filename is brander.exe.

Its a program which brand title, copyright, banner etc. of my products.
Its for the publisher of my products, so he can brand his software before giving it out.

It does nothing suspicious, it just modify some text and other data inside the exe of my products. Can such a behavior trigger such a false alarm?

 

Yes, I think modifying executables is considered a highly suspicious behavior.

If you trust that application and it's vendor keep using it, but as stated before, you can re-scan it in VirusTotal in a few days, and see if % of detection changes. If the "big" AV's start flagging it, there's something wrong, and you shoul consider sending a sample by e-mail reporting the FP.

 

Flagged by 8 of 20 scanner at jotti.
Flagged by AVG, Avast, ClamAV, CPSecure, F-Prot, Ikarus, Sophos, VirusBuster, but not by NOD32, Kaspersky, Bitdefender and other major AV.
I slowly lost my trust in AV's...
I know for sure its not malware, because I wrote it, in Delphi, and do nothing special in the code, just loading an exe, searching for text and replace text, and write the exe back.

 

I suggest you to report the FP.
And you can also consider forgetting about AV's and try other solutions such as HIPS or sandboxes.

 

Isn't that something any decent heuristics should detect as malware? I mean, what else is a typical virus, then a program that reads an EXE, adds/modifies a part of it and writes it back?



Cheers
Vlk

 

I don't think so. If it would use calls like WriteProcessMemory, than thats suspicious. A decent AV will analyse the functions, and thats why NOD32, Kaspersky and Bitdefender did not trigger any alert, just all the "cheaper" AV out there. I know, I could just ignore it, but many are using free AV's, and I get email after email that the brander is a virus, a trojan, and already a keygen.

 

I believe, most AV are screwed up a little...

The harmless program, which change text, is flagged as malware by 20 of 36 AV.

I just wrote a small program, which inject into notepad's process memory another code, and run it. THIS is virus behavior pure, and it is flagged by just 4 as malware...

Something is weird with all the AV...

 

1.That's why Big brand AVs didn't detect the harmless program
2.I think good avs can intercept that behaviour after execution.

 

I think the original poster's expericence illustrate the findings of av-comparatives and others. AV suites are not created equal in their ability to avoid false positives. That is just the way it is.

This reminds me of a quote:

"Truth is not a popularity contest."

It doesn't matter how many people tell you something, if they are all wrong.