Windows 7 Forums

Windows 7: VirusTotal getting annoying cause of FPs

03 Nov 2014   #1
Tookeri

Windows 7 Pro 32
 
 
VirusTotal getting annoying cause of FPs

I use sigcheck from Sysinternals to check all executable images in system32\drivers and system32 on VirusTotal once a month or so. Usually there are only a few false positives, mostly from AegisLab and sometimes from ByteHero. I don't know these two engines but from what I've seen so far, I'm not impressed. Does anyone know these two?

This time I got A LOT of FPs from these two, mostly from AegisLab. Almost all files belong to the Windows OS. Sigcheck opens a browser window for every detection and I guess there were like 50-100 files detected. Luckily I was watching my PC so I could close the windows, otherwise my PC would probably have crashed.
I have a VirusTotal uploader tool (PhrozenSoft's) but I prefer sigcheck as there are usually not that many FPs.
Here's an example of nslookup.exe, a file that hasn't been modified in almost 2 years:
https://www.virustotal.com/en/file/4...is/1415019677/

Question: Does anybody know a way to use VirusTotal but to have it ignore detections only by some engines?
If not, I'm thinking of creating a program that can do this because these FPs by AegisLab are getting ridiculous. The program would still use sigcheck but write detections to a log instead of opening a browser, and then use the log to get each report from VT, parse the result and exclude AegisLab, then show the result.

Interesting fact: I compared engines on VirusTotal and HerdProtect and even though HerdProtect has more engines they haven't included AegisLab. I wonder why.
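An added example (not Tookeri's or any forum member's code) of the filtering step the post describes: take a per-engine report, drop the engines you distrust and recompute the detection count. The JSON follows the shape of the VirusTotal v2 file report (a top-level "scans" map of engine name to a verdict object); the sample report below is constructed for illustration and is not the real nslookup.exe report.

```python
import json

# Engines whose verdicts are dropped before deciding whether a file needs
# a closer look (AegisLab and ByteHero are the two named in the thread).
IGNORED_ENGINES = {"AegisLab", "ByteHero"}

# Constructed sample in the shape of a VirusTotal v2 file report
# ("scans" maps engine name to its verdict). Not a real report.
SAMPLE_REPORT = json.dumps({
    "resource": "<sha256 placeholder>",
    "positives": 2,
    "total": 4,
    "scans": {
        "AegisLab": {"detected": True, "result": "Troj.Heuristic!c"},
        "ByteHero": {"detected": True, "result": "Virus.Win32.Heur.c"},
        "Microsoft": {"detected": False, "result": None},
        "Kaspersky": {"detected": False, "result": None},
    },
})


def filter_report(report_json, ignored=IGNORED_ENGINES):
    """Return (remaining_positives, total_considered, {engine: result}).

    Engines in ``ignored`` are removed from both the positive count and the
    total, so the ratio reflects only engines whose verdicts are trusted.
    """
    report = json.loads(report_json)
    scans = report.get("scans", {})
    considered = {e: v for e, v in scans.items() if e not in ignored}
    hits = {e: v.get("result") for e, v in considered.items() if v.get("detected")}
    return len(hits), len(considered), hits


def needs_attention(report_json, min_hits=1, ignored=IGNORED_ENGINES):
    """True when at least ``min_hits`` trusted engines still flag the file."""
    positives, _, _ = filter_report(report_json, ignored)
    return positives >= min_hits


if __name__ == "__main__":
    pos, tot, hits = filter_report(SAMPLE_REPORT)
    print(f"{pos}/{tot} after exclusions, flagged by: {sorted(hits) or 'none'}")
    print("needs attention:", needs_attention(SAMPLE_REPORT))
```

With the two excluded engines removed, the constructed report drops from 2/4 to 0/2 and would not open a browser window; passing an empty exclusion set restores the raw 2/4.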


03 Nov 2014   #2
oneeyed

Windows 8
 
 

Apart from specifying no reports (-v instead of -vr) in the command line, I don't think you can do that directly.

I don't use Sigcheck that way myself, I added the Hash function to Explorer's context-menu via registry and I use it on specific files (mainly installers).

I've thought about creating a small program like you, but I think you're better off building a database of hashes on all system files, and then on schedule only check the files that have changed on virustotal. It would greatly decrease the number of files/hashes sent and therefore FPs if that's a problem.
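An added example (not oneeyed's code) of the baseline idea: hash every executable image once, store the map, and on the next run hand only new or changed hashes to whatever lookup you use. The extension list, file layout and baseline file name are assumptions, not anything from the thread.

```python
import hashlib
import json
import os

# Extensions a sweep of system32 and system32\drivers would care about
# (assumed default; adjust to taste).
IMAGE_EXTENSIONS = (".exe", ".dll", ".sys")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large drivers are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, extensions=IMAGE_EXTENSIONS):
    """Map relative path -> SHA-256 for every executable image under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def changed_hashes(old, new):
    """Hashes that are new or changed since the previous baseline.

    Only these need to be looked up: files whose hash is unchanged were
    already checked last time, so re-submitting them gains nothing and only
    repeats the same false positives.
    """
    return sorted(h for p, h in new.items() if old.get(p) != h)


def save_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    """Previous baseline, or an empty map on the very first run."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as f:
        return json.load(f)
```

On the first run every hash is "changed" and gets looked up once; afterwards a monthly run of a stable system32 typically yields only the files touched by updates.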
03 Nov 2014   #3
Tookeri

Windows 7 Pro 32
 
 

That's another idea, thanks! I'll think about it and compare pros and cons.

About checking mainly installers, check out this Tutorial: VirusTotal + HerdProtect - Check Files with Simultaneously
It checks both VirusTotal (sigcheck) and HerdProtect. There's no tool that I know of that can check individual files on HerdProtect, so this batch file will get the SHA1 for the file(s), build the URL for it to HerdProtect's Knowledge Base, download the page source and parse it. It turned out really nice, a batch file that creates and executes a VBScript.
It doesn't submit unknowns to VT but you can just modify the code if you want that.

03 Nov 2014   #4
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

Have you considered trying OpSwat MetaScan instead of VirusTotal? Perhaps worth a look?

https://www.metascan-online.com

Have a close look at the public apps and APIs....
https://www.metascan-online.com/en/apps
03 Nov 2014   #5
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
SigCheckGUI

I wonder if you've tried this?

http://www.sevenforums.com/software/...-uploader.html

I'll run a check on system32 - system32/drivers and see if I get the same issues.

Edit: Forget that - it doesn't want to scan system32/drivers even if sys is added to the list of extensions!
03 Nov 2014   #6
Tookeri

Windows 7 Pro 32
 
 

Thanks for the suggestions guys!

I'll have a look at Metascan, but is it as frequently used as VT? I don't know, but one of the best things with sigcheck and VT is that it almost never has to submit any files because someone else has already done it, including recently updated files. Checking thousands of files only takes a few minutes.

Haven't tried SigCheckGUI. Anyway, the problem with any VT tool I think is that it only shows the detection rate. To see which AVs detected something you have to open the report for each file. Example:
(Screenshot attached: vtex.png)


03 Nov 2014   #7
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Report for each file

It's the same with SigCheckGUI - it shows the scores but you have to click each link to get a report on each file.
03 Nov 2014   #8
Tookeri

Windows 7 Pro 32
 
 

Then at least you understand my problem. Maybe it's just me that's paranoid enough to scan system32 and drivers. If you would too, you'll see that AegisLab makes reading the result very difficult when you check thousands of files and many are wrongly detected. I could of course simply ignore all files with only 1 detection and make sigcheck not open reports. But it just feels wrong to do that because one AV isn't doing its job properly. And I hope that VT doesn't keep adding more questionable AVs so that we end up with 200 or so in ten years.
03 Nov 2014   #9
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
VirusTotal results

I always ignore anything flagged up unless there's multiple detections or I double check using other scanners.

I like this one but it only scans running processes/drivers against common AVs:

System Explorer Scan Results - report just finished.
03 Nov 2014   #10
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
SigCheck System32 Drivers

Sigcheck scan finished. All zero scores on VirusTotal, along with a few unknown (to VirusTotal) drivers.

Report attached.

output.txt

You're right - it's a pain having to check each link.

