VirusTotal getting annoying cause of FPs

Page 2 of 3

  1. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #11

    Re: Your questions


    Your original browser questions - I don't know how to exclude scan engines from VT but I certainly didn't see any browser window opening but then there were no detections!

    I guess the answer is to drop the -r switch and output to text file.


  2. Posts : 1,049
    Windows 7 Pro 32
    Thread Starter
       #12

    Oh, maybe drivers were clean and all FPs were in system32. That's probably how it was; hard to remember when browser windows were popping up all the time. I spent more time closing them than actually reading their content. Well, I can only say that having each report opened in a browser is a terrible idea if there are many FPs.

    If you want you can just check nslookup.exe and wscript.exe in system32. There were so many that I can't remember them all.

    Browser reports are only opened when you use parameter -vr for sigcheck.exe. Don't know if the GUI app has similar functionality.
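    The posts above describe the practical problem: sigcheck's -vr switch opens one browser tab per VirusTotal hit, which is unusable when a single engine is false-positiving on dozens of system32 files. The following is an added example (not code from this thread, from Sysinternals, or from VirusTotal) of the alternative the first reply suggests: write the results to a file and triage them offline. It assumes the CSV that `sigcheck.exe -c -vt -s C:\Windows\System32 > vt.csv` produces, with a "VT detection" column in the form "detections/engines" and "n/a" for hashes VirusTotal has never seen; the sample rows, file paths and report links below are constructed placeholders, not real scan data.

```python
"""Triage sigcheck VirusTotal output from a text/CSV file instead of browser tabs.

Added example; assumes sigcheck's CSV columns "Path", "Verified",
"VT detection" (e.g. "2/55") and "VT link". Not the tool's own code.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample mimicking `sigcheck -c -vt -s` output. Paths and links are placeholders.
SAMPLE_CSV = """Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type,VT detection,VT link
C:\\Windows\\System32\\nslookup.exe,Signed,7/13/2009 8:17 PM,Microsoft Windows,Microsoft Corporation,nslookup,Microsoft Windows Operating System,6.1.7600.16385,6.1.7600.16385,32-bit,0/55,https://www.virustotal.com/PLACEHOLDER_nslookup
C:\\Windows\\System32\\wscript.exe,Signed,7/13/2009 8:17 PM,Microsoft Windows,Microsoft Corporation,Microsoft Windows Based Script Host,Microsoft Windows Operating System,5.8.7600.16385,5.8.7600.16385,32-bit,1/55,https://www.virustotal.com/PLACEHOLDER_wscript
C:\\Users\\me\\Downloads\\setup.exe,Unsigned,n/a,n/a,n/a,n/a,n/a,n/a,n/a,32-bit,42/55,https://www.virustotal.com/PLACEHOLDER_setup
C:\\Users\\me\\tools\\hexedit.exe,Unsigned,n/a,n/a,n/a,n/a,n/a,n/a,n/a,32-bit,n/a,n/a
"""

LOW_COUNT = 2           # at most this many engines on a signed binary -> likely FP
CONSENSUS_RATIO = 0.25  # a quarter or more of engines agreeing -> treat as a real detection


@dataclass
class VtRow:
    path: str
    verified: str
    detections: Optional[int]   # None when VirusTotal has no record of the hash
    engines: Optional[int]
    link: str


def parse_detection(field: str) -> Tuple[Optional[int], Optional[int]]:
    """Turn '2/55' into (2, 55); anything else (e.g. 'n/a') into (None, None)."""
    field = field.strip()
    if "/" not in field:
        return None, None
    hit, total = field.split("/", 1)
    try:
        return int(hit), int(total)
    except ValueError:
        return None, None


def parse_sigcheck_csv(text: str) -> List[VtRow]:
    """Read sigcheck CSV text into VtRow records."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        hit, total = parse_detection(rec.get("VT detection", ""))
        rows.append(VtRow(rec["Path"], rec["Verified"], hit, total, rec.get("VT link", "")))
    return rows


def triage(row: VtRow) -> str:
    """Classify one result so a human only opens the reports that matter."""
    if row.detections is None:
        return "unknown"      # hash never seen by VT; nothing to conclude either way
    if row.detections == 0:
        return "clean"
    if row.engines and row.detections >= CONSENSUS_RATIO * row.engines:
        return "detected"     # broad agreement across engines
    if row.detections <= LOW_COUNT and row.verified == "Signed":
        return "likely-fp"    # one or two engines on a signed OS file: the thread's case
    return "review"           # low count on an unsigned file: look at the report


def report(rows: List[VtRow], only_hits: bool = True) -> List[str]:
    """One line per file, most detections first; clean files dropped by default."""
    lines = []
    for r in sorted(rows, key=lambda r: -(r.detections or 0)):
        verdict = triage(r)
        if only_hits and verdict == "clean":
            continue
        det = f"{r.detections}/{r.engines}" if r.detections is not None else "n/a"
        lines.append(f"{verdict:10} {det:>6}  {r.verified:8} {r.path}  {r.link}")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("vt.csv").read() to triage a real sigcheck run.
    for line in report(parse_sigcheck_csv(SAMPLE_CSV)):
        print(line)
```

    The thresholds are deliberately simple: a signed Windows binary flagged by one or two engines out of fifty-odd is almost always the FP situation this thread is about, while anything a quarter of the engines agree on deserves the browser tab. Only the "review" and "detected" lines need their VT link opened by hand.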


  3. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #13

    SigCheckGUI results


    That's funny - they both show up zero detections.

    [Attachment: sigcheckgui-results.jpg]


  4. Posts : 1,049
    Windows 7 Pro 32
    Thread Starter
       #14

    I did a re-check, you're correct, they're clean now! Well, at least nice to see that AegisLab could fix their FPs quickly. I'm sure they got massive reports when they started detecting lots of files wrongly.

    I still don't like these questionable AVs and can't understand why VirusTotal would include them in the first place.


  5. Posts : 92
    Windows 8
       #15

    Tookeri said:
    I still don't like these questionable AVs and can't understand why VirusTotal would include them in the first place
    Never heard of them before using VT either but I think they are experimental or outliers. Maybe they even use overly aggressive heuristics by default which usually isn't the case in other AVs. They "might" pick up things that regular AVs miss. Of course you'll get more FPs this way too.

    This might be bad, or rather inconvenient, for end-users but for the other AVs, it's a great way to get warned of any new malware that bypassed their cautious engines. After all, they don't participate in VT for charity, they do get benefits from it too.

    There was a recent article on how malware creators use VT to check what they build, and when they get a "safe" on all major AVs, they start distributing them. So including very aggressive AVs on VT is a good way to make sure everyone gets alerted fast when that happens.

    There was no definitive pattern to the kinds of changes that reduced the detection rate. Although all of the samples Dixon tracked got detected by one or more antivirus engine, those with low detection rates were often found only by the more obscure engines that are not in popular use.
    Source : A Google Site Meant to Protect You Is Helping Hackers Attack You | WIRED
    Last edited by oneeyed; 03 Nov 2014 at 18:12.


  6. Posts : 1,049
    Windows 7 Pro 32
    Thread Starter
       #16

    Yes that's true. I think I've read somewhere that when an AV detects something on VT it's reported to all other AVs as well, but maybe that was what you meant.

    I noticed something interesting: the version info. If that's the version of the AV software, it might reveal the ones that haven't been available that long.
    [Attachment: avversions.png]

    Interesting you mentioned that article. When I first heard about it I thought: can't VT keep track of these files that are only slightly modified and rescanned several times? I mean, they do it until the file is clean. Rescanning a file that previously had detections and suddenly is clean, maybe even without updated definitions from all AVs. They can't track with hashes of course, but there must be other ways to track the content.


  7. Posts : 1,049
    Windows 7 Pro 32
    Thread Starter
       #17

    oneeyed said:
    There was no definitive pattern to the kinds of changes that reduced the detection rate. Although all of the samples Dixon tracked got detected by one or more antivirus engine, those with low detection rates were often found only by the more obscure engines that are not in popular use.
    Source : A Google Site Meant to Protect You Is Helping Hackers Attack You | WIRED
    I get it, they're not all bad :)


  8. Posts : 1,049
    Windows 7 Pro 32
    Thread Starter
       #18

    This is funny: (from that same article)

    "They made it particularly easy to track their code in the wild because even the emails and attachments they used in their phishing campaigns got tested on VirusTotal. More surprising, they even uploaded files they’d stolen from victims’s machines. Dixon found calendar documents and attachments taken from some of the group’s Tibetan victims uploaded to VirusTotal. He thinks, ironically, that the hackers may have been testing the files to see if they were infected before opening them on their own machines."


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #19

    See if Jotti's is any better: Jotti's malware scan


  10. Posts : 92
    Windows 8
       #20

    @Tookeri

    Yes the article had funny parts. If you imagined all these hackers were pros/geniuses with a deep understanding of computers/security, then it's a letdown.
    From what I gathered in the article, most of these groups don't create anything new, they just modify already existing malware until they can bypass AV checks.

