VirusTotal getting annoying cause of FPs


  1. Posts : 1,049
    Windows 7 Pro 32
       #1

    VirusTotal getting annoying cause of FPs


    I use sigcheck from Sysinternals to check, once a month or so, all executable images in system32\drivers and system32 on VirusTotal. Usually there are only a few false positives, mostly from AegisLab and sometimes from ByteHero. I don't know these two engines, but from what I've seen so far, I'm not impressed. Does anyone know these two?

    This time I got A LOT of FPs from these two, mostly from AegisLab. Almost all files belong to the Windows OS. Sigcheck opens a browser window for every detection, and I guess there were like 50-100 files detected. Luckily I was watching my PC so I could close the windows, otherwise my PC would probably have crashed.
    I have a VirusTotal uploader tool (PhrozenSoft's), but I prefer sigcheck as there usually aren't that many FPs.
    Here's an example, nslookup.exe, a file that hasn't been modified in almost 2 years:
    https://www.virustotal.com/en/file/4...is/1415019677/

    Question: Does anybody know a way to use VirusTotal but to have it ignore detections only by some engines?
    If not, I'm thinking of creating a program that can do this because these FPs by AegisLab are getting ridiculous. The program would still use sigcheck but write detections to a log instead of opening a browser, and then use the log to get each report from VT, parse the result and exclude AegisLab, then show the result.

    Interesting fact: I compared engines on VirusTotal and HerdProtect, and even though HerdProtect has more engines they haven't included AegisLab. I wonder why.
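The "exclude AegisLab, then show the result" step of the program described above, written out as an added example (not code from the thread, from sigcheck or from VirusTotal). The reports are modelled on the VirusTotal API v2 file report layout (a `scans` map of engine name to `detected`/`result`); the file paths, engine verdicts and counts are constructed for illustration.

```python
import json

# Constructed sample reports in the shape of a VirusTotal v2 file report
# ("scans": engine -> {"detected": bool, "result": str|null}). The verdicts
# below are invented for illustration and are not real scan results.
SAMPLE_REPORTS = {
    r"C:\Windows\System32\nslookup.exe": json.loads("""{
        "positives": 2, "total": 55, "scans": {
            "AegisLab":  {"detected": true,  "result": "Constructed.Generic.A"},
            "ByteHero":  {"detected": true,  "result": "Constructed.Heur.B"},
            "Microsoft": {"detected": false, "result": null},
            "Kaspersky": {"detected": false, "result": null}}}"""),
    r"C:\Windows\System32\drivers\demo.sys": json.loads("""{
        "positives": 1, "total": 55, "scans": {
            "AegisLab":  {"detected": true,  "result": "Constructed.Generic.C"},
            "Microsoft": {"detected": false, "result": null}}}"""),
}

def filter_detections(report, ignored):
    """{engine: result} for every detecting engine that is not on the ignore list."""
    return {eng: info.get("result")
            for eng, info in report.get("scans", {}).items()
            if info.get("detected") and eng not in ignored}

def adjusted_counts(report, ignored):
    """(positives as reported, positives after ignoring engines, total engines)."""
    total = report.get("total", len(report.get("scans", {})))
    return report.get("positives", 0), len(filter_detections(report, ignored)), total

def summarize(reports, ignored=frozenset(), min_hits=1):
    """One line per file that still has >= min_hits detections after filtering."""
    lines = []
    for path, rep in reports.items():
        orig, adj, total = adjusted_counts(rep, ignored)
        if adj >= min_hits:
            hits = ", ".join(f"{e}: {r}" for e, r in sorted(filter_detections(rep, ignored).items()))
            lines.append(f"{path}  {orig}/{total} -> {adj}/{total}  [{hits}]")
    return lines

if __name__ == "__main__":
    # The driver flagged only by AegisLab drops out; nslookup.exe stays because ByteHero also hit.
    print("\n".join(summarize(SAMPLE_REPORTS, ignored={"AegisLab"})))
```

Raising `min_hits` to 2 reproduces the "ignore single-detection files" rule discussed later in the thread, while the ignore list keeps the per-engine exclusion explicit.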


  2. Posts : 92
    Windows 8
       #2

    Apart from specifying no reports (-v instead of -vr) on the command line, I don't think you can do that directly.

    I don't use Sigcheck that way myself, I added the Hash function to Explorer's context-menu via registry and I use it on specific files (mainly installers).

    I've thought about creating a small program like you, but I think you're better off building a database of hashes of all system files, and then on a schedule only check the files that have changed on VirusTotal. It would greatly decrease the number of files/hashes sent and therefore FPs, if that's a problem.
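The hash-database approach suggested in this post, as an added example that is not code from the thread or from sigcheck: hash every executable image under a directory, store the result as a JSON baseline, and on the next run report only files that are new or changed (those are the hashes worth sending to VirusTotal) plus files that disappeared. The extension list and the `demo()` directory layout are constructed assumptions.

```python
import hashlib, json, tempfile
from pathlib import Path

EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".drv", ".scr"}  # assumed image types

def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large images are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(root, exts=EXECUTABLE_EXTS):
    """Map every executable image under root (recursive) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in exts}

def changed_since(baseline, current):
    """Files that are new or whose hash differs: the only ones worth querying."""
    return {rel: h for rel, h in current.items() if baseline.get(rel) != h}

def removed_since(baseline, current):
    return sorted(set(baseline) - set(current))  # present in baseline, gone now

def run(root, baseline_path):
    """One scheduled run: diff against the stored baseline, then update it."""
    bp = Path(baseline_path)
    baseline = json.loads(bp.read_text()) if bp.exists() else {}
    current = hash_tree(root)
    bp.write_text(json.dumps(current, indent=1, sort_keys=True))
    return changed_since(baseline, current), removed_since(baseline, current)

def demo():
    """Constructed walkthrough in a temp dir: first run, unchanged run, modified run."""
    d = Path(tempfile.mkdtemp())
    (d / "drivers").mkdir()
    (d / "nslookup.exe").write_bytes(b"constructed image A")
    (d / "drivers" / "demo.sys").write_bytes(b"constructed image B")
    (d / "readme.txt").write_bytes(b"not an executable image, so never hashed")
    bl = d / "baseline.json"
    first = run(d, bl)                      # everything is new on the first run
    second = run(d, bl)                     # nothing changed: nothing to query
    (d / "nslookup.exe").write_bytes(b"constructed image A, patched")
    (d / "new.dll").write_bytes(b"constructed image C")
    (d / "drivers" / "demo.sys").unlink()
    third = run(d, bl)                      # one changed, one new, one removed
    return first, second, third
```

Pointing `run()` at system32 and scheduling it monthly gives the "only check what changed" workflow; after a Windows Update the changed set is exactly the patched binaries.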


  3. Posts : 1,049
    Windows 7 Pro 32
    Thread Starter
       #3

    That's another idea, thanks! I'll think about it and compare pros and cons.

    About checking mainly installers, check out this tutorial: VirusTotal + HerdProtect - Check Files with Simultaneously
    It checks both VirusTotal (sigcheck) and HerdProtect. There's no tool that I know of that can check individual files on HerdProtect, so this batch file will get the SHA1 for the file(s), build the URL for it to HerdProtect's knowledge base, download the page source and parse it. It turned out really nice, a batch file that creates and executes a VBScript :)
    It doesn't submit unknowns to VT, but you can just modify the code if you want that.


  4. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #4

    Have you considered trying OpSwat MetaScan instead of VirusTotal? Perhaps worth a look?

    https://www.metascan-online.com

    Have a close look at the public apps and APIs.
    https://www.metascan-online.com/en/apps


  5. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #5

    SigCheckGUI


    I wonder if you've tried this?

    https://www.sevenforums.com/software/...-uploader.html

    I'll run a check on system32 - system32/drivers and see if I get the same issues.

    Edit: Forget that - it doesn't want to scan system32/drivers even if sys is added to the list of extensions!
    Last edited by Callender; 03 Nov 2014 at 14:51. Reason: add info


  6. Posts : 1,049
    Windows 7 Pro 32
    Thread Starter
       #6

    Thanks for the suggestions guys!

    I'll have a look at Metascan, but is it as frequently used as VT? I don't know, but one of the best things with sigcheck and VT is that it almost never has to submit any files because someone else has already done it, including recently updated files. Checking thousands of files only takes a few minutes.

    Haven't tried SigCheckGUI. Anyway, the problem with any VT tool, I think, is that it only shows the detection rate. To see which AVs detected something you have to open the report for each file. Example:
    [Attachment: VirusTotal getting annoying cause of FPs-vtex.png]


  7. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #7

    Report for each file


    It's the same with SigCheckGUI - it shows the scores but you have to click each link to get a report on each file.


  8. Posts : 1,049
    Windows 7 Pro 32
    Thread Starter
       #8

    Then at least you understand my problem. Maybe it's just me that's paranoid enough to scan system32 and drivers. If you did too, you'd see that AegisLab makes reading the result very difficult when you check thousands of files and many are wrongly detected. I could of course simply ignore all files with only 1 detection and make sigcheck not open reports. But it just feels wrong to do that because one AV isn't doing its job properly. And I hope that VT doesn't keep adding more questionable AVs so that we end up with 200 or so in ten years.


  9. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #9

    VirusTotal results


    I always ignore anything flagged up unless there are multiple detections, or I double check using other scanners.

    I like this one, but it only scans running processes/drivers against common AVs:

    System Explorer Scan Results - report just finished.


  10. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #10

    SigCheck System32 Drivers


    Sigcheck scan finished. All zero scores on VirusTotal, along with a few unknown (to VirusTotal) drivers.

    Report attached.

    [Attachment: output.txt]

    You're right - it's a pain having to check each link.

