VirusTotal: When is it a false positive, when is it new malware?

Carbonyl

New member
Power User
Local time
1:28 AM
Messages
76
Hi everyone. Perhaps this is a stupid question, but I'm rather curious if there is any way to confirm that something is a false positive when it comes to malware scans?

Recently I've become interested in running a rather old program that's being supported out-of-cycle by user-generated updates. The problem is that the user-created patches seem to set off a few antivirus flags for certain scanning engines. Uploading to VirusTotal gives a result of 3/43 positives. Now, that could be three false positives... but how do I separate that from new malware that other engines simply haven't identified yet?

Additionally worrisome is the fact that the user-generated content comes with instructions to add exceptions for the firewall and antivirus to "avoid problems". I'm not sure if this is a legitimate recommendation to circumvent conflicts, or if it's a clever way to convince people to infect their own systems.

Is there any way I can take a closer look at the suspicious file to see if it's safe or not? Obviously I've already tried VirusTotal, but I don't know where to go from here.
Hi,

Good question. You could try additional scanners like Jotti and ESET but I suspect you may get the same result.

Another option is to seek specific malware help from an expert. You could get in touch with Corinne or Jacee here on the forums and ask their recommendations; they may be able to point you in the right direction.

Regards,
Golden
I would be wary of using un-quality-controlled patches that want to add exceptions for themselves in security software; it looks like a ticket to hell. Home-brewed code can also play havoc with the stability and security of the OS unless it has been extensively tested and debugged by the community. If this is some hobbyist thing, ask questions on the specific user forums.

If you absolutely need to run this thing, do it in a virtual/sandboxed environment or on a test machine. Otherwise you are much better off using standard software.
Thanks very much for the input. I have tried Jotti's, and got much the same result as VirusTotal. ESET is my primary antivirus, as well as being contained in the VirusTotal results - ESET says the file is clean. I'd hate to bug experts on the forum over something so trivial, but I do admit to being curious as to what someone with more experience than I would say!

Bill, I agree with you completely with what you say. Sadly, there's no alternative for this particular program. It's well past the end of its life cycle, so alternatives are null. Doing without it would be no crime, though, so if I can't verify its safety I'll just not use it. Interestingly, I DID try running it in a sandbox (Sandboxie, to be exact), but it came back with errors about files not being found - files which are clearly in the right locations. On the Sandboxie forums, tuzk said to use the latest beta, but I'm hesitant to install unstable betas.

Asking on the official user forums for this software is something I haven't done, but searching those forums reveals that the main user-developer said "Anyone with a disassembler, x86 assembler experience, and an afternoon could reverse engineer the DLLs added and verify there is nothing remotely malicious in them." Of course, this exceeds my experience, so I can't verify he's telling the truth.
Using heuristics is one way, because it analyzes the behavior of the malware. What is this program trying to do? Is it accessing parts of the computer that are very sensitive and that it shouldn't need to, and so forth. Absolute software is said to be a false positive because it is said to help locate a stolen laptop or computer, but I say it is a Trojan that is not necessary; it is simply a program to once again invade privacy. So it kind of has to be your call: do you trust it or not? In most cases these days, like Bill said above, I would be wary of it...
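The questions raised across the thread (the 3/43 result in the original post, the "what is this program trying to do" heuristic in the reply above, and the developer's remark that the added DLLs could be inspected) can be partly answered offline before anything is uploaded anywhere. The script below is an added example, not code from the thread or from any of the posters. It assumes the file is a Windows PE executable and uses only the Python standard library: it computes the digests that VirusTotal and Jotti accept as search terms (so a file can be looked up by hash rather than uploaded), parses the PE section table and scores each section's Shannon entropy (a high-entropy section usually means packing or encryption, which is a common trigger for generic detections on otherwise clean files), and does a crude strings-style scan for DLL names that would be worth explaining. The DLL list, the 7.0 bits/byte threshold and the tiny sample image the script builds for itself are constructed for illustration and are assumptions of the example, not facts from the thread.

```python
"""Offline static triage of a suspicious Windows executable.

Added example, not code from the forum thread. Assumes a PE file; the DLL
list and the entropy threshold are illustrative choices, not a classifier.
"""
import hashlib
import math
import random
import struct
from collections import Counter

# DLLs whose presence a reviewer should be able to explain (illustrative set).
INTERESTING_DLLS = {
    b"ws2_32.dll": "raw network sockets",
    b"wininet.dll": "HTTP client",
    b"urlmon.dll": "URL download helpers",
    b"advapi32.dll": "registry, service and privilege APIs",
}
HIGH_ENTROPY = 7.0  # bits per byte; sections above this are usually packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """Digests that can be searched on VirusTotal or Jotti without uploading the file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_sections(data: bytes) -> list:
    """Parse the PE section table; returns [(name, raw_size, entropy), ...].

    Raises ValueError when the buffer is not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # section headers follow it
    sections = []
    for i in range(num_sections):
        entry = table + i * 40                                 # IMAGE_SECTION_HEADER is 40 bytes
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)  # SizeOfRawData, PointerToRawData
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name, raw_size, round(shannon_entropy(body), 2)))
    return sections


def interesting_imports(data: bytes) -> dict:
    """Strings-style scan for DLL names; deliberately does not walk the import table."""
    lower = data.lower()
    return {dll.decode(): why for dll, why in INTERESTING_DLLS.items() if dll in lower}


def triage(data: bytes) -> dict:
    """Gather the facts a reviewer wants before calling something a false positive."""
    sections = pe_sections(data)
    return {
        "hashes": file_hashes(data),
        "sections": sections,
        "imports": interesting_imports(data),
        "packed_sections": [name for name, _, ent in sections if ent >= HIGH_ENTROPY],
    }


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE image used only as sample input for this example."""
    text = b"\x90" * 200 + b"kernel32.dll\0ws2_32.dll\0"      # low entropy, two DLL names
    rng = random.Random(1)                                     # deterministic 'packed' payload
    packed = bytes(rng.getrandbits(8) for _ in range(1024))
    text_ptr = 512
    packed_ptr = text_ptr + len(text)

    def section_header(name, raw_ptr, body):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then
        # relocation/line-number fields (zero) and Characteristics (code|exec|read).
        return struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000, len(body),
                           raw_ptr, 0, 0, 0, 0, 0x60000020)

    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # DOS header, e_lfanew = 0x40
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)    # COFF: i386, 2 sections, PE32 opt hdr
    img += b"\0" * 224                                               # optional header, unused by the parser
    img += section_header(b".text", text_ptr, text)
    img += section_header(b".packed", packed_ptr, packed)
    img += b"\0" * (text_ptr - len(img))
    img += text + packed
    return bytes(img)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`. A report with no packed sections and no surprising DLL names does not prove the file is safe; it tells you what a reviewer would still have to explain, and it gives you hashes to search instead of a binary to upload. A packed section together with a low detection count is the classic profile of a generic heuristic hit, and also of something that has not been analysed yet, which is exactly why the thread's advice to run it in a sandbox or on a test machine stands either way.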