How many VirusTotal detections out of 56 is too risky?


3 replies to this topic

#1 Carpentry

  • Members
  • 61 posts

Posted 03 February 2017 - 08:07 PM

I use VT in addition to my AV and Malware tools when I feel the need to be a bit more cautious. Sometimes I get a detection rate of 1-3/56 files, and the information online usually lists the info as Generic_XYZ.
Usually the files are not marked by the other 50-something databases or by the more well-known ones.
 
Today I uploaded a zip file that reported 5/56 on one of the files (seen below). This brought up the question I posted in the title.
AegisLab Troj.Dropper.Msil!c 20170203
Antiy-AVL Trojan[Exploit]/SWF.SWF.Generic 20170203
Avira (no cloud) TR/Dropper.MSIL.egkwn 20170203
Bkav [Microsoft Visual C++ 8] 20170203
DrWeb Exploit.SWF.991
 
In my case I'll probably just delete the folder since it's only a game mod.
 
Should we err on the side of caution and not download anything that isn't a necessity, since even opening a browser to your homepage can be a risk?
 
 
 
[Can't edit title: I was going to add VirusTotal to clarify]

Edit: Title edited for you. ~ Animal

Edited by Animal, 03 February 2017 - 08:20 PM.




#2 DeimosChaos

  • BC Advisor
  • 1,419 posts
  • Gender:Male
  • Location:United States, Delaware

Posted 03 February 2017 - 11:01 PM

I'd say with 5 detections you could still be in the false positive range. 2 of the 5 are marking it as a Trojan dropper, which is a file that makes a connection with a server and downloads the actual virus (if I'm not mistaken).
If I read your comment right, it's in a game mod folder. My guess is the game mod reaches out to a server for some kind of communication... Maybe, or maybe not. Since game mods aren't really well known pieces of software I'd say it's pretty easy for a scan to think it's malicious. But, it could very well be. If it was me I'd probably delete it and go on my way.

Not ever downloading anything that absolutely isn't necessary is a tad paranoid in my opinion. Just use some common sense. If the site seems sketchy don't click on it (web of trust is a good thing to use to help determine sites). Download only from well known and trustworthy sources. A bit of googling and you can probably find out if the site is good or not. Use ad blockers, and anything else to help secure your browser. You should be good to go.

Hope that helps some!

OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +
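The weighing DeimosChaos describes (how many engines hit, how many of those are generic or heuristic verdicts, and whether independent engines agree on a family such as "dropper") can be made mechanical. The following is an added example written for this thread; it is not code from BleepingComputer, VirusTotal or any poster. It parses the five detection lines quoted in the first post in their "engine label [signature date]" layout and returns a triage summary. The keyword lists, the 25% threshold, and the decision to treat Bkav's bracketed compiler label as packer information rather than a verdict are all assumptions made for the example.

```python
"""Triage of a VirusTotal-style detection list (added example, not from
the forum thread or VirusTotal). Parses lines in the layout quoted in the
first post and applies simple false-positive heuristics; thresholds and
keyword lists are assumptions, not VirusTotal rules."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the five detections quoted in the first post
# (the DrWeb line carries no signature date, as on the page).
SAMPLE_REPORT = """\
AegisLab Troj.Dropper.Msil!c 20170203
Antiy-AVL Trojan[Exploit]/SWF.SWF.Generic 20170203
Avira (no cloud) TR/Dropper.MSIL.egkwn 20170203
Bkav [Microsoft Visual C++ 8] 20170203
DrWeb Exploit.SWF.991
"""
TOTAL_ENGINES = 56  # the "/56" from the thread title

# Assumed heuristics: substrings marking a heuristic/generic verdict, and
# family keywords used to check whether independent engines agree.
GENERIC_MARKERS = ("generic", "heur", "suspicious", "gen.")
FAMILY_KEYWORDS = ("dropper", "exploit", "swf", "msil", "backdoor", "ransom")


@dataclass
class Detection:
    engine: str
    label: str
    date: Optional[str]

    @property
    def is_generic(self) -> bool:
        return any(m in self.label.lower() for m in GENERIC_MARKERS)

    @property
    def is_packer_info(self) -> bool:
        # Assumption: a bracketed label naming a compiler or packer (Bkav's
        # "[Microsoft Visual C++ 8]") describes how the file was built, not
        # a malware family, so it carries little weight on its own.
        return self.label.startswith("[") and self.label.endswith("]")

    @property
    def families(self) -> set:
        low = self.label.lower()
        return {k for k in FAMILY_KEYWORDS if k in low}


def parse_line(line: str) -> Detection:
    """Parse one 'engine label [YYYYMMDD]' line. The engine name may carry a
    parenthesised qualifier such as 'Avira (no cloud)'."""
    tokens = line.split()
    date = tokens.pop() if re.fullmatch(r"\d{8}", tokens[-1]) else None
    engine = [tokens.pop(0)]
    if tokens and tokens[0].startswith("("):
        while tokens:  # absorb "(no" ... "cloud)" into the engine name
            tok = tokens.pop(0)
            engine.append(tok)
            if tok.endswith(")"):
                break
    return Detection(" ".join(engine), " ".join(tokens), date)


def parse_report(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def triage(text: str, total_engines: int = TOTAL_ENGINES) -> dict:
    """Summarise a detection list and return an assumed triage verdict."""
    dets = parse_report(text)
    specific = [d for d in dets if not d.is_generic and not d.is_packer_info]
    agreement = Counter(f for d in specific for f in d.families)
    ratio = len(dets) / total_engines
    best = agreement.most_common(1)[0][1] if agreement else 0
    # Assumed thresholds: a quarter of engines is past the false-positive
    # range; two or more specific engines naming the same family means the
    # file deserves analysis in a sandbox rather than being dismissed.
    if ratio >= 0.25:
        verdict = "likely malicious"
    elif len(specific) >= 2 and best >= 2:
        verdict = "suspicious: specific engines agree on a family, analyse before use"
    else:
        verdict = "possible false positive: generic or packer-only hits"
    return {
        "detections": len(dets),
        "ratio": ratio,
        "generic": sum(d.is_generic for d in dets),
        "packer_info": sum(d.is_packer_info for d in dets),
        "agreement": dict(agreement),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the quoted sample the parser finds what DeimosChaos counted by eye: two non-generic engines (AegisLab, Avira) agree on "dropper", Antiy-AVL's hit is a generic signature, Bkav only reports the compiler, and the ratio is well under the assumed 25% line, so the result is "suspicious" rather than either "likely malicious" or "false positive". The point of the agreement counter is that five unrelated generic names and five engines naming the same family are very different signals even at the same 5/56 ratio.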


#3 Didier Stevens

  • BC Advisor
  • 2,641 posts
  • Gender:Male

Posted 04 February 2017 - 06:48 AM

Can you post a link to the VT report? I'll have a look.

 

Game mods can trigger false positives, especially if they open the game process to make changes.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 Carpentry (Topic Starter)

  • Members
  • 61 posts

Posted 05 February 2017 - 06:19 PM

> Can you post a link to the VT report? I'll have a look.
>
> Game mods can trigger false positives, especially if they open the game process to make changes.

 

I decided to walk away from it, but would still be interested in knowing.

Here is the link: https://virustotal.com/en/file/101cb308cff4aaaf0d13708318a3d42d500ffb592ea2d7c7fa7753d45cb1ed31/analysis/

Potentially useful info: it uses port 80 to connect to the internet.

 

 

Thanks!


Edited by Carpentry, 05 February 2017 - 06:23 PM.




