Why is VirusTotal Giving Conflicting Results?



#1 britechguy


Posted 21 June 2018 - 08:58 PM

If I scan the URL, http://turboccc.wikispaces.com/space/showimage/Extra_POI_Editor_Installer_v604_setup.exe

the result is that two engines, BitDefender & Dr. Web, flag it as malicious while all others come up clean.

If I download the file, and submit the resultant exe, it comes back 100% clean from all engines.

The same happens for: http://turboccc.wikispaces.com/space/showimage/Extra+POI+Editor+V4.85+Help+File.zip

and its downloaded counterpart.

I understand that false positives can occur, but I've seldom seen them for the same files for their download URL versus the downloaded result.

As an aside, both Firefox and Chrome even block the download, saying these two files are malicious. MS-Edge does not.

And before anyone asks, I have not run or unzipped what I downloaded, respectively. I wanted to get further input here before even thinking about doing so.

Windows Defender flags neither file at the end of the download process.

I realize that what I'm asking requires some speculation, but I'd rather have some educated speculation from some of our illustrious regulars here than a complete SWAG from myself.


Edited by britechguy, 21 June 2018 - 08:59 PM.

Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 



 


#2 quietman7


Posted 22 June 2018 - 09:56 PM

This explanation may help.

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners...VirusTotal...a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect...Very often antivirus solutions and URL scanners will produce false positives...VirusTotal simply acts as an information aggregator and cannot and will not be held responsible for these false positives. VirusTotal will not whitelist any files or URLs and will not remove any detections resulting from the normal operation of the products it makes use of. False positives should be dealt with the developer/company that offers the product generating the erroneous detection.

  • VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
  • In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
  • Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration.
About VirusTotal
VirusTotal FAQs
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


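A small illustration of the distinction the quoted VirusTotal text draws, added here as an example and not taken from this thread or from VirusTotal: a URL report and a file report are separate lookups answered by separate engine sets, so a URL flag with no matching file detection says nothing about the bytes. It assumes the VirusTotal v3 identifier scheme (URL id is the unpadded URL-safe base64 of the URL, file id is the SHA-256 of the content); the verdict tables are constructed sample data.

```python
# Added example (not from this thread or from VirusTotal): why a VirusTotal URL
# report and a file report are independent lookups that can legitimately disagree.
# Assumed here: the VT v3 identifier scheme (URL id = unpadded URL-safe base64 of
# the URL, file id = SHA-256 of the bytes). All verdict data below is constructed.
import base64
import hashlib

# Constructed sample verdicts keyed by engine name ("malicious" or "clean"),
# as a triage script might flatten them from the two reports.
SAMPLE_URL_VERDICTS = {
    "BitDefender": "malicious",      # URL scanner flags the link
    "Dr.Web": "malicious",
    "Google Safebrowsing": "clean",  # URL-only product, never sees the bytes
    "Kaspersky": "clean",
}
SAMPLE_FILE_VERDICTS = {
    "BitDefender": "clean",          # same vendor, different (file) product
    "Dr.Web": "clean",
    "Kaspersky": "clean",
    "Microsoft": "clean",            # file-only engine
}


def vt_url_id(url: str) -> str:
    """VT v3 URL identifier: URL-safe base64 of the URL with '=' padding stripped."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def vt_file_id(content: bytes) -> str:
    """VT file identifier: SHA-256 of the bytes, whatever URL they were fetched from."""
    return hashlib.sha256(content).hexdigest()


def reconcile(url_verdicts: dict, file_verdicts: dict) -> dict:
    """Split URL-scan flags into those the file scan confirms and those it does not.

    A URL flag with no matching file detection points at link/domain reputation
    (or a URL-encoding quirk), not at the bytes; only the file engines see those.
    """
    url_flags = {e for e, v in url_verdicts.items() if v == "malicious"}
    file_flags = {e for e, v in file_verdicts.items() if v == "malicious"}
    return {
        "url_only": sorted(url_flags - file_flags),
        "file_only": sorted(file_flags - url_flags),
        "both": sorted(url_flags & file_flags),
        "url_engines_absent_from_file_scan": sorted(set(url_verdicts) - set(file_verdicts)),
    }


if __name__ == "__main__":
    print(reconcile(SAMPLE_URL_VERDICTS, SAMPLE_FILE_VERDICTS))
```

Note that the `+` and `%20` spellings of one link produce different URL ids, while identical downloaded bytes always map to the same file id, which is why a rescan of the file is the only check that speaks about the content.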
#3 Didier Stevens


Posted 25 June 2018 - 10:28 AM

I have a good idea why this is happening, but I'll check first with a friend over at VirusTotal before I write more.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

#4 britechguy


Posted 25 June 2018 - 12:24 PM

I have a good idea why this is happening, but I'll check first with a friend over at VirusTotal before I write more.

Thank you. I am really curious as to why this precise sort of thing would happen. I get that false positives occur, but I would think it would be entirely irrelevant whether one was using a direct link to the download location of a file or a downloaded version of the file itself as far as the results returned.



#5 Replicator


Posted 26 June 2018 - 09:05 AM

It may be that the URL is black-flagged for totally unrelated incidents which don't involve the said file download.

It may be unwanted noise from an AV as you say.

It may even be a poorly scripted URL string, or even an application that some engines like... others don't!

Run it in a VM or Sandbox and find out!


The quieter you become, the more you are able to hear!
CEH, CISSP @ WhiteHat Computers Pty Ltd

 


#6 britechguy


Posted 26 June 2018 - 09:13 AM

I'm really not worried about the software itself, as when the actual downloaded files scan clean from every scanner I can find, including VirusTotal, I feel more than reasonably safe.

My questions arise more from interest in the "under the hood" workings of VirusTotal (and/or the way certain virus scanners handle URLs versus the things at the end of those URLs) than from concern about whether the software is safe.



#7 Replicator


Posted 26 June 2018 - 09:24 AM

Yep, good point... each AV handles server responses differently based on URL strings and header body, I guess.

We would have to explore the source code of each application to find conclusive evidence!


Edited by Replicator, 26 June 2018 - 09:25 AM.
