6 months ago
I am going to share some tips to help you know if a Virus Total detection may or may not be a false positive.
Obviously this is not 100% certain as there are many virus writers who leave their Trojans or other malware undetectable, but it can be a good start when in doubt.
Always before the slightest doubt, install the program detected as malware in a VM or Windows Sandbox and monitor its behaviour.
If you know some other ways other than these mentioned one, do share in posts below.
Here are the tips:
1) You got it from the official site, it's not impossible but unlikely to be bad
2) The antivirus that detects it is not one of the well-known ones, and it's the only one
3) Combine low detection rate with the age of the file (First Submission Time in the Details tab in VirusTotal): If it's a few months old, it's most likely clean. Old malware doesn't stay on low detection rates for that long.
4) Check the hash values of our download, we can go to the website of the developer of the program for which we have the installer and look for the MD5, SHA-1, SHA-256 code, etc. of its original installer. Once we have the two codes available, that of our downloaded file and that of the installer or software from the developer's official website, we can compare both and see if they match and our file is reliable or not.
5) Check if the file is signed and if that sign is valid. You also see that in the VirusTotal Details tab. Things like adware and unwanted programs can also be signed. But if you trust the company or organization that signed it, the file is most likely clean.
Example of a false positive:VirusTotal
How do I know that this detection is a false positive?
I have followed the advice shared above and I can assure you with high probability of certainty that it is a false positive because:
1) I am a beta tester for this company and have downloaded the file from a secure developer site.
2) AV that detects an adware is an unknown antivirus and it's the only one, does anyone know Jiangmen? The truth is the first time I see that AV.
3) The detection date and the file is new because it is a file that is in development, in this case the date is not useful.
4) I have compared the hashing algorithms of the downloaded file and they match those published by the developer on their website.
5) The file is signed, the signatures are valid and one of the signatures corresponds to that of the developer for which I am sure it is a legitimate file.
Some Other Tips:
1. The name itself. Often we will see a mix of the words, Something-Generic-something, Gen-something, PUA (Possible Unwanted, Application), Hacktool-xxx, Malicious-xxxx, Gen_Trojan, RiskTool, and in general not a specific virus name. The above can also be seen in variations like PUS (software) or PUF (file). The reason those names often pop is because of either the heuristic function, which essentially tries to guess if a part of code inside a program is a virus, based on some known code patterns or because after some time the medicine that is included along with programs get detected as a virus by the AV to scare/warn people.
2. We won't see the same virus name repeat on several antivirus engines concurrently and consistently. Some a/v will show one name, and, some others will show a different. If it was indeed a known virus, most AV will show the same name or the same sub variation.
As an example, look at the screen below and you will see exactly what I described above. Generic names (hacktool, Generic, malicious, etc) and each engine give its own name. You can understand how fake some programs and results are just by looking at the name. W32.AIDetectVM... AI as in Artificial Intelligence which is simply a catchphrase used from marketing to impress.
Needless to say, no matter what, attention to detail and caution must be exercised always. Remember to scan the "medicine" as well as the main app. Don't be afraid to ask if you are not sure but don't wear the tinfoil hats either.
Obviously this is not 100% certain as there are many virus writers who leave their Trojans or other malware undetectable, but it can be a good start when in doubt.
Always before the slightest doubt, install the program detected as malware in a VM or Windows Sandbox and monitor its behaviour.
If you know some other ways other than these mentioned one, do share in posts below.
Here are the tips:
1) You got it from the official site, it's not impossible but unlikely to be bad
2) The antivirus that detects it is not one of the well-known ones, and it's the only one
3) Combine low detection rate with the age of the file (First Submission Time in the Details tab in VirusTotal): If it's a few months old, it's most likely clean. Old malware doesn't stay on low detection rates for that long.
4) Check the hash values of our download, we can go to the website of the developer of the program for which we have the installer and look for the MD5, SHA-1, SHA-256 code, etc. of its original installer. Once we have the two codes available, that of our downloaded file and that of the installer or software from the developer's official website, we can compare both and see if they match and our file is reliable or not.
5) Check if the file is signed and if that sign is valid. You also see that in the VirusTotal Details tab. Things like adware and unwanted programs can also be signed. But if you trust the company or organization that signed it, the file is most likely clean.
Example of a false positive:VirusTotal
How do I know that this detection is a false positive?
I have followed the advice shared above and I can assure you with high probability of certainty that it is a false positive because:
1) I am a beta tester for this company and have downloaded the file from a secure developer site.
2) AV that detects an adware is an unknown antivirus and it's the only one, does anyone know Jiangmen? The truth is the first time I see that AV.
3) The detection date and the file is new because it is a file that is in development, in this case the date is not useful.
4) I have compared the hashing algorithms of the downloaded file and they match those published by the developer on their website.
5) The file is signed, the signatures are valid and one of the signatures corresponds to that of the developer for which I am sure it is a legitimate file.
Some Other Tips:
1. The name itself. Often we will see a mix of the words, Something-Generic-something, Gen-something, PUA (Possible Unwanted, Application), Hacktool-xxx, Malicious-xxxx, Gen_Trojan, RiskTool, and in general not a specific virus name. The above can also be seen in variations like PUS (software) or PUF (file). The reason those names often pop is because of either the heuristic function, which essentially tries to guess if a part of code inside a program is a virus, based on some known code patterns or because after some time the medicine that is included along with programs get detected as a virus by the AV to scare/warn people.
2. We won't see the same virus name repeat on several antivirus engines concurrently and consistently. Some a/v will show one name, and, some others will show a different. If it was indeed a known virus, most AV will show the same name or the same sub variation.
As an example, look at the screen below and you will see exactly what I described above. Generic names (hacktool, Generic, malicious, etc) and each engine give its own name. You can understand how fake some programs and results are just by looking at the name. W32.AIDetectVM... AI as in Artificial Intelligence which is simply a catchphrase used from marketing to impress.
Needless to say, no matter what, attention to detail and caution must be exercised always. Remember to scan the "medicine" as well as the main app. Don't be afraid to ask if you are not sure but don't wear the tinfoil hats either.