Question How to judge a file is safe or not in Virustotal?

Please provide comments and solutions that are helpful to the author of this topic.

Can't Decide

Level 1
Thread author
Dec 15, 2023
35
I know this might be newbie question but how do I know or judge whether the file is safe or not?

Recently I uploaded Sandboxie-Plus 1.13.3 and PeaZip 9.7.1 setup installer to Virustotal, though both came out 0 detection but under "community" tab some sandbox:unsure: verdict indicate "likely malicious". And also for PeaZip 9.7.1, under "Relations" or "behavior" had some past detection. Because of that I'm confused about how to judge a file to be safe or not.

Better be safe than sorry since I don't know these issue had been solved or not Security News - GitHub besieged by millions of malicious repositories in ongoing attack

Furthermore, these can happen to other excutable files whether its downloaded from github or offical website. Can anyone give some advise?
 
F

ForgottenSeer 109138

Thank you for taking your time helping me, it really show more infomation. (y)

It's good that people with knowledge about the matter give advice than blindly follow some random online advice, even though some advice might be too advance for me but at the same time I learn something.

You are quite welcome. The habit you are developing to "verify" is a good habit that will carry you far in security. Asking when you can not find the answer is definitely one of those habits and how everyone learns.

Bottem line: you really know for 100% it is safe without running it in a real environment and monitor system and network behavior for at least an hour, so either you live with it or don't download and execute it ;)
This was misleading and worded in such a way that the user could have taken this advice and found themselves with an issue. It is why I responded the way I did, because no where do you state in this post that its in a contained lab and done by professional malware hunters. Its careless and irresponsible to respond with things as such to play word games.
 
Upvote 0

Jan Willy

Level 13
Verified
Top Poster
Well-known
Jul 5, 2019
602
This was misleading and worded in such a way that the user could have taken this advice and found themselves with an issue.
The author of the 'misleading' quote corrected it already and apologized in this post:
 
Upvote 0
F

ForgottenSeer 109138

The author of the 'misleading' quote corrected it already and apologized in this post:
My post was not directed at the typo in bold so much as to point out that he left out some wording he later added then acted like I had no idea what I was talking about because of. Again, these type of posts like his pollute the learning experience for average users, that have to now wade through all this to find information that could be valuable or vital. The post he initially posted was misleading stating to just execute it on the system and find out, if the reader stopped reading at that point they wouldn't have seen his post later on stating to do it in a lab. It was a wording game, because this user likes to play games with others on threads, and its irresponsible and potentially damaging to average users here to learn.

Yes that is the standard practice and you have to wait for an hour (because some malware does not activate in VM and some malware uses a delay of 15 minutes to fool behavior blockers or have build in delays when they connect to C&CC's). Now she does not want to speak to you anymore (needing to explain why malware hunters use real encapsulated environments), sorry 😞 (again only being the messenger I have no idea what a C&CC or encapsulated environment is, for example)
 
Upvote 0

Jan Willy

Level 13
Verified
Top Poster
Well-known
Jul 5, 2019
602
My post was not directed at the typo in bold so much as to point out that he left out some wording he later added then acted like I had no idea what I was talking about because of. Again, these type of posts like his pollute the learning experience for average users, that have to now wade through all this to find information that could be valuable or vital. The post he initially posted was misleading stating to just execute it on the system and find out, if the reader stopped reading at that point they wouldn't have seen his post later on stating to do it in a lab. It was a wording game, because this user likes to play games with others on threads, and its irresponsible and potentially damaging to average users here to learn.
I understand your concern about the security of the 'average' user, but in my eyes repeating the critisized quotes outside their original context - what you now did again - doesn't help. In earlier posts you've made already your point very clear. I think that even the 'average' user will have noticed this.
 
Last edited:
Upvote 0

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,628
I know this might be newbie question but how do I know or judge whether the file is safe or not?
I do not know about you, but I judge the file by myself. Like, what it is? A mod or a script to modify something? Who published it? How long has it been around?
To me Virustotal is a second opinion, but biased. Let say that Virustotal would report that a file is 99% malware, but it was published by Andy, I would still run it.
Sure, repositories can be hijacked, so maybe I would not run it immediately, but I would not be too worried about it, especially after reading verified comments.
 
Upvote 0

Sandbox Breaker

Level 11
Verified
Top Poster
Well-known
Jan 6, 2022
519
While I meticulously analyze all files in my clients' systems as a malware analyst and threat hunter, even with peer review, there's no foolproof detection. Even the most advanced techniques can miss cleverly disguised malware like supply chain attacks and encrypted code. However, the combination of human expertise and advanced technology offers the best chance of identifying such threats.
 
Upvote 0

Can't Decide

Level 1
Thread author
Dec 15, 2023
35
Maybe also take a look at Kaspersky Threat Intelligence Portal It's one engine (kaspersky) but the seem to do more advanced stuff then when listed on virus total alone.
The "Dynamic analysis summary" at the bottom in green, orange and red may also give some hints.
Thank you, I will take a look.

I do not know about you, but I judge the file by myself. Like, what it is? A mod or a script to modify something? Who published it? How long has it been around?
To me Virustotal is a second opinion, but biased. Let say that Virustotal would report that a file is 99% malware, but it was published by Andy, I would still run it.
Sure, repositories can be hijacked, so maybe I would not run it immediately, but I would not be too worried about it, especially after reading verified comments.
Where do you read verified comments?
 
Upvote 0
F

ForgottenSeer 109138

Where do you read verified comments?

This post has verified items in it with information of where and how. I apologize it was buried in all the useless posts and why I commented on this and the problem it presents. A clean thread with actual helpful information is certainly easier for the original posters to find what they need from it.

Post in thread 'How to judge a file is safe or not in Virustotal?' Question - How to judge a file is safe or not in Virustotal?
 
  • Like
Reactions: Can't Decide
Upvote 0

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top