Malicious or safe .dll

[Kathandra]

Hello!
About a year ago my computer had some issues and we installed app called HDSentinel to check storage and that its alright.
Those issues got fixed, but I never uninstalled that HDSentinel app.

Now fast forward to early december, my antivirus all of the sudden blocked some thing at temp folder that seemed to have something to do that HDSentinel app. At first I thought it must be a false positive, until I noticed something weird:

HDSentinel has a .dll file called storagetest.dll, it is about 13MB in size and signed by the developer and located at the folder of that program and is not flagged by any engine in virustotal.

My antivirus blocked a file called storagetest.dll, however, that file was 49MB in size, did NOT have valid signature, was located in temp folder and is flagged by 13 engines by virustotal as malicious.

Here is the virustotal link for the file: VirusTotal

When I uploaded it to virustotal, I was first who had uploaded that file. It was first flagged by 17 engines and I have analyzed it about every other day out of curiosity, and once in a while some engines have stopped seeing it as malicious, now only 13 engines does see it as malicious.

I contacted the app developer who said that he is very confident that its malicious and asked me to send it for him so he could inspect and see, but sadly I had got it deleted already so I could not do that.

Its been a while but I am still super curious about that file.

Interestingly the most "reputable" AV programs on virustotal still does not seem to detect anything wrong with it, and most of those detections are from AVs I had not heard before.

 

[Bot]

Hello!

It's understandable that you're curious about the suspicious file you encountered. Based on the information you provided, it does seem odd that the file in the temp folder was significantly larger than the original storagetest.dll file from HDSentinel. Additionally, the lack of a valid signature and the fact that it was flagged as malicious by multiple antivirus engines raises concerns.

While it's difficult to determine the exact nature of the file without having access to it, it's possible that the file you encountered in the temp folder was a modified or malicious version of the original storagetest.dll file. This could explain why it was flagged as malicious by several antivirus engines.

It's worth noting that antivirus engines use various techniques to detect and identify malware, including signature-based detection, behavior analysis, and heuristics. Different antivirus programs may have different detection capabilities and may prioritize different aspects of malware detection. This could explain why some antivirus engines on VirusTotal did not flag the file as malicious.

In situations like this, it's always a good idea to err on the side of caution. If your antivirus software flagged the file as malicious and you have no reason to believe otherwise, it's best to trust the antivirus detection and remove the file from your system. If you still have concerns, you can reach out to the antivirus vendor for further assistance or consider seeking help from a professional in the field of malware analysis.

Remember to keep your antivirus software up to date and regularly scan your system for any potential threats. It's also a good practice to regularly update your installed applications and operating system to ensure you have the latest security patches.

I hope this information helps! Let me know if you have any further questions.

 

[roger_m]

It's a false positive. As you noted, none of the more reputable antiviruses detect it. Most of the ones that do detect it and they are mainly the AI based ones, have big problems with false positives. It was first submitted to VT a month ago. If it was actually malicious, there has been more than enough time for more reputable antiviruses to add signatures for it.

 

[Berny]

@Kathandra

↓ The verdict with a Kaspersky scan is clean ↓

 

[Kathandra]

@Kathandra

↓ The verdict with a Kaspersky scan is clean ↓

View attachment 280826

Thank you for checking it out!!

Can I ask how were you able to get that file in order to scan it? Were you able to download it from virustotal?

I would love to get that file back somehow too, so I could send it to the developer as he had lot of interest on it and why it was so much bigger than the original 13MB file.

 

[Berny]

@Kathandra

You are welcome.

Please see the path on above screenshot, the DLL-file is located in the Hard Disk Sentinel application folder on my C: drive.

 

[Kathandra]

@Kathandra

You are welcome.

Please see the path on above screenshot, the DLL-file is located in the Hard Disk Sentinel application folder on my C: drive.

You are talking about totally different file, the file you are talking about is the legit file that is normal to have and part of the app.

It's a false positive. As you noted, none of the more reputable antiviruses detect it. Most of the ones that do detect it and they are mainly the AI based ones, have big problems with false positives. It was first submitted to VT a month ago. If it was actually malicious, there has been more than enough time for more reputable antiviruses to add signatures for it.

When I uploaded it to virustotal a month ago, did the reputable antiviruses also get a copy of the file, allowing them to inspect it and make the signatures?
Because I did not upload it directly to anyone else than virustotal.

 

[roger_m]

When I uploaded it to virustotal a month ago, did the reputable antiviruses also get a copy of the file, allowing them to inspect it and make the signatures?

Yes, VirusTotal shares uploaded files with antivirus vendors.

 

[struppigel]

Hi. I have got access to files on Virustotal. The original file is packed with UPX and the file you uploaded to VT got unpacked (e.g. via upx.exe -d). That it why it is bigger and the signer is not valid anymore. Nothing to worry, though.
It is still better to use the original one, though.

 

[struppigel]

I uploaded the file for you here: MalShare

 

[Kathandra]

Hi. I have got access to files on Virustotal. The original file is packed with UPX and the file you uploaded to VT got unpacked (e.g. via upx.exe -d). That it why it is bigger and the signer is not valid anymore. Nothing to worry, though.
It is still better to use the original one, though.

OMG, thank you so much!!!
I am so thankful for you, I dont even know what to say! So kind of you to spend time researching it and explaining it all out for me!
That explains it all and makes so much sense! Even after I heard that it was false positive, the virustotal flags kind of freaked me out as I did not understand why a file would get big like that in a first place and it made me little uncomfortable, but now it all makes sense. Thank you