Serious Discussion Behavior vs Signature: which is the best strategy?

Do you prefer a solid static protection or a smarter behaviour blocker?

  • I prefer malware to be detected upon introduction, even with higher false positive rates
    Votes: 9 (36.0%)
  • I prefer a weaker static analysis with fewer false positives, paired up with a smart behaviour blocker
    Votes: 16 (64.0%)
  Total voters: 25
If you scan a file and it comes up clean on VirusTotal but your local AV blocks it, it's usually for one of these reasons.

AI/Machine Learning
Your local AV noticed the file's behavior (e.g., trying to modify system registry keys) was suspicious, which a static scan can't see.

Generic/Cloud Detections
The vendor might have flagged the file in their private cloud but hasn't yet packaged that into a static signature sent to VirusTotal.

Specific Parameters
Some vendors intentionally make their VT engines "less aggressive" to avoid reporting false positives to the public.

The Golden Rule
VirusTotal is a tool for research and context, not a replacement for a real-time antivirus. A "clean" result on VT does not guarantee a file is safe.
 
It is just a suspicious object, not confirmed malicious.
Anything blacklisted by LiveGrid = Suspicious Object. That's the name they use for it, like UDS for Kaspersky's cloud.
Looking at the behavior on VT, it seems that this sample is something that will be detected by a lot of AVs when the sample is run, but I'm not sure of course, since it also seems to load a vulnerable driver. The relations tab shows two vulnerable drivers, one of which is detected by ESET only. The other one is also an old one but not detected by well-known AVs at this time.
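To make the static-vs-behaviour trade-off from the poll and the posts above concrete, here is an added example (not code from this thread, from ESET or from any other vendor): a toy static scanner that matches an exact hash and a byte pattern, next to a toy behaviour monitor that scores a sequence of runtime events such as Run-key persistence and the load of a known-vulnerable driver. The sample blobs, the "repacked" copy, the signature names, the driver hash and the event lists are all constructed for illustration; a real deployment would take the vulnerable-driver list from a curated source such as loldrivers.io rather than the placeholder value here.

```python
"""Static signature scan vs. behaviour-based blocking on constructed input."""
import hashlib
import re

# Constructed sample: a fake PE-like blob, and a "repacked" copy whose
# identifying string has been XOR-obfuscated so that neither the exact hash
# nor the byte pattern below still match. Neither is a real file.
ORIGINAL = b"MZ\x90\x00" + b"stage2_http_downloader_v1" + b"\x00" * 16
REPACKED = b"MZ\x90\x00" + bytes(c ^ 0x5A for c in b"stage2_http_downloader_v1") + b"\x00" * 16

# Static signatures: one exact-hash entry and one byte-pattern entry (constructed names).
SIG_HASHES = {hashlib.sha256(ORIGINAL).hexdigest(): "Trojan.Constructed.A"}
SIG_PATTERNS = [(b"stage2_http_downloader", "Trojan.Constructed.A!pattern")]

# Placeholder SHA-256 standing in for a known-vulnerable driver (made-up value).
VULN_DRIVER_HASHES = {"11" * 32}

# Behaviour rules: (event action, regex on the event target, weight, reason).
BEHAVIOUR_RULES = [
    ("registry_write", r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", 30, "Run-key persistence"),
    ("service_create", r"\btype=kernel\b", 20, "kernel-mode service installed"),
    ("process_open", r"\\lsass\.exe$", 30, "handle opened to LSASS"),
]
BLOCK_THRESHOLD = 50  # raising this lowers false positives, lowering it catches more


def static_scan(blob: bytes) -> list:
    """Return the signature names that match the file content itself."""
    hits = []
    digest = hashlib.sha256(blob).hexdigest()
    if digest in SIG_HASHES:
        hits.append(SIG_HASHES[digest])
    for pattern, name in SIG_PATTERNS:
        if pattern in blob:
            hits.append(name)
    return hits


def behaviour_score(events) -> tuple:
    """Score a sequence of (action, target) events as a sandbox or EDR would emit them."""
    score, reasons = 0, []
    for action, target in events:
        if action == "driver_load":
            # Driver loads are matched on the driver's hash, not on a regex.
            if target.lower() in VULN_DRIVER_HASHES:
                score += 50
                reasons.append("load of known-vulnerable driver " + target[:12])
            continue
        for rule_action, pattern, weight, reason in BEHAVIOUR_RULES:
            if action == rule_action and re.search(pattern, target, re.IGNORECASE):
                score += weight
                reasons.append(reason)
    return score, reasons


def verdict(blob: bytes, events) -> dict:
    """Combine both views: static hits plus a behaviour score against the block threshold."""
    score, reasons = behaviour_score(events)
    return {
        "static_hits": static_scan(blob),
        "behaviour_score": score,
        "behaviour_block": score >= BLOCK_THRESHOLD,
        "reasons": reasons,
    }


# Constructed event trace of the repacked sample: BYOVD-style driver load,
# persistence and an LSASS handle. Paths and names are illustrative only.
MALICIOUS_EVENTS = [
    ("file_write", r"C:\Users\Public\drv.sys"),
    ("service_create", r"drv type=kernel path=C:\Users\Public\drv.sys"),
    ("driver_load", "11" * 32),
    ("registry_write", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("process_open", r"C:\Windows\System32\lsass.exe"),
]

# Constructed trace of a legitimate installer that only registers a Run key.
BENIGN_EVENTS = [
    ("file_write", r"C:\Program Files\Tool\tool.exe"),
    ("registry_write", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tool"),
]

if __name__ == "__main__":
    print("original, static only:", static_scan(ORIGINAL))
    print("repacked, static only:", static_scan(REPACKED))
    print("repacked at runtime:  ", verdict(REPACKED, MALICIOUS_EVENTS))
    print("installer at runtime: ", verdict(ORIGINAL, BENIGN_EVENTS))
```

The repacked copy gets a clean static result, which is the VirusTotal-clean-but-blocked-locally situation described earlier in the thread, while the same runtime trace scores well above the threshold. The installer trace shows the other side of the poll: a Run-key write alone stays below the threshold, and pushing the threshold down to catch it would start flagging legitimate software.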
 