Question How to judge a file is safe or not in Virustotal?

[Can't Decide]

I know this might be newbie question but how do I know or judge whether the file is safe or not?

Recently I uploaded Sandboxie-Plus 1.13.3 and PeaZip 9.7.1 setup installer to Virustotal, though both came out 0 detection but under "community" tab some sandbox verdict indicate "likely malicious". And also for PeaZip 9.7.1, under "Relations" or "behavior" had some past detection. Because of that I'm confused about how to judge a file to be safe or not.

Better be safe than sorry since I don't know these issue had been solved or not Security News - GitHub besieged by millions of malicious repositories in ongoing attack

Furthermore, these can happen to other excutable files whether its downloaded from github or offical website. Can anyone give some advise?

 

[Bot]

A file is generally safe if it has 0 detections on VirusTotal. The "community" tab reflects users' opinions, which can be subjective. Past detections under "Relations" or "Behavior" might be false positives or resolved issues. Always download from official/trusted sources, keep your antivirus up-to-date, and if in doubt, research the file online. For more specific advice, consider consulting with a cybersecurity expert.

 

[Practical Response]

Very good advice from bot. Generally was stated because there is a very slight chance a threat is so new it has no signatures yet.

As for the findings, depending on how the application is designed and interacts with the operating system it's "methods" can mimic malicious actions. Basically tools that can be used for good or bad can trigger this.

If unsure after running through VT, you can always upload to a more thorough analysis where "unknowns" are analyzed on a deeper level that will give you a verdict of malicious intent. Sites like Free Automated Malware Analysis Service - powered by Falcon Sandbox

 

[Wrecker4923]

Adding to what the bot says, a file that has been around for a while is even likelier to be safe. In the VT's details tab, you can see the line, first submission or first seen in the wild date. I am not sure how long you should wait for the "strike period" to have passed, but maybe the supply-chain attack on 3CX might give some numbers ( VirusTotal ) : exe signed: 2023-03-03, AV reportedly started flagging ( The 3CX attack was targeted — but the plan was broader ) and file submitted to VT: 2023-03-22 (which were taken by many as false positive), and then definitively reported and widely flagged as compromised: 2023-03-29.

I personally think it feels safer if VT gives a total clear. It's usually the ones that have flags that never go away that are tough. 3CX's flag was believed to be false positive because it had always been flagged one way or another. Legitimate Tor is commonly tagged as suspicious. Some recommended OS software, like Picocrypt, can't seem to get rid of the flags. I think it is this kind that easier to fall into.

 

[LennyFox]

I followed @Bot's advice and consulted a cyber security expert, her (yes her) answer (as a rule of thumb)

• more than 5 engines flagging a file as a virus, 99% probability it is malware
• zero engines flagging a file: 99% probability it is safe

Bottem line: you really know for 100% it is safe without running it in a real environment and monitor system and network behavior for at least an hour, so either you live with it or don't download and execute it

 

[Practical Response]

[*]more than 5 engines flagging a file as a virus, 99% probability it is malware

This depends on the engines flagging it and their rate of false positives.

[*]zero engines flagging a file: 99% probability it is safe

What is the expert basing this percentage on, as brand new malware will not have signatures made until discovery. Damaging tools that can be used for good or bad can also be rated as "clean".

Its a mixture of uploading and research to determine, and further analysis in a more robust solution like hybrid analysis if need be.

 

[LennyFox]

@Practical Response
I asked a security expert, normally I would introduce you to each other because I am just the messenger, but since you are a level 4 MT member and I know nothing about you I am hesitating to link you together. Maybe some MT-members with a level of above 80 could endorse you?

EDIT: I happened to meet her and she said you (@Practical Response ) are missing the point she is making, because I made a typo (put in bold)

Bottem line: you really DON'T know for 100% it is safe without running it in a real environment and monitor system and network behavior for at least an hour,
so either you live with it (and TAKE THE RISK) or (BETTER) don't download and execute it (APPLY SAFE HEX)

Aplogize, my bad

 

[Practical Response]

I asked a security expert, normally I would introduce you to each other because I am just the messenger, but since you are a level 4 MT member and I know nothing about you I am hesitating to link you together. Maybe some MT-members with a level of above 80 could endorse you?

Thanks for the laugh, almost made me spit my coffee out.

EDIT: I happened to meet her and she said you (@Practical Response ) are missing the point she is making, because I made a typo (put in bold)

Aplogize, my bad

Run it in a normal environment, why didnt I think of that, I would know for sure if it was infection then correct?

 

[LennyFox]

Thanks for the laugh, almost made me spit my coffee out.



Run it in a normal environment, why didnt I think of that, I would know for sure if it was infection then correct?

Yes that is the standard practice and you have to wait for an hour (because some malware does not activate in VM and some malware uses a delay of 15 minutes to fool behavior blockers or have build in delays when they connect to C&CC's). Now she does not want to speak to you anymore (needing to explain why malware hunters use real encapsulated environments), sorry (again only being the messenger I have no idea what a C&CC or encapsulated environment is, for example)

 

[Practical Response]

Yes that is the standard practice and you have to wait for an hour (because some malware does not activate in VM and some malware uses a delay of 15 minutes to fool behavior blockers or have build in delays when they connect to C&CC's). Now she does not want to speak to you anymore (needing to explain why malware hunters use real encapsulated environments), sorry (again only being the messenger I have no idea what a C&CC or encapsulated environment is, for example)

So let me get this straight, its standard procedure to just execute something on your live machine and just let it run to see if its malicious or not? Are you serious right now? Nothing like misleading users with bogus crap for whatever reason. Certainly not responsible to set something loose on a live environment, network, or even server just to see what it does.

Sure some malware are sandbox aware and will not run. Yes samples can be delayed or communicate with a command and control to drop the actual payload. Does not mean the file can not be analyzed in a safe environment with indicators. Im not sure what kind of "expert" you are talking too, but they are making no sense what so ever.

I hope and pray that any average users out there do not read this thread that is now being riddled with nonsense and get derailed into misleading information.

 

[LennyFox]

So let me get this straight, its standard procedure to just execute something on your live machine and just let it run to see if its malicious or not? Are you serious right now? Nothing like misleading users with bogus crap for whatever reason. Certainly not responsible to set something loose on a live environment, network, or even server just to see what it does.

That is not what I have been told nor what I have posted. I posted that it is standard practice for MALWARE HUNTERS (not average users) to run malware in a real encapsulated environment. I posted that I did not know what an encapsulated environment was. Reading your response, you also don't seem to know what it means, Therefore I asked her what an encapsulated environment was.

She told me that it is a safe stand alone environment (never connected to local network or any other device) with all sorts of software running on it to analyse it with a filtered connection to the internet (meaning web traffic is also captured and analysed).

Anyway I am not going to bother my acquintance again with your responses, since you seem to get angry when you are missing the point and I want to keep discussions friendly over here.

 

[Practical Response]

That is not what I have been told nor what I have posted. I posted that it is standard practice for MALWARE HUNTERS (not average users) to run malware in a real encapsulated environment. I posted that I did not know what an encapsulated environment was. Reading your response, you also don't seem to know what it means, Therefore I asked her what an encapsulated environment was.

She told me that it is a safe stand alone environment (never connected to local network or any other device) with all sorts of software running on it to analyse it with a filtered connection to the internet (meaning web traffic is also captured and analysed).

Anyway I am not going to bother my acquintance again with your responses, since you seem to get angry when you are missing the point and I want to keep discussions friendly over here.

Look Max, this post was started by an average user that has no idea how to set up a containment testing lab in their home.

These tips were in place to help the user determine and make well informed choices.

Your addition of malware hunters doing this in one had no bearing on the convo and the way you worded things should be done.

You and all the other game playing, word twisters are doing nothing but misleading users with your nonsense. Why it's allowed here is beyond me it is the very essence of unprofessionalism.

 

[LennyFox]

Mad max has done it again

 

[Practical Response]

Mad max has done it again

What have you done again besides ruin a learning opportunity for average users to learn by. Your proud of this?

No wonder all other sites think this one is a joke, because of users like you that make it that way.

 

[LennyFox]

??? who is max

 

[Practical Response]

??? who is max

@BoraMurdar care to explain to him who he is?

 

[LennyFox]

@BoraMurdar care to explain to him who he is?

you mean this one?

 

[Practical Response]

I know this might be newbie question but how do I know or judge whether the file is safe or not?

Recently I uploaded Sandboxie-Plus 1.13.3 and PeaZip 9.7.1 setup installer to Virustotal, though both came out 0 detection but under "community" tab some sandbox verdict indicate "likely malicious". And also for PeaZip 9.7.1, under "Relations" or "behavior" had some past detection. Because of that I'm confused about how to judge a file to be safe or not.

Better be safe than sorry since I don't know these issue had been solved or not Security News - GitHub besieged by millions of malicious repositories in ongoing attack

Furthermore, these can happen to other excutable files whether its downloaded from github or offical website. Can anyone give some advise?

You have a legitimate question for which as I stated above in all this now confusing thread, is that once you have come to this impasse, taking it a step further will help you determine.

I downloaded both directly from the GitHub and sandboxies page and its the same file. I ran it through VT and found the same thing you did. So I then uploaded it to hybrid analysis of which it was determined malicious only because one antivirus engine flagged it, if you look at the info I gathered from the analysis you will quickly see it is a false positive. Nothing to worry about these things happen and its good to question it to make sure.

 

[Can't Decide]

@Bot, thanks for the good advice.

Very good advice from bot. Generally was stated because there is a very slight chance a threat is so new it has no signatures yet.

As for the findings, depending on how the application is designed and interacts with the operating system it's "methods" can mimic malicious actions. Basically tools that can be used for good or bad can trigger this.

If unsure after running through VT, you can always upload to a more thorough analysis where "unknowns" are analyzed on a deeper level that will give you a verdict of malicious intent. Sites like Free Automated Malware Analysis Service - powered by Falcon Sandbox

Oh, I didn't know there are other sites that provide free(without account) analysis where "unknowns" are analyzed on a deeper level that will give you a verdict of malicious intent. Thank you for providing the site. It's good to have multiple analysis opinion just to make sure it safe.

Bottem line: you really know for 100% it is safe without running it in a real environment and monitor system and network behavior for at least an hour, so either you live with it or don't download and execute it

I not really sure what program to use for monitor system and network behavior but I know some program (e.g ProcessMonitor and ProcessExplorer) that can monitor the system but ProcessMonitor and ProcessExplorer need connection to use, do those log stored locally or will send some to M$?

You have a legitimate question for which as I stated above in all this now confusing thread, is that once you have come to this impasse, taking it a step further will help you determine.

I downloaded both directly from the GitHub and sandboxies page and its the same file. I ran it through VT and found the same thing you did. So I then uploaded it to hybrid analysis of which it was determined malicious only because one antivirus engine flagged it, if you look at the info I gathered from the analysis you will quickly see it is a false positive. Nothing to worry about these things happen and its good to question it to make sure.

View attachment 282748

View attachment 282749

View attachment 282750

View attachment 282751

View attachment 282752

View attachment 282753

Thank you for taking your time helping me, it really show more infomation.


It's good that people with knowledge about the matter give advice than blindly follow some random online advice, even though some advice might be too advance for me but at the same time I learn something.

 

[Freki123]

Oh, I didn't know there are other sites that provide free(without account) analysis where "unknowns" are analyzed on a deeper level that will give you a verdict of malicious intent. Thank you for providing the site. It's good to have multiple analysis opinion just to make sure it safe.

Maybe also take a look at Kaspersky Threat Intelligence Portal It's one engine (kaspersky) but the seem to do more advanced stuff then when listed on virus total alone.
The "Dynamic analysis summary" at the bottom in green, orange and red may also give some hints.