- Jul 3, 2015
- 8,153
If I check a file on Virus Total, and it comes out clean, how do I know that this is not just because it is a new virus?
How to use Virus Total effectively?
- Thread starter shmu26
- Start date
- Jun 21, 2014
- 1,044
You don't know, you need to use some type of sandbox. Also, more and more viruses are signed.
- Aug 6, 2014
- 1,044
True, the only way to find out is to run them in a sandbox, or even more devious, in a Virtual Machine.
But of course only downloading files from trusted sources might prevend you from the need to do all of this.
But of course only downloading files from trusted sources might prevend you from the need to do all of this.
VirusTotal offers a free scan service based on the opinion of many AVs.
If the file, according to VT, is clean there are two possibilities: the file is actually clean, or the file is FUD and then fully undetected.
The best thing is to upload the suspect file to an online malware analysis service like Malwr or Hybrid Analysis to perform a behavioral dynamic analysis and then read the results according to a certain level of knowledge.
https://malwr.com
https://www.hybrid-analysis.com
And here:
https://malwaretips.com/threads/some-tips-to-identify-malicious-samples-during-the-analysis.56983/
If the file, according to VT, is clean there are two possibilities: the file is actually clean, or the file is FUD and then fully undetected.
The best thing is to upload the suspect file to an online malware analysis service like Malwr or Hybrid Analysis to perform a behavioral dynamic analysis and then read the results according to a certain level of knowledge.
https://malwr.com
https://www.hybrid-analysis.com
And here:
https://malwaretips.com/threads/some-tips-to-identify-malicious-samples-during-the-analysis.56983/
Last edited by a moderator:
- Jul 3, 2015
- 8,153
I still don't understand how the sandbox helps you. If you run it in sandbox, and your antivirus kills it, then you would have been safe anyway. And if your antivirus doesn't kill it, you will think it is clean, and run it even outside of the sandbox, next time, You can't live in a sandbox forever.
- Jul 3, 2015
- 8,153
my own admittedly unprofessional approach is to see if I can find someone writing about the file on the web. If it already has a write-up, it can't be too new, and VT should know whether it is clean or not.
edit: but you still have to check whether the file is in the right location, or it might be malware named after a legitimate file.
For instance, if Adobe released a new patch that has file X, and this file turns up in your Adobe folder, it is probably legit.
edit: but you still have to check whether the file is in the right location, or it might be malware named after a legitimate file.
For instance, if Adobe released a new patch that has file X, and this file turns up in your Adobe folder, it is probably legit.
Last edited:
VirusToral is really great, but I would also additionally go with an behavioral file analysis service like @Klipsh suggested. But keep the fact in mind that malware can deploy anti-virtualization features, you can be never 100% sure.
- Mar 15, 2011
- 13,070
Virustotal relies on signatures and generic detection so many virus contains polymorphic code that makes it bypass.
- Apr 28, 2015
- 8,659
Similar threads
