- May 29, 2018
The VirusTotal rule of thumb, as I've read from people I deem knowledgeable, is that 2 - 3 positives isn't very meaningful. More than that, beware. Personally, if I see a couple of positives I check back in a week or so, and often false positives are cleaned up to 1 remaining or none. Sometimes I've checked back after a day or two and seen the positives increase and keep increasing day by day. Some of the virus engines are very aggressive, and the same AV names often seem to keep popping up in the 2 - 3 positives range as the initial detectors, then within days sort out their false positives.
Thank you so much! Love you and this community... all I could have done myself is just to contact the AVs (Malwarebytes & Norton in this case).

The file is clean.
But I do see why machine learning and signature automation think it is malicious. There is one class inside called FontIcons that stores integer values for all kinds of icons and so you get strings like facebook, bitcoin, key, keyboard, master_card, google_wallet, dropbox, creditcard, paypal ... in a binary that is supposed to contain only a mouse driver, which is weird without context. Machines do not know the context where these strings are used and jump to conclusions here.
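To make the analyst's point concrete, here is an added example (not code from the thread or from any AV vendor) that imitates a context-free string heuristic and then a context-aware one. The binary blob, the keyword list and the thresholds are all constructed assumptions: the blob contains driver-like strings plus a packed table of icon names like the FontIcons class described above, and the keyword list stands in for the brand and payment words that naive signature or ML features tend to weight heavily.

```python
"""Why a context-free string heuristic flags an icon-font table.

Added example, not from the thread or the analyst's tooling. The binary
blob below is constructed: it imitates a resource table listing icon names
(like the FontIcons class described in the thread) next to ordinary driver
strings. The keyword list and thresholds are assumptions for illustration.
"""
import re

# Brand/payment words that naive signature or ML features often weight heavily.
SUSPICIOUS_KEYWORDS = {
    "facebook", "bitcoin", "paypal", "creditcard", "master_card",
    "google_wallet", "dropbox", "key", "keyboard",
}

# Constructed sample: a mouse-driver-like binary with an embedded icon-name table.
ICON_TABLE = b"\x00".join(
    w.encode() for w in ["facebook", "bitcoin", "key", "keyboard",
                         "master_card", "google_wallet", "dropbox",
                         "creditcard", "paypal", "twitter", "github"]
)
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"MouseDriver.sys\x00" + b"HID_DEVICE_SYSTEM_MOUSE\x00" + b"\x00" * 500
    + ICON_TABLE + b"\x00" * 500
    + b"DriverEntry\x00IoCreateDevice\x00"
)


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, text) for every printable ASCII run of at least min_len."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def keyword_hits(strings):
    """Strings that match the keyword list exactly, case-insensitively."""
    return [(off, s) for off, s in strings if s.lower() in SUSPICIOUS_KEYWORDS]


def naive_verdict(data: bytes, threshold: int = 3) -> str:
    """What a context-free rule does: count keyword strings, flag above threshold."""
    hits = keyword_hits(extract_strings(data))
    return "malicious" if len(hits) >= threshold else "clean"


def context_aware_verdict(data: bytes, threshold: int = 3, window: int = 256) -> str:
    """Same counting, but a cluster of bare identifiers packed into one small
    region looks like an enumeration or resource table, not scattered logic,
    so it is reported as a probable table instead of a detection."""
    hits = keyword_hits(extract_strings(data))
    if len(hits) < threshold:
        return "clean"
    span = hits[-1][0] - hits[0][0]          # byte distance first hit -> last hit
    bare = all(re.fullmatch(r"[A-Za-z_]+", s) for _, s in hits)  # no URLs/paths
    if span <= window and bare:
        return "probable-enum-table"
    return "malicious"


if __name__ == "__main__":
    print("naive:        ", naive_verdict(SAMPLE_BINARY))
    print("context-aware:", context_aware_verdict(SAMPLE_BINARY))
```

The naive rule sees eight keyword strings and flags the sample; the context-aware rule notices that all of them sit inside a 75-byte window and are plain identifiers, which is what an icon-name enumeration looks like. Real engines use far richer features, but the gap between the two verdicts is exactly the "machines do not know the context" problem the analyst describes.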
> I've checked back on VirusTotal weekly just to calibrate my thinking from a couple of years ago. Yesterday VT had the file as 12/70 positives, from 11/70. I didn't screenshot the original results, so I guess it's most likely a newcomer with their antennae set to err on the side of caution. While some big boys (IMO) like Malwarebytes, Palo Alto Networks, Symantec, Fortinet, and Google flagged the file, the other better-known engines haven't. VT to me has always been an interpretive process, sometimes taking minutes - hours for more engines to flag a file or filter their false positives, and sometimes days (usually no more than one or two). This isn't a common dl, likely with fewer people reporting a false positive, so to me a week-long wait was overkill, but at that point I personally would have installed the driver.

In this case a malware analyst well-known for his knowledge and skills on exe files has analysed the installer and concluded it is safe. Vendors will correct their false positives if someone brings it to their attention. Usually it is best that developers contact these vendors from their corporate emails to get the software whitelisted and avoid this from happening in the future.
One VT option I never noticed is the middle of the three icons at the top right, the circular arrow, reanalyzes the file to update the results.
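The "check back in a week" habit and the "I didn't screenshot the original results" problem above are easier with two saved snapshots than with memory. The following is an added example, not VirusTotal's code and not anything posted in the thread: it reads the `last_analysis_results` shape of a VirusTotal API v3 file object (`GET /api/v3/files/{sha256}`), diffs two polls of the same hash to name the engine that was added, and buckets the count using the thread's rule of thumb. Both snapshots are constructed (engine names and verdicts are invented) to mimic a file going from 11/70 to 12/70; the thresholds are assumptions; the re-analysis helper only builds the request for the `/analyse` endpoint and does not send it.

```python
"""Reading VirusTotal v3 results over time, as the thread describes.

Added example, not VirusTotal's code or anything posted in the thread. It
parses the `last_analysis_results` attribute of a v3 file object. The two
snapshots below are constructed (engine names and verdicts invented) so a
newly added detection can be identified rather than guessed. Thresholds
follow the thread's rule of thumb and are assumptions.
"""
from datetime import date

ENGINES = [f"Engine{i:02d}" for i in range(70)]   # constructed engine names


def _snapshot(flagged, when):
    """Build a minimal v3-style file object in which `flagged` engines detect."""
    results = {
        name: {"category": "malicious" if name in flagged else "undetected",
               "result": "Heur.Generic" if name in flagged else None}
        for name in ENGINES
    }
    stats = {"malicious": len(flagged), "undetected": len(ENGINES) - len(flagged)}
    return {"data": {"attributes": {"last_analysis_results": results,
                                     "last_analysis_stats": stats,
                                     "last_analysis_date": when}}}


# Constructed: one poll a week apart, 11/70 then 12/70.
WEEK1 = _snapshot({f"Engine{i:02d}" for i in range(11)},
                  date(2018, 5, 22).isoformat())
WEEK2 = _snapshot({f"Engine{i:02d}" for i in range(11)} | {"Engine42"},
                  date(2018, 5, 29).isoformat())


def positives(report):
    """Engines whose verdict category is malicious or suspicious."""
    res = report["data"]["attributes"]["last_analysis_results"]
    return sorted(n for n, r in res.items()
                  if r["category"] in ("malicious", "suspicious"))


def detection_ratio(report) -> str:
    """The 'x/70' figure the thread quotes, computed from the per-engine results."""
    res = report["data"]["attributes"]["last_analysis_results"]
    return f"{len(positives(report))}/{len(res)}"


def diff_snapshots(old, new):
    """Which engines were added or dropped between two polls of the same hash."""
    a, b = set(positives(old)), set(positives(new))
    return {"added": sorted(b - a), "removed": sorted(a - b)}


def rule_of_thumb(report, low: int = 3) -> str:
    """Triage bucket following the thread's rule of thumb (assumed thresholds):
    up to `low` positives is weak signal worth re-checking later; more is not."""
    n = len(positives(report))
    if n == 0:
        return "clean"
    if n <= low:
        return "weak-signal:recheck-in-a-week"
    return "investigate"


def reanalyse_request(file_id: str, api_key: str) -> dict:
    """Describe (without sending) the v3 call behind the 'reanalyze' icon.
    `api_key` is the caller's own key; nothing here performs network I/O."""
    return {"method": "POST",
            "url": f"https://www.virustotal.com/api/v3/files/{file_id}/analyse",
            "headers": {"x-apikey": api_key}}


if __name__ == "__main__":
    print("week 1:", detection_ratio(WEEK1), rule_of_thumb(WEEK1))
    print("week 2:", detection_ratio(WEEK2), rule_of_thumb(WEEK2))
    print("changed:", diff_snapshots(WEEK1, WEEK2))
```

Saving each poll's JSON alongside its `last_analysis_date` turns the weekly check into a diff: the newcomer engine is named outright, engines that silently withdrew a detection show up under `removed`, and the rule-of-thumb bucket is applied to the count rather than to a remembered screenshot.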
> In this case a malware analyst well-known for his knowledge and skills on exe files has analysed the installer and concluded it is safe. Vendors will correct their false positives if someone brings it to their attention. Usually it is best that developers contact these vendors from their corporate emails to get the software whitelisted and avoid this from happening in the future.

It's not my driver. Just an IMO on what I've found worked for me regarding VT as a second-opinion AV tool. With the propagation of behavior-based malware detection, it appears false positives are just an unfortunate by-product that are what they are, and vendors have adopted a que será será attitude and may be putting less effort into correcting them. Gone are the days of 2 - 3 false positives quickly corrected. I've adjusted my thinking accordingly.
Have you contacted the driver issuer in regards to this problem?
> It's not my driver.

Understood. But the time that you have taken to create a few posts here is actually more than it will take you to report to the driver provider. Just a personal opinion.