Malware Analysis Is this installer legit?

Malleable

Level 1
Mar 2, 2021
45
So i was installing drivers for my xtrfy m4 mouse, uploaded new file to virustotal and got results 11/71

is this installer legit? I dont want to run it as im not sure about it..


Source: – Xtrfy > Mouse > m4
The VirusTotal rule of thumb, as I've read from people I deem knowledgeable, is 2 - 3 positives isn't very meaningful. More than that beware. Personally, if I see a couple of positives I check back in a week or so and often false positives are cleaned up to 1 remaining or none. Sometimes I've checked back after a day or two and seen the positives increase and keep increasing day by day. Some of the virus engines are very aggressive and the same AV names often seem to keep popping up in the 2 - 3 positives range as the initial detectors then within days sort out their false positives.
 
Last edited:

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
So i was installing drivers for my xtrfy m4 mouse, uploaded new file to virustotal and got results 11/71

is this installer legit? I dont want to run it as im not sure about it..


Source: – Xtrfy > Mouse > m4

The file is clean. You can open it in DnSpyEx to see what it is doing.

But I do see why machine learning and signature automation think it is malicious. There is one class inside called FontIcons that stores integer values for all kinds of icons and so you get strings like facebook, bitcoin, key, keyboard, master_card, google_wallet, dropbox, creditcard, paypal ... in a binary that is supposed to contain only a mouse driver, which is weird without context. Machines do not know the context where these strings are used and jump to conclusions here.

icons.png
 

Moonhorse

Level 37
Thread author
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,602
The file is clean.

But I do see why machine learning and signature automation think it is malicious. There is one class inside called FontIcons that stores integer values for all kinds of icons and so you get strings like facebook, bitcoin, key, keyboard, master_card, google_wallet, dropbox, creditcard, paypal ... in a binary that is supposed to contain only a mouse driver, which is weird without context. Machines do not know the context where these strings are used and jump to conclusions here.

View attachment 272141
Thank you so much! Love you and this community...all i could have done myself is just to contact the avs ( malwarebytes & norton in this case)

Better safe than sorry i guess (y)
 

Malleable

Level 1
Mar 2, 2021
45
Returning to this, VirusTotal to me is a somewhat slow process. As others in the past have reported it may not always be the best indicator but I see it as another tool in the box. Looking at it a week later nothing has changed and it still shows the same 11 antivirus engines flagging this file. Based on my experiences with VirusTotal those are probably false positives, their AI or whatever is what it is, and the drivers may not have generated enough reports to warrant a correction from the 11 AV vendors. In addition the AV engines submitted to VirusTotal aren't always at the same settings as the home or business versions. Within days or even hours (even minutes) the big boys, BitDefender Theta, Kapersky, Forntinet, Avast/Avira, ClamAV, etc would have flagged it too. So, basically, in only 67,200% more time, I've reached the same conclusion as struppigel.

struppigel

 

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,321
Based on the Virustotal results you shared, there are some antivirus engines that have flagged the driver installer as potentially malicious. However, it's important to note that such results are not always definitive and can sometimes result from false positives.

That being said, if you have any doubts, it's always better to err on the side of caution and avoid running any installer that you are not sure about. Instead, you can try reaching out to the manufacturer's support team or the community forums to confirm the authenticity of the driver installer.

Alternatively, you can also look for other sources to download the driver installer from, preferably from trusted and reputable sources to avoid any potential risks.
 

Malleable

Level 1
Mar 2, 2021
45
TLDR: I personally would have installed the driver.

I've checked back on VirusTotal weekly just to calibrate my thinking from a couple of years ago. Yesterday VT had the file as 12/70 positives from 11/70. I didn't screenshot the original results so I guess it's most likely a newcomer with their antennae set to err on the side of caution. While some big boys (IMO) like Malwarebytes, Palo Alto Networks, Symantec, Fortinet, and Google flagged the file the other better known engines haven't. VT to me has always been an interpretive process sometimes taking minutes - hours for more engines to flag a file or filter their false positives and sometimes days (usually no more than one or two). This isn't a common dl likely with less people reporting a false positive so to me a week long wait was overkill but at that point I personally would have installed the driver.
One VT option I never noticed is the middle of the three icons at the top right, the circular arrow, reanalyzes the file to update the results.
 
  • Like
Reactions: Moonhorse and Jack

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,629
I've checked back on VirusTotal weekly just to calibrate my thinking from a couple of years ago. Yesterday VT had the file as 12/70 positives from 11/70. I didn't screenshot the original results so I guess it's most likely a newcomer with their antennae set to err on the side of caution. While some big boys (IMO) like Malwarebytes, Palo Alto Networks, Symantec, Fortinet, and Google flagged the file the other better known engines haven't. VT to me has always been an interpretive process sometimes taking minutes - hours for more engines to flag a file or filter their false positives and sometimes days (usually no more than one or two). This isn't a common dl likely with less people reporting a false positive so to me a week long wait was overkill but at that point I personally would have installed the driver.
One VT option I never noticed is the middle of the three icons at the top right, the circular arrow, reanalyzes the file to update the results.
In this case a malware analyst well-known for his knowledge and skills on exe files has analysed the installer and concluded it is safe. Vendors will correct their false positives if someone is bringing it to their attention. Usually it is best that developers from their corporate emails contact these vendors to get the software whitelisted and avoid this from happening in the future.

Have you contacted the driver issuer in regards to this problem?
 

Malleable

Level 1
Mar 2, 2021
45
In this case a malware analyst well-known for his knowledge and skills on exe files has analysed the installer and concluded it is safe. Vendors will correct their false positives if someone is bringing it to their attention. Usually it is best that developers from their corporate emails contact these vendors to get the software whitelisted and avoid this from happening in the future.

Have you contacted the driver issuer in regards to this problem?
It's not my driver. Just an IMO on what I've found worked for me regarding VT as a second opinion av tool. With the propogation of behavior-based malware detection it appears false positives are just an unfortunate by-product that are what they are and vendors have adopted a que será será attitude and may be putting less effort into correcting them. Gone are the days of 2 - 3 false positives quickly corrected. I've adjusted my thinking accordingly.
 

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,629
It's not my driver.
Understood. But the time that you have taken to crate few posts here is actually more than it will take you to report to the driver provider. Just a personal opinion 😀

VirusTotal is not useful as a second opinion scanner, unless when you have either Eset and Bitdefender (their signatures tend to be very accurate) or all vendors (something similar to 50/70) detect something. Many of the engines that you mentioned like Symantec with their Static Data Scanner, Google and some others are purely heuristic/machine learning engines and as such, they are prone to errors. Detections on VirusTotal may be different than the one produced in home products - sometimes nothing may be shown on VT but detected by the actual products, in other cases it may the other way around.

Vendors do correct false positives but it will need to be reported either to each one of them, or to the software publisher. The amount of files and data these vendors deal with is sheer, so some reports may be treated more urgently than others.
 
Last edited:
  • +Reputation
  • Like
Reactions: roger_m and ng4ever

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
It's not recommended to make an actual end assessment from VTs ( VirusTotal ) scan/detection page alone. That's very inconclusive. " Can't see the forest for the trees " is sadly too common. VT is much more versatile and capable.

Here's a great video guide on VT ( created 2020 ) from member @struppigel that hopefully can help. (y)

 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top