Make your video test requests!

Attachments

  • Screenshot_20260619-195648_(1).png
    Screenshot_20260619-195648_(1).png
    99.5 KB · Views: 48
Not a request to test, but a request to give feedback on the heuritics checks and false positive reduction filter

Hi Shadowra,

Since you have tested so many security programs, I would like to ask help for improving download sentinel.
The latest download.zip is on GitHub - Kees1958/DownloadSentinel: A Chrome extension which warns users when a risky download is initiated (version 1.3) the chromestore is still on 1.2 Download Sentinel - Chrome Web Store

When you have additional heuristics idea's please provide feedback, currently V 1.3 checks

Heuristics Checks
  • Quad9 DNS - checks if the domain is on Quad9's blocklist of confirmed malicious domains
  • RDAP domain age - new domains (< 30 days) get a penalty; very new (< 2 days) get a higher penalty
  • HTTP - flags downloads from insecure HTTP domains
  • Suspicious domain list - checks against an internal list of domains known for hosting malware or risky content (e.g. Discord CDN)
  • Suspicious TLD - flags high-risk top-level domains commonly abused by malware (e.g. .xyz, .top, .tk, .buzz)
  • Risky hosting platform - flags known file sharing / paste sites used to distribute malware
  • File size - flags downloads which exceed 650 MB (often neglected by AV's
  • Mime type - when mime type is filled (not generic), it flags inconsistency with file type
  • Sketchy downloads - see below
URL Pattern Checks (SketchyUrlCheck)
  • IP address as host — flags downloads directly from an IP address instead of a domain
  • Punycode / homograph — detects internationalized domain names (xn--) used to spoof legitimate brands
  • Excessive subdomains — flags URLs with many subdomain levels (e.g. a.b.c.d.evil.com)
  • Brand impersonation — checks if known brand names (Microsoft, PayPal, Google, etc.) appear in the wrong part of the URL, combined with lookalike character substitution (e.g Micros0ft or P@yP@l or Goog1e).

VirusTotal URL Reputation
  • Looks up the download URL against VT's database of 90+ security engines
  • Reports engine counts: not harmful / unknown / suspicious / malicious
  • Applies FP reduction filter (HIGH/MEDIUM/LOW) to remove noisy engines
  • ABC consensus bonus rewards strong clean consensus across many engines
  • Age penalty for URLs submitted less than 7 days ago
  • Longevity bonus for URLs known to VT for 30+ days

File Type the on download trigger fires
  • Blocks executables: .exe, .com, .bat, .cmd, .msi, .dll, .hta, .scr, .vbs, .ps1, etc.
  • Blocks archives: .zip, .rar, .7z, .tar.gz, etc.
  • Also catches executables MIME types
Because you tested many AV's I would like to use your insights in the current False Positive reduction filter (to reduce FP's on VT)
DownloadSentinel/DownloadSentinel_FP_Engines.xlsx at main · Kees1958/DownloadSentinel

1782717718765.png


P.S. @Trident
When your free extension checking URL's is ready which does not need a local windows executable, I would be happy to use a free version API when VT returns an unknown (to limit API-calls). When I add the requirement to request a free TRIDENT-API-KEY at your website for that fallback check, I can help (although just a little) with link building and generating traffic to your website (and feed your AI-model with download links unknown to VT).

:-) It is a win-win, think about it.
 
Last edited:
They have just released a new version. It is very buggy and has a terrible looking UI, that looks nothing like the possibly AI generated screenshots on their website. It's always had terrible detection rates, just like Protegent which is also developed by MSecure, despite using stolen signatures from Malwarebytes and others.

Screenshot 2026-07-13 130817.png

The screenshot on their website, looks nice though.

ngav-dashboard.png
 
They have just released a new version. It is very buggy and has a terrible looking UI, that looks nothing like the possibly AI generated screenshots on their website. It's always had terrible detection rates, just like Protegent which is also developed by MSecure, despite using stolen signatures from Malwarebytes and others.

View attachment 298776

The screenshot on their website, looks nice though.

View attachment 298775
Up till now they're still using MB definitions? Iobit was caught stealing MB signatures a while back. Im wondering why can't MB protect their work+
 
Up till now they're still using MB definitions? Iobit was caught stealing MB signatures a while back. Im wondering why can't MB protect their work+
I don't know if they still are, but I presume so. I have reported it to Malwarebytes more than once. Many years ago I was told that other vendors were stealing their signatures because they were unecrypted.