Q&A Trying to analyze a game exe file claimed to be false positive

fatihmtlm

New Member
Thread author
Mar 4, 2022
3
Hi, first I would like to mention I know near to nothing about malware analysis. I just wanted to play a discontinued old game on a private server but keep my PC secure at the same time.

I first checked the files with Bitdefender, and it showed a clear result. Then I wanted to check at least the exe file with VirusTotal, and it showed 3 malicious flags. I also checked the file with Intezer Analyze; it also flagged it as malicious. I asked on the Discord server of the game, and they claimed it is a false positive. I tried to find a sandbox program but saw you guys don't recommend it. I also learned I should check the first submission time in VT. It seems old, but I don't know what to do with that info. Today the number of flags has increased to 5, but still none from companies like Kaspersky or BitDefender. I saw a little menu in VT > Behavior, checked things like Zenbox, VirusTotal Observer, etc., and saw registry actions like:
  • HKEY_CURRENT_USER\Software\Wine
  • HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option (this also occurs on legit programs)
These are suspicious, aren't they? I want to learn some basic things about security to use in the future. Is this a false positive? What things should I look for to tell a false positive? What if this came out clean but a file I wouldn't consider scanning was infected? I've already downloaded it; is that a problem? Thank you, and forgive me if I am writing in the wrong forum.

hash: 2896a701817b3d0d42f94f75078a098a87bc795c8a676aaecb82088c5a55f5b3
VirusTotal

MacDefender

Level 16
Verified
Top poster
Oct 13, 2019
776
I don’t see anything too suspicious there. Writing to a software hive seems fine, and the second key is an ACPI check for the model of your computer (games sometimes do that).

The fact that it’s an old game and has an expired certificate is likely making all the analysis tools treat it as unsigned and hence tipping towards more suspicious. Most of the VT engines marking it as suspicious are either pure AI engines or a sandbox analyzer. At least that means that zero malware analysts have marked your sample suspicious, which is a good sign.
 

fatihmtlm

New Member
Thread author
Mar 4, 2022
3
> I don’t see anything too suspicious there. Writing to a software hive seems fine, and the second key is an ACPI check for the model of your computer (games sometimes do that).
>
> The fact that it’s an old game and has an expired certificate is likely making all the analysis tools treat it as unsigned and hence tipping towards more suspicious. Most of the VT engines marking it as suspicious are either pure AI engines or a sandbox analyzer. At least that means that zero malware analysts have marked your sample suspicious, which is a good sign.
So, should I give it a go?
 

MacDefender

Level 16
Verified
Top poster
Oct 13, 2019
776
> So, should I give it a go?
I mean, I can't guarantee it is safe, but what you're describing doesn't sound harmful so far.

I think you're starting to see how VirusTotal can be both good and bad, especially with engines that mostly train themselves on VirusTotal: all it takes is one to flag a false positive before others start following suit.

There was a controversy a while back where I believe Kaspersky would falsely flag things as malware on their VirusTotal engine to sabotage competitors, and it worked.
 

fatihmtlm

New Member
Thread author
Mar 4, 2022
3
> I mean, I can't guarantee it is safe, but what you're describing doesn't sound harmful so far.
>
> I think you're starting to see how VirusTotal can be both good and bad, especially with engines that mostly train themselves on VirusTotal: all it takes is one to flag a false positive before others start following suit.
>
> There was a controversy a while back where I believe Kaspersky would falsely flag things as malware on their VirusTotal engine to sabotage competitors, and it worked.
Oh, I wasn't aware of that. I think I will be checking submission dates to see if it's old, and the vendors with flags to see if they are ML or sandbox, along with the story of the file, so I can get an idea of whether it's more or less likely to be a harmful file. Do you think it is a good habit?
I got ransomware 10-15 years ago and luckily got rid of it with Malwarebytes. I am using Kaspersky Free and BitDefender Free on my computers nowadays. I don't want any malware again, but I don't want to restrict myself too much on the internet either. I might end up trying to learn how to analyze and stuff at the end of the day :D
 

MacDefender

Level 16
Verified
Top poster
Oct 13, 2019
776
> Oh, I wasn't aware of that. I think I will be checking submission dates to see if it's old, and the vendors with flags to see if they are ML or sandbox, along with the story of the file, so I can get an idea of whether it's more or less likely to be a harmful file. Do you think it is a good habit?
> I got ransomware 10-15 years ago and luckily got rid of it with Malwarebytes. I am using Kaspersky Free and BitDefender Free on my computers nowadays. I don't want any malware again, but I don't want to restrict myself too much on the internet either. I might end up trying to learn how to analyze and stuff at the end of the day :D
It’s not a bad habit, just a few things to keep in mind:
  • As I mentioned, some of the beta/research AI engines have a lot of false positives
  • Most engines have their cloud component turned off, which means they’ll have poor detections. In particular, Microsoft Defender and Avira products (including F-Secure) are more likely to falsely say Clean when the actual product would have detected something via the cloud
  • Security researchers with special VT accounts can download samples that you upload. So don’t upload anything assuming that it’s private

I would pay attention to the Kaspersky and ESET results. Those are two of the best static scanners out there, and the chances of malware getting past them are very slim.
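A small triage helper that applies the habits discussed in this thread to a VirusTotal-style report: how old the file is, which engines flagged it and whether their verdict names look ML/heuristic, whether the well-regarded static engines stayed clean, and whether the sandbox-observed registry keys are typical VM probes. This is an added example, not code from either poster or from VirusTotal; the report it runs on is constructed to mirror the keys quoted in the first post, and the ML-name heuristic, the `VendorA/B/C` names and the field layout are assumptions.

```python
"""Triage a VirusTotal-style report the way this thread suggests: file age, which
engines flagged it (and whether their verdict names look ML/heuristic), whether
trusted static engines stayed clean, and whether sandbox-observed registry keys
are typical VM probes. Added example; SAMPLE_REPORT is constructed, not the real scan."""
import re
from datetime import datetime, timezone
# Registry paths VM/sandbox-detection code commonly reads; anti-cheat, DRM and
# installers read some of them too, so a hit means "look closer", not "malicious".
VM_PROBE_PATTERNS = [
    (r"\\Software\\Wine$", "Wine presence check"),
    (r"\\ACPI\\DSDT\\VBOX__", "VirtualBox ACPI table check"),
    (r"\\SafeBoot\\Option", "Safe Boot state check (common in legitimate programs)"),
]
# Assumption: these tokens in a detection name usually indicate an ML/heuristic verdict.
ML_HINT = re.compile(r"\b(AI|ML|Heur|Gen|Score|Sandbox)\b", re.I)
TRUSTED_STATIC = ("Kaspersky", "ESET-NOD32")  # engines the thread says to weight heavily

def file_age_days(first_submission_ts, now):
    return (now - datetime.fromtimestamp(first_submission_ts, timezone.utc)).days

def classify_detections(results):
    """results: {engine: {"category": ..., "result": ...}}, like VT's last_analysis_results."""
    flagged = {e: r for e, r in results.items() if r["category"] in ("malicious", "suspicious")}
    ml_like = [e for e, r in flagged.items() if ML_HINT.search(r["result"] or "")]
    trusted_clean = [e for e in TRUSTED_STATIC if e in results and e not in flagged]
    return {"flagged": sorted(flagged), "ml_like": sorted(ml_like), "trusted_clean": trusted_clean}

def classify_registry(keys):
    return [(k, why) for k in keys for pat, why in VM_PROBE_PATTERNS if re.search(pat, k, re.I)]

def triage(report, now):
    return {"age_days": file_age_days(report["first_submission_date"], now),
            **classify_detections(report["last_analysis_results"]),
            "vm_probes": classify_registry(report["registry_keys_opened"])}

# Constructed sample shaped like VT's v3 attributes; VendorA/B/C are placeholder names.
NOW = datetime(2022, 3, 4, tzinfo=timezone.utc)
SAMPLE_REPORT = {
    "first_submission_date": int(datetime(2012, 3, 4, tzinfo=timezone.utc).timestamp()),
    "last_analysis_results": {
        "Kaspersky": {"category": "undetected", "result": None},
        "ESET-NOD32": {"category": "undetected", "result": None},
        "VendorA": {"category": "malicious", "result": "Malware.AI.4047111"},
        "VendorB": {"category": "suspicious", "result": "ML.Attribute.HighConfidence"},
        "VendorC": {"category": "malicious", "result": "Trojan.Agent"},
    },
    "registry_keys_opened": [
        r"HKEY_CURRENT_USER\Software\Wine",
        r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
        r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option",
    ],
}
```

Running `triage(SAMPLE_REPORT, NOW)` reports a ten-year-old file, three flags of which two carry ML-style names, both trusted static engines clean, and three VM-probe registry reads, which is the picture this thread describes as consistent with a false positive rather than proof of one.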
 