Advice Request Virus Total did not flag malicious

Please provide comments and solutions that are helpful to the author of this topic.


Level 5
Thread author
Jan 13, 2019
I uploaded a zip file on VirusTotal. 13 security vendors flagged the file as malicious, whereas major AVs went "Undetected".

So would you trust major AVs and ignore the warnings from other vendors? BUT if we were to trust those other 13 vendors, then why did not major AVs detect anything?

Here is the VT link: VirusTotal

Last edited by a moderator:
  • Like
Reactions: Stopspying

Zero Knowledge

Level 20
Top Poster
Content Creator
Dec 2, 2016
I would imagine detection goes MOTW/download URL/Creation time & date of file > machine learning > artificial intelligence > heuristics > signature/blacklist (similar) hash detection.

Google and Fortinet make sense because they suck in a lot of data from their web monitoring business and would have petabytes of data on malicious .zip/exe/msi files downloaded/hosted from the web and would be able to identify similar malicious software quickly. The other AV's/AM I'm not so sure, maybe they have not encountered a similar .zip in their cloud component of their software or web monitoring isn't their strong point.


Level 6
Nov 21, 2022
I would imagine detection goes MOTW/download URL/Creation time & date of file > machine learning > artificial intelligence > heuristics > signature/blacklist (similar) hash detection.
the scan engines on virus total are modified command line versions of the scan engines, they do not perform behavioral analysis and files uploaded to virus total are not transferred for analysis to the regular vendor cloud\backend used in their desktop products


Staff Member
Apr 9, 2020
This program uses a bootloader by Thinstall. When I search on Virustotal for applications with the same bootloader they all have 12+ detections. So the bootloader is likely the detected component.

Although Thinstall is a legitimate program, it seems to have been abused for malware and cracking which often leads to automatic detection of the bootloader and injection component (I exclude manual signature creation here because a human would know this to be legitimate and would more likely use concrete detection names). The major vendors either have better FP protection in place or are more likely to be contacted by the Thinstall company if false positives occur, which would explain why they don't have a detection on the Thinstall bootloader.

I find it noteworthy that there is a Yara match on Heaven's Gate code which is normally not used by legitimate applications.


The original setup of this application is signed: VirusTotal
Whereas the files contained in this archive are not signed. That is unusual. If the vendor of the program already have a signing process in place, they would use it on detected files to prevent the detections. Might be because this is an older version or because it was modified. However, the version numbers are not far apart: Newest version is 5.1.1. and the one you have there is

I see two possibilities here (you don't need to tell me which one it is):
  1. The actual vendor used Thinstall to create a portable application and this is an old version that was not signed yet. They do not fix detections by contacting vendors because it is an old version.
  2. This is a cracked version of the program that uses the bootloader to circumvent the protection and licensing system. Such programs are treated as "don't care" by antivirus vendors. A discussion about legitimacy of cracked programs is not allowed here on MalwareTips.
In case 1 you need to use the updated version. In case 2 you better not use it.
So actually in both cases you better don't use the exact program you linked here.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.