blackice

Level 12
Verified
I'm curious what other people's approach is when they hit on potential FPs on something like Virustotal or Hybrid_Analysis? When you check a file from a trusted source such as Steve Gibson's site for DNS Bench and get something like the following screenshot, what do you do? I know a lot of people just say FP all day, but I've always been more prudent. It seems there is usefulness to VT and H_A, but these ML and heuristic detection engines do seem to flag even base Microsoft .exes a lot (looking at you onedrive and processexplorer). In this situation none of the big vendors flagged the file, or the ones that did cleared it over time, but it does always leave a seed of doubt when there's more than one or two FPs. How paranoid are you?

[Screenshot: VT Detections.PNG]
 

Protomartyr

Level 1
Whenever I find a file that has some detections on VirusTotal or Hybrid Analysis, I will only run it if:
  • It comes from a trusted source. I check the properties of the file to see the digital signatures / author.
  • There is an MD5/SHA-1/SHA-256 hash available to verify the download.
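The two checks in the list above (published hash and digital signature) as one script, added here as an example and not code from the thread; the path, expected hash and expected signer are placeholders supplied by whoever runs it.

```powershell
# Added example: triage a downloaded file before running it by confirming the
# SHA-256 hash the vendor published and inspecting the Authenticode signature.
# $Path, $ExpectedSha256 and $ExpectedSigner are placeholders (assumptions).
param(
    [Parameter(Mandatory)] [string] $Path,
    [Parameter(Mandatory)] [string] $ExpectedSha256,   # hash from the vendor's download page
    [string] $ExpectedSigner = ''                        # optional substring of the signer's CN
)

# 1. Hash check: compare case-insensitively, since sites publish hex in either case.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
$hashOk = $actual -ieq $ExpectedSha256

# 2. Signature check: Status is 'Valid' only when the chain verifies and the
#    file has not been modified after signing; 'NotSigned' and 'HashMismatch'
#    are the cases that should stop you from running the file.
$sig      = Get-AuthenticodeSignature -FilePath $Path
$sigOk    = $sig.Status -eq 'Valid'
$signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
$signerOk = [string]::IsNullOrEmpty($ExpectedSigner) -or ($signer -like "*$ExpectedSigner*")

# Report what was found so the decision is visible, not just a yes/no.
[pscustomobject]@{
    File          = $Path
    Sha256        = $actual
    HashMatches   = $hashOk
    SigStatus     = $sig.Status
    Signer        = $signer
    SignerMatches = $signerOk
}

if (-not ($hashOk -and $sigOk -and $signerOk)) {
    Write-Warning "Do not run: hash, signature status or signer did not match."
    exit 1
}
```

A file that passes both checks can still be flagged by heuristic engines, so this only establishes that the file is the one the vendor shipped, which is the point of the checks in the post.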
 

blackice

Level 12
Verified
I avoid anything that isn't signed and like you guys, I throw it at VirusTotal to see what it spits out.
Interestingly, in this case he has an EV certificate. It's definitely a trusted source; Hybrid_Analysis has no love for it though: rated 100% malicious. He probably could ask for it to be whitelisted, but how many people really even check these things? Maybe not worth the developer's time? I tend to read what the analysis sites spit out to see what's being labeled as malicious.
 

plat1098

Level 10
Verified
Well, this is interesting: this is from the same source as the InSpectre utility for Meltdown/Spectre mitigations. I have InSpectre, so for a lark, here is the result:

[Screenshot: jottiinspectre.PNG]

So, like it was stated, small software runs higher risks for "detections" like that. It then is a judgement call. DNS Benchmark has one detection via Jotti from Fortinet, named Win32 ZBot. So, maybe it wouldn't be a bad idea to make an inquiry to Fortinet. By the way, if you have InSpectre and recently applied the enablement KB for 1909, maybe you can run it. I did; both Meltdown and Spectre mitigations were disabled. :emoji_grimacing: Thanks, blackice!
 

blackice

Level 12
Verified
That's the same tag it gave to DNS Bench. I'm pretty sure his tools just throw some flags. InSpectre got one hit on VT when I got curious about the same thing. If they were malicious there'd be a lot of infected people, since that tool was pretty widely promoted.
 

show-Zi

Level 20
Verified
Minor online software distributed by individuals often does not have a certificate, so it is reliably detected. When I install software like this, I'm going to check the reputation of the people who use it.
You can trust the Michelin-recommended restaurant information, but the small restaurant information you heard at the street corner is also useful.