What's your approach with potential FPs?

blackice

Level 38
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
I'm curious what other people's approach is when they hit on potential FPs on something like VirusTotal or Hybrid_Analysis? When you check a file from a trusted source such as Steve Gibson's site for DNS Bench and get something like the following screenshot, what do you do? I know a lot of people just say FP all day, but I've always been more prudent. It seems there is usefulness to VT and H_A, but these ML and heuristic detection engines do seem to flag even base Microsoft .exes a lot (looking at you, OneDrive and Process Explorer). In this situation none of the big vendors flagged the file, or the ones that did cleared it over time, but it does always leave a seed of doubt when there's more than one or two FPs. How paranoid are you?

[Screenshot: VT Detections.PNG]
 

Protomartyr

Level 7
Sep 23, 2019
314
Whenever I find a file that has some detections on VirusTotal or Hybrid Analysis, I will only run it if:
  • It comes from a trusted source. I check the properties of the file to see the digital signatures / author.
  • There is an MD5/SHA1/SHA-256 hash available to verify the download.
 

blackice

Level 38
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
I avoid anything that isn't signed and like you guys, I throw it at VirusTotal to see what it spits out.
Interestingly in this case he has an EV certificate. It's definitely a trusted source, Hybrid_Analysis has no love for it though: rated 100% malicious, probably could ask for it to be whitelisted. But how many people really even check these things. Maybe not worth the developer's time? I tend to read what the analysis sites spit out to see what's being labeled as malicious.
 
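The two checks Protomartyr lists (digital signature and author, then a published hash) and the "I avoid anything that isn't signed" rule above can be scripted so the decision is repeatable. The following PowerShell script is an added example, not code from the thread or from any vendor; the file path, the expected SHA-256 and the expected signer name are placeholders you replace with the real download and the values shown on the vendor's page.

```powershell
# Verify-Download.ps1 (hypothetical name, example code not from the thread).
# Decides whether a downloaded executable passes the two checks discussed above:
#   1. the SHA-256 matches the hash the vendor published, and
#   2. the Authenticode signature is valid and (optionally) from the expected signer.
# -Path, -ExpectedSha256 and -ExpectedSigner are placeholders supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [Parameter(Mandatory = $true)][string]$ExpectedSha256,
    [string]$ExpectedSigner = $null   # substring of the publisher's certificate subject, if known
)

$result = [ordered]@{
    Path        = $Path
    HashOk      = $false
    SignatureOk = $false
    Status      = $null
    Signer      = $null
    Verdict     = 'DO NOT RUN'
}

# Check 1: hash. A vendor-published SHA-256 proves you received the bytes they intended,
# regardless of what any scanner's heuristic engine thinks of those bytes.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
$result.HashOk = ($actual -ieq $ExpectedSha256)

# Check 2: Authenticode. 'Valid' means the signature verifies and the certificate chains
# to a root this machine trusts. NotSigned, HashMismatch (tampered after signing) and
# UnknownError are all treated as failures.
$sig = Get-AuthenticodeSignature -FilePath $Path
$result.Status = [string]$sig.Status
if ($sig.SignerCertificate) {
    $result.Signer = $sig.SignerCertificate.Subject
}
$result.SignatureOk = ($sig.Status -eq 'Valid')

# A valid signature from the wrong publisher is still a failure: the point of the check
# is "signed by the source I trust", not merely "signed by someone".
if ($result.SignatureOk -and $ExpectedSigner -and ($result.Signer -notlike "*$ExpectedSigner*")) {
    $result.SignatureOk = $false
}

if ($result.HashOk -and $result.SignatureOk) {
    $result.Verdict = 'OK to run: hash matches and signature is valid'
}

[pscustomobject]$result
```

Run it as `.\Verify-Download.ps1 -Path .\download.exe -ExpectedSha256 <hash from vendor page> -ExpectedSigner '<publisher name>'`. If either field comes back `False`, the scanner verdict is irrelevant: the file is not the one the vendor shipped, or it is not signed by who you expected, and it should not be run.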

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Well, this is interesting, this is from the same source as the InSpectre utility for Meltdown/Spectre mitigations. I have InSpectre, so for a lark, here is the result:

[Screenshot: jottiinspectre.PNG]

So, like it was stated, small software runs higher risks for "detections" like that. It then is a judgement call. DNS Benchmark has one detection via Jotti from Fortinet, named Win32 ZBot. So, maybe it wouldn't be a bad idea to make an inquiry to Fortinet. By the way, if you have InSpectre and recently applied the enablement KB for 1909, maybe you can run it. I did, and both Meltdown and Spectre mitigations were disabled. :emoji_grimacing: Thanks, blackice!
 

blackice

Level 38
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
> Well, this is interesting, this is from the same source as the InSpectre utility for Meltdown/Spectre mitigations. I have InSpectre, so for a lark, here is the result:
>
> So, like it was stated, small software runs higher risks for "detections" like that. It then is a judgement call. DNS Benchmark has one detection via Jotti from Fortinet, named Win32 ZBot. So, maybe it wouldn't be a bad idea to make an inquiry to Fortinet. By the way, if you have InSpectre and recently applied the enablement KB for 1909, maybe you can run it. I did, and both Meltdown and Spectre mitigations were disabled. :emoji_grimacing: Thanks, blackice!
That's the same tag it gave to DNS Bench. I'm pretty sure his tools just throw some flags. InSpectre got one hit on VT when I got curious about the same thing. If they were malicious there'd be a lot of infected people, since that tool was pretty widely promoted.
 

show-Zi

Level 36
Verified
Top Poster
Well-known
Jan 28, 2018
2,463
Minor online software distributed by individuals often does not have a certificate, so it is reliably detected. When I install software like this, I'm going to check the reputation of the people who use it.
You can trust the Michelin-recommended restaurant information, but the small restaurant information you heard at the street corner is also useful.
 

Venustus

Level 59
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
> Mostly it is detected as being Process Hacker and classified as a PUP or hacking tool. In these cases, it's not a false positive. However I would say that for the average user, they will often assume that anything that is detected by AV software is malicious.
Agreed on both points!
 
