When VTotal gives you FP results days after a new release. Making the call

soccer97 (thread author)
I use a password manager that recently released a new version (the old one was crashing and causing issues). I have 150+ logins in there (or I'd wait). VirusTotal gives me a 3/56 result. Since the vendors aren't major ones, I assume it is perfectly fine to disregard the 3/56 result and assume the file is clean? It was downloaded from the official site.

Results
Antivirus scan for d38f552d4e1e57ddf5dfbba1c7f798a64596deb0714812558b45a2f4bc125c36 at 2016-04-10 00:39:30 UTC - VirusTotal

Metadefender Cloud

These show it as more potentially malicious:
Latest Submissions · Free Automated Malware Analysis Service - powered by VxStream Sandbox

Waiting on Comodo:
Comodo Instant Malware Analysis


Since the major vendors are OK with it, I can safely assume it's a FP, correct? (The vendor is closed for the next 72 hrs. New laptop, otherwise I would wait.)

Thanks!

hjlbx

Solution is simple... when in doubt, don't use file. Wait some time - a few weeks at least - and then check again.

If you allow it to execute on your system, then all bets are off.

Run it in sandbox, virtual session or virtual machine. Even then you can't always be sure it is safe.

Also, look at vendors who are detecting; some are better at identifying malicious files than others.

Kaspersky is better than Aegis, for example. Some vendors are much more prone to heuristics false positives.

As @yesnoo points out, use Valkyrie... and wait 6 months to a year for manual technician reply... LOL.

I recommend Dr Web for manual analysis.

I use 5/* detection rule, and then also look at which engines are detecting.

If I have doubts, I don't execute.

Deleted member 2913

Sorry, you will not be able to upload to Valkyrie. File size limit is 25MB & the file in question is 28MB. I just tried & let you know.

Atlas147

I think if you are really suspicious of the file then send it in to the AV vendor you use, eg if you are using ESET send it to the ESET undetected malware link so they can analyse it and give a verdict if it's malware or not.

Who knows, maybe your password manager's site was hacked and the update was swapped with a malware sample, and you could be the one reporting it to the rest of the vendors.

Normally I would run the program in a sandbox when in doubt, but seeing as this program manages your passwords I think it wouldn't be a good idea to run it even in a sandbox. Either continue using it without the update until you can be sure, or change your program to another one with a better reputation.
 

soccer97 (thread author)

Quoting Atlas147:
I think if you are really suspicious of the file then send it in to the AV vendor you use, eg if you are using ESET send it to the ESET undetected malware link so they can analyse it and give a verdict if it's malware or not.

Who knows, maybe your password manager's site was hacked and the update was swapped with a malware sample, and you could be the one reporting it to the rest of the vendors.

Normally I would run the program in a sandbox when in doubt, but seeing as this program manages your passwords I think it wouldn't be a good idea to run it even in a sandbox. Either continue using it without the update until you can be sure, or change your program to another one with a better reputation.


I reported it to Ikarus and the vendor, will wait till I hear back. Not worth the compromise. Thanks!
jamescv7

Even though VirusTotal implements a mechanism to check whether a file is benign despite those malicious detections, you still need to be vigilant about the file.

The number one way is to determine the location of the file, then test for suspicious behavior if you think it has likely been altered.
Parsh

Talking about Cuckoo sandbox, my Avira extension blocks its download link indicating it's a Malware website.
I could analyse the file after download, but not sure about the url, though secure. Is it safe to proceed with the download (is this the right malwr cuckoo?)?
Zero Knowledge

If your VT results are from low-level fringe AVs I wouldn't worry. It's probably a false positive.

But if Norton, Kaspersky, Emsisoft, CrowdStrike are flagging it as malware I would stand up and take notice.

soccer97 (thread author)
Thanks to all. I have learned several lessons: When viewing VirusTotal results - look at the reputation of the vendor when judging a file's legitimacy.

VTotal may not be up to date/correct and it can take a few days for it to detect a virus in a file, or it may be reported as a FP for a few days and have to be corrected.

Hybrid-Analysis was useful. The vendor is a trusted one - and I was pretty sure it was either a FP flag or a mistake. My speculation is that it was due to inclusion of a new/different auto-fill engine that may have set off alarms. All is good. I waited a week before installing it.

Thanks to all who mentioned the above resources. They could be added to the community as in what to do when you find a FP/Report a malicious file section.

Short version : False Positive due to unknown reason. Resolved.
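As an added example (not code from the thread, from VirusTotal, or from any vendor named here), this small Python triage rule encodes the advice in hjlbx's and Zero Knowledge's posts and the closing lessons: count detections, weigh who is detecting, and hold a days-old release for resubmission rather than trusting a 3/56 result. The engine tiers, the heuristic-name markers and the sample report are constructed assumptions.

```python
# Added example: triage a VirusTotal-style result the way this thread suggests.
import json

# Assumption: which engines count as "major" is a judgement call; adjust to taste.
MAJOR_ENGINES = {"Kaspersky", "ESET-NOD32", "Microsoft", "Symantec", "BitDefender",
                 "CrowdStrike", "Emsisoft", "Sophos", "TrendMicro", "McAfee"}
# Substrings that usually mark a heuristic/generic signature (constructed list).
HEURISTIC_MARKERS = ("heur", "generic", "suspicious", "gen:")

# Constructed sample shaped like VT's per-engine results (not a real report):
# 3 detections, all from smaller engines, none from the major tier.
SAMPLE_REPORT = json.dumps({
    "sha256": "PLACEHOLDER-CONSTRUCTED-HASH",
    "results": {
        "Kaspersky":  {"detected": False, "result": None},
        "ESET-NOD32": {"detected": False, "result": None},
        "Microsoft":  {"detected": False, "result": None},
        "Symantec":   {"detected": False, "result": None},
        "Ikarus":     {"detected": True,  "result": "Trojan.Win32.Generic"},
        "Aegis":      {"detected": True,  "result": "Heur.Suspicious.A"},
        "Zillya":     {"detected": True,  "result": "Adware.Agent.XYZ"},
    },
})


def summarise(report_json):
    """Count detections and split them by who is detecting and how."""
    report = json.loads(report_json)
    hits = [(eng, v.get("result") or "")
            for eng, v in report["results"].items() if v["detected"]]
    return {
        "total": len(report["results"]),
        "hits": len(hits),
        "major_hits": sorted(e for e, _ in hits if e in MAJOR_ENGINES),
        "heuristic_hits": sorted(e for e, r in hits
                                 if any(m in r.lower() for m in HEURISTIC_MARKERS)),
    }


def verdict(summary, release_age_days, threshold=5):
    """A major-engine hit escalates; crossing the threshold (the 5/* rule) means hold;
    a fresh release with only minor/heuristic hits is held and resubmitted later;
    otherwise it is a probable FP that should still be reported to the vendor."""
    if summary["major_hits"]:
        return "escalate"
    if summary["hits"] >= threshold:
        return "hold"
    if release_age_days < 7:
        return "hold-and-resubmit"
    return "probable-fp"
```

Run with `python -c "from triage import *; print(verdict(summarise(SAMPLE_REPORT), 2))"` after saving the block as triage.py; the constructed 3/7 minor-engine result comes back as "hold-and-resubmit" for a two-day-old release.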