Why does detection differ between VT and the actual AV?

woomera

Level 7
Thread author
Verified
Jan 15, 2012
594
I'm sure this must have been answered before, but I can't find it.
Why, when VT shows that e.g. Emsisoft detects a sample, does Emsisoft in the actual OS not detect it?

And yes, all options for detection are enabled, everything is maxed out and set to the highest sensitivity.

I have seen this happen with Kaspersky/Emsisoft/Trend Micro/ESET, so it's not just one product, and with many samples.
 

woomera

Level 7
Thread author
Verified
Jan 15, 2012
594
VirusTotal. I apologize, I didn't mention it; I thought it was obvious ;)
 

Littlebits

Retired Staff
May 3, 2011
3,893
OK, I know what you are talking about, and I have also witnessed VirusTotal detecting malware with AV engines when it is not detected by the installed AV.

Several times I have noticed this with Avast; after doing some checking, the Avast engine on VT was just flagging false positives. The only thing that comes to my mind is that maybe VT is not using the current signatures that removed the false-positive detections.

Another thing that I noticed is that when you scan a URL with VT, if any part of that URL has malicious links, the complete URL is listed as infected.

With most AVs you can go to the same URL and it will not be detected unless you click one of the malicious links.

VT is not 100% reliable; it is a good start for reference, but I would depend more on my installed AV and my own knowledge, by checking the digital certificates of the file and verifying it is safe.

On VT results, always click on File detail and look for "Signature verification". If the file has "Signed file, verified signature", then it is safe no matter what the AV engines detect.

I'm not sure if VT has the option, like most AVs, to ignore signed files and not detect them; maybe that is the reason for the false-positive detections.

I have seen files on VT detected as malicious because of adware like OpenCandy, which to me is ridiculous. Adware installers that have opt-out options should not be detected as malicious. These adware installers are digitally signed by many trusted sources and will not do anything malicious. Maybe they install some junk trialware or toolbars, or change the homepage and default search, but they always have opt-outs if the user pays attention. This adware is important to keep programs free.

Thanks. :D
 

MalwareVirus

Level 1
Oct 6, 2012
770
Yes, I also face the same situation with Comodo: a file is detected by Comodo IS on my computer, but when I check it on VT, Comodo shows nothing.
 

woomera

Level 7
Thread author
Verified
Jan 15, 2012
594
@Littlebits, your file signature theory actually makes very good sense. Perhaps the AV ignores files with a verified signature.
The false-positive removal could be true with old samples, but I don't think so with new ones.

Thanks for the reply.
 

MalwareVirus

Level 1
Oct 6, 2012
770
"On VT results, always click on File detail and look for "Signature verification". If the file has "Signed file, verified signature", then it is safe no matter what the AV engines detect."

I really like your concept of malware checking, as it is a rock-solid concept, but I want to ask something if you don't mind. I read here that some malware manages to bypass UAC or steal security certificates, like I read in the F-Secure H1 report about "Kumar in the Mac", a malware which stole an Apple digital signature; even Apple didn't know about this until a researcher brought it to light, and then they knew about it. Yes, it is a very rare case to bypass Windows security features, but it can happen. Also, some software has no digital signature but is good as well, like open-source software, which is free to modify. So my question is, what steps do you take in that particular case? Like Jack sir wrote in a post about HijackFree or something like that, an application once downloaded a malicious update, so what steps do you take in this particular case? I am asking for info purposes only, because I really like your UAC concept.
Thanks :)
 

Littlebits

Retired Staff
May 3, 2011
3,893
When the UAC notification displays, if you click "Show Details" and then "Show information about this publisher's certificates", it will nail fake stolen certificates.

Yes, in the past certificates have been stolen, but this is extremely rare and they are blacklisted promptly. The chance of these bypassing UAC is also extremely rare, but it can happen if the user is reckless downloading suspicious files; a user who pays attention will probably never come across these files with stolen certificates.

Much free open-source software is not digitally signed, but if you make sure that you downloaded it from the vendor's project site or a trusted download site like Softpedia, then it is safe.

AVs are notorious for flagging unsigned files even if they are completely safe.

Thanks. :D
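The two checks Littlebits describes above (the "Signature verification" field in a VirusTotal file report, and the publisher certificate shown behind the UAC "Show Details" link) can both be done on the machine before the file is ever run. The script below is an added example for this thread, not code from any poster or from VirusTotal: it hashes the file so you can look it up on VT by SHA-256 instead of re-uploading it, reads the Authenticode signature, and then re-validates the signer's certificate chain with online revocation checking, so a certificate that was stolen and later revoked is reported as revoked rather than passing. The `-Path` parameter and the script name in the usage line are assumptions. One caveat that the thread itself raises with the stolen-certificate examples: a valid signature tells you who signed the file, not that the file is harmless.

```powershell
# Check-Signature.ps1 (added example; assumed script name)
# Usage: .\Check-Signature.ps1 -Path C:\Users\me\Downloads\setup.exe
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# VirusTotal keys file reports on the hash; searching the SHA-256 avoids
# uploading a file that may already have a report.
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
Write-Host "SHA256 : $hash"

# Equivalent of VT's "Signature verification" / the UAC publisher check.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host "Status : $($sig.Status) ($($sig.StatusMessage))"

if ($sig.Status -ne 'Valid') {
    # NotSigned, HashMismatch (file modified after signing), or an
    # untrusted chain. Treat the file as unverified, not as malicious.
    Write-Warning "Authenticode signature is not valid; the publisher cannot be verified."
    return
}

$cert = $sig.SignerCertificate
Write-Host "Signer : $($cert.Subject)"
Write-Host "Issuer : $($cert.Issuer)"
Write-Host "Thumb  : $($cert.Thumbprint)"
Write-Host "Valid  : $($cert.NotBefore) to $($cert.NotAfter)"

# Re-build the chain ourselves with online revocation checking for every
# certificate in it, and require the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3),
# independently of whatever policy the cmdlet applied.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$codeSigning = New-Object System.Security.Cryptography.Oid "1.3.6.1.5.5.7.3.3"
[void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigning)

if ($chain.Build($cert)) {
    Write-Host "Chain  : OK (revocation checked online)"
} else {
    foreach ($status in $chain.ChainStatus) {
        # e.g. Revoked, RevocationStatusUnknown, NotTimeValid, UntrustedRoot
        Write-Warning "Chain problem: $($status.Status) - $($status.StatusInformation)"
    }
}

# A timestamp counter-signature keeps the signature verifiable after the
# signing certificate expires; without one it will stop validating later.
if ($sig.TimeStamperCertificate) {
    Write-Host "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
} else {
    Write-Host "No timestamp counter-signature."
}
```

If the chain build reports `RevocationStatusUnknown`, the CRL/OCSP endpoints were unreachable and the revocation check did not actually happen; rerun it with network access rather than reading the result as a pass.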