Navigation X
ALERT
Click here to register with a few steps and explore all our cool stuff we have to offer!



 491075

[GUIDE] VirusTotal False Positive How to know ?

by Barry - 05 June, 2021 - 04:02 PM
This post is by a banned member (Barry) - Unhide
Barry  
Staff
17.547
Posts
8
Threads
Staff Team
5 Years of service
#1
I am going to share some tips to help you know if a Virus Total detection may or may not be a false positive.

Obviously this is not 100% certain as there are many virus writers who leave their Trojans or other malware undetectable, but it can be a good start when in doubt.

Always before the slightest doubt, install the program detected as malware in a VM or Windows Sandbox and monitor its behaviour.


If you know some other ways other than these mentioned one, do share in posts below .

Here are the tips:

1)
 You got it from the official site, it's not impossible but unlikely to be bad

2) The antivirus that detects it is not one of the well-known ones, and it's the only one

3) Combine low detection rate with the age of the file (First Submission Time in the Details tab in VirusTotal): If it's a few months old, it's most likely clean. Old malware doesn't stay on low detection rates for that long.

4) Check the hash values of our download, we can go to the website of the developer of the program for which we have the installer and look for the MD5, SHA-1, SHA-256 code, etc. of its original installer. Once we have the two codes available, that of our downloaded file and that of the installer or software from the developer's official website, we can compare both and see if they match and our file is reliable or not.

5) Check if the file is signed and if that sign is valid. You also see that in the VirusTotal Details tab. Things like adware and unwanted programs can also be signed. But if you trust the company or organization that signed it, the file is most likely clean.



Example of a false positive:VirusTotal[Image: vt_false_positive.png]

[Image: vt_false_positive1.png]

[Image: vt_false_positive2.png]


How do I know that this detection is a false positive?


I have followed the advice shared above and I can assure you with high probability of certainty that it is a false positive because:

1) I am a beta tester for this company and have downloaded the file from a secure developer site.

2) AV that detects an adware is an unknown antivirus and it's the only one, does anyone know Jiangmen? The truth is the first time I see that AV.

3) The detection date and the file is new because it is a file that is in development, in this case the date is not useful.

4) I have compared the hashing algorithms of the downloaded file and they match those published by the developer on their website.

5) The file is signed, the signatures are valid and one of the signatures corresponds to that of the developer for which I am sure it is a legitimate file.



Some Other Tips:

1. The name itself. Often we will see a mix of the words, Something-Generic-somethingGen-somethingPUA (Possible Unwanted, Application)Hacktool-xxxMalicious-xxxxGen_TrojanRiskTool, and in general not a specific virus name. The above can also be seen in variations like PUS (software) or PUF (file). The reason those names often pop is because of either the heuristic function, which essentially tries to guess if a part of code inside a program is a virus, based on some known code patterns or because after some time the medicine that is included along with programs get detected as a virus by the AV to scare/warn people.

2. We won't see the same virus name repeat on several antivirus engines concurrently and consistently. Some a/v will show one name, and, some others will show a different. If it was indeed a known virus, most AV will show the same name or the same sub variation.

As an example, look at the screen below and you will see exactly what I described above. Generic names (hacktool, Generic, malicious, etc) and each engine give its own name. You can understand how fake some programs and results are just by looking at the name. W32.AIDetectVM... AI as in Artificial Intelligence which is simply a catchphrase used from marketing to impress.


[Image: chrome_2020-11-24_14-49-36.jpg]

Needless to say, no matter what, attention to detail and caution must be exercised always. Remember to scan the "medicine" as well as the main app. Don't be afraid to ask if you are not sure but don't wear the tinfoil hats either.
This leak has been rated as working 4 times this month. (17 times in total)
This leak has been rated as infected 1 times this month. (3 times in total)
[Image: uWztodn.gif]

[Image: 9Oq6tka.gif]
PRIVATEALPS.NET - Offshore Cloud Services - Dedicated Servers - TOR Friendly - DMCA Ignored 

Instant Deploy

Telegram : @PrivateAlps

Paid Advts Above----> I don't own above linked services, contact respective ownesr of the services for queries and issues
This post is by a banned member (Alex) - Unhide
Alex  
Trial Moderator
2.424
Posts
891
Threads
Staff Team
5 Years of service
#2
Going to add this thread link to my pinned thread in cracked programs Pepelove
TOP AND BOTTOM SIGNATURES AVAILABLE CHECK!
https://cracked.io/Thread-Staff-⭐⭐⭐-ALEX...O-2-MONTHS
[Image: jpx1TEv.gif]

For account recoveries and 2FA issues, contact @Liars or @Darkness
For any upgrade/purchases-related issues, please contact @KSZ


Alert: Replies may take up to 48 hours.
This post is by a banned member (XXXTENTACION) - Unhide
This post is by a banned member (Haxzo_op) - Unhide
Haxzo_op  
Infinity
61
Posts
19
Threads
4 Years of service
#4
[font]Thank you sir for the useful information [/font] Smart
All Thanks to @Barry For always Being there  Pepelove
This post is by a banned member (Barry) - Unhide
Barry  
Staff
17.547
Posts
8
Threads
Staff Team
5 Years of service
#5
(07 June, 2021 - 02:49 PM)Haxzo_op Wrote: Show More
[font]Thank you sir for the useful information [/font] Smart

:pepo: PepeBlush Sharing is Caring
[Image: uWztodn.gif]

[Image: 9Oq6tka.gif]
PRIVATEALPS.NET - Offshore Cloud Services - Dedicated Servers - TOR Friendly - DMCA Ignored 

Instant Deploy

Telegram : @PrivateAlps

Paid Advts Above----> I don't own above linked services, contact respective ownesr of the services for queries and issues
This post is by a banned member (Fez) - Unhide
Fez  
Galactic
4.073
Posts
2.489
Threads
4 Years of service
#6
Great guide and very informative!
This post is by a banned member (FairyOnline) - Unhide
71
Posts
23
Threads
3 Years of service
#7
Wow! Just wow....thank you for your contributions, Barry....Really....WOW! Wow
The thing is that I am not a YouTuber so I am not gonna beg you for likes

but know this, that liking my threads & rep'n me helps me a lot
& motivates me to upload more such content.


So you know, you should just do it!
This post is by a banned member (Barry) - Unhide
Barry  
Staff
17.547
Posts
8
Threads
Staff Team
5 Years of service
#8
This is a bump
[Image: uWztodn.gif]

[Image: 9Oq6tka.gif]
PRIVATEALPS.NET - Offshore Cloud Services - Dedicated Servers - TOR Friendly - DMCA Ignored 

Instant Deploy

Telegram : @PrivateAlps

Paid Advts Above----> I don't own above linked services, contact respective ownesr of the services for queries and issues

Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
or
Sign in
Already have an account? Sign in here.


Forum Jump:


Users browsing this thread: 8 Guest(s)