- Downloaded
- 5.7 GB
- Uploaded
- 448.6 GB
- Ratio
- 78.11
- Seedbonus
- 134,973
- Upload Count
- 217 (223)
Member for 5 years
VirusTotal false positive - How to know?
I am going to share some tips to help you know if a VirusTotal detection may or may not be a false positive.
Obviously this is not 100% certain as there are many virus writers who leave their Trojans or other malware undetectable, but it can be a good start when in doubt.
Always before the slightest doubt, install the program detected as malware in a VM or Windows Sandbox and monitor its behavior.
Here are the tips:
1) You got it from the offical site, it's not impossible but unlikely to be bad
2) The antivirus that detects it is not one of the well-known ones, and it's the only one
3) Combine low detection rate with the age of the file (First Submission Time in the Details tab in VirusTotal): If it's a few months old, it's most likely clean. Old malware doesn't stay on low detection rates for that long.
4) Check the hash values of our download, we can go to the website of the developer of the program for which we have the installer and look for the MD5, SHA-1, SHA-256 code, etc. of its original installer. Once we have the two codes available, that of our downloaded file and that of the installer or software from the developer's official website, we can compare both and see if they match and our file is reliable or not.
5) Check if the file is signed and if that sign is valid. You also see that in the VirusTotal Details tab. Things like adware and unwanted programs can also be signed. But if you trust the company or organization that signed it, the file is most likely clean.
Example of a false positive:
How do I know that this detection is a false positive?
I have followed the advice shared above and I can assure you with high probability of certainty that it is a false positive because:
1) I am a beta tester for this company and have downloaded the file from a secure developer site.
2) AV that detects an adware is an unknown antivirus and it's the only one, does anyone know Jiangmin? The truth is the first time I see that AV.
3) The detection date and the file is new because it is a file that is in development, in this case the date is not useful.
4) I have compared the hashing algorithms of the downloaded file and they match those published by the developer on their website.
5) The file is signed, the signatures are valid and one of the signatures corresponds to that of the developer for which I am sure it is a legitimate file.
— Ok, this works when I download something from the official website of the author / developer / company, but what happens with the false positives of downloads from this forum?
— To know that, look at @Cyler's contribution below, it will be very helpful.
You must be registered for see links
I am going to share some tips to help you know if a VirusTotal detection may or may not be a false positive.
Obviously this is not 100% certain as there are many virus writers who leave their Trojans or other malware undetectable, but it can be a good start when in doubt.
Always before the slightest doubt, install the program detected as malware in a VM or Windows Sandbox and monitor its behavior.
Here are the tips:
1) You got it from the offical site, it's not impossible but unlikely to be bad
2) The antivirus that detects it is not one of the well-known ones, and it's the only one
3) Combine low detection rate with the age of the file (First Submission Time in the Details tab in VirusTotal): If it's a few months old, it's most likely clean. Old malware doesn't stay on low detection rates for that long.
4) Check the hash values of our download, we can go to the website of the developer of the program for which we have the installer and look for the MD5, SHA-1, SHA-256 code, etc. of its original installer. Once we have the two codes available, that of our downloaded file and that of the installer or software from the developer's official website, we can compare both and see if they match and our file is reliable or not.
5) Check if the file is signed and if that sign is valid. You also see that in the VirusTotal Details tab. Things like adware and unwanted programs can also be signed. But if you trust the company or organization that signed it, the file is most likely clean.
Example of a false positive:
You must be registered for see links
How do I know that this detection is a false positive?
I have followed the advice shared above and I can assure you with high probability of certainty that it is a false positive because:
1) I am a beta tester for this company and have downloaded the file from a secure developer site.
2) AV that detects an adware is an unknown antivirus and it's the only one, does anyone know Jiangmin? The truth is the first time I see that AV.
3) The detection date and the file is new because it is a file that is in development, in this case the date is not useful.
4) I have compared the hashing algorithms of the downloaded file and they match those published by the developer on their website.
5) The file is signed, the signatures are valid and one of the signatures corresponds to that of the developer for which I am sure it is a legitimate file.
— Ok, this works when I download something from the official website of the author / developer / company, but what happens with the false positives of downloads from this forum?
— To know that, look at @Cyler's contribution below, it will be very helpful.
Last edited:
