What can we do about distinguishing true malware detection & false positives?

Discussion in 'Software' started by conceptualclarity, May 14, 2013.

  1. I've learned about the vulnerabilities of downloads, so I've been scanning new downloads, especially with a VirusTotal scan. When you see one or two or three hits, how do you know whether this is one or a few services picking up a real malware item most are missing, or whether it is another example of the unquestionably large phenomenon of false positive detections?

    I know Nir's items like WebBrowserPassView are not malware. I know when ClamAV is the only malware detector on the list, it's likely false positive. I know now, from ClamAV's own forum, that PUAs are probably false positives.

    I downloaded AppRemover and when doing the VT scan, it got hits from TrendMicro-HouseCall ("TROJ_GEN.F47V0414") and Symantec ("WS.Reputation.1"). I have read that Norton is especially bad at labelling good products malware. I don't know about TrendMicro.

    I have learned some things, but clearly there's so much more to know. Where does one read up and learn about this?
     
  2. satrow (Major Geek Extraordinaire)

    Use common sense: if it's flagged, it's for a reason. Nir Sofer's tools, and some by Mark Russinovich, have been used by hackers in the past.

    I'm really not sure where the 'best' place is to learn about these things, most A/V companies are pretty vague about details (some tend towards scaremongering in my book).

    Most A/Vs use some kind of 'predictive' heuristics/reputation algorithm; basically, it guesses based on previous records/reports, etc.

    Firstly, explore and study all the options in VirusTotal: More details, Additional information and Comments, if there are any.

    As an example, when there are a high number of A/Vs flagging a file as 'gen', 'like ...', 'pupack', 'pack', 'heuristic', 'suspicious', etc., but few or none with a definitive virus/malware label, it may be a benign file packaged by a tool that has been used by hackers to compress their malware.

    The below file, when unzipped, contained 3 files; only one of those was flagged, by only one A/V, and that was a 'gen' detection. *Better to be safe than lose your ID/PayPal etc., though; if in doubt, don't touch it!
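The sorting satrow describes (many 'gen', 'heuristic', 'pack' or reputation labels versus a named malware family), applied to the kind of two-hit result conceptualclarity asked about, can be scripted over the per-engine results VirusTotal returns. The script below is an added example written for this page; it is not code from the thread or from VirusTotal. It assumes the results arrive in the shape of the VirusTotal v3 API's `last_analysis_results` field (engine name -> {category, result}); the sample data is constructed (only the two detection names come from the thread), the generic-token list is my own triage heuristic, and the two thresholds are arbitrary defaults to tune.

```python
import re

# Constructed sample modelled on the shape of a VirusTotal v3
# "last_analysis_results" object (engine name -> {category, result}).
# The two named detections are the ones quoted in the thread; the
# remaining engine names and categories are made up for illustration
# and describe no real file.
SAMPLE_RESULTS = {
    "TrendMicro-HouseCall": {"category": "malicious", "result": "TROJ_GEN.F47V0414"},
    "Symantec":             {"category": "malicious", "result": "WS.Reputation.1"},
    "ClamAV":               {"category": "undetected", "result": None},
    "ExampleAV-1":          {"category": "undetected", "result": None},
    "ExampleAV-2":          {"category": "undetected", "result": None},
    "ExampleAV-3":          {"category": "harmless", "result": None},
    "ExampleAV-4":          {"category": "type-unsupported", "result": None},
}

# Label fragments that mark a detection as generic, heuristic, packer-based
# or reputation-based rather than a named family. Assumed triage aid built
# from the labels satrow lists plus common vendor conventions; not a
# vendor taxonomy.
GENERIC_TOKENS = {
    "gen", "generic", "heur", "heuristic", "suspicious", "reputation",
    "pup", "pua", "pack", "packed", "packer", "riskware", "risktool",
    "hacktool", "ml", "unsafe", "like",
}
HIT_CATEGORIES = {"malicious", "suspicious"}
NOT_SCANNED = {"type-unsupported", "timeout"}


def tokens(label):
    """Split a detection name into lowercase alphanumeric tokens, so that
    'TROJ_GEN.F47V0414' -> ['troj', 'gen', 'f47v0414'] but the 'gen'
    inside 'Trojan.Agent' does not match."""
    return [t for t in re.split(r"[^a-z0-9]+", label.lower()) if t]


def is_generic(label):
    """True if the label looks generic/heuristic/reputation-based."""
    if "not-a-virus" in label.lower():
        return True
    return any(t in GENERIC_TOKENS for t in tokens(label))


def triage(results, definitive_threshold=2, generic_flood=5):
    """Summarise a VirusTotal-style result set and suggest a triage verdict.

    Rules (a conservative reading of the advice in the thread):
      - no hits                                  -> "no detections"
      - >= definitive_threshold named-family hits -> "treat as malicious"
      - >= generic_flood hits, mostly generic     -> "possible packer/generic"
        (benign packed file or packed malware: inspect before running)
      - a few hits, all generic/reputation        -> "likely false positive"
      - otherwise (one named hit)                 -> "single named hit: inspect"
    """
    hits = {e: r["result"] for e, r in results.items()
            if r.get("category") in HIT_CATEGORIES and r.get("result")}
    generic = {e: lbl for e, lbl in hits.items() if is_generic(lbl)}
    definitive = {e: lbl for e, lbl in hits.items() if e not in generic}
    scanned = sum(1 for r in results.values()
                  if r.get("category") not in NOT_SCANNED)

    if not hits:
        verdict = "no detections"
    elif len(definitive) >= definitive_threshold:
        verdict = "treat as malicious"
    elif len(hits) >= generic_flood:
        verdict = "possible packer/generic"
    elif not definitive:
        verdict = "likely false positive"
    else:
        verdict = "single named hit: inspect"
    return {
        "engines_scanned": scanned,
        "hits": len(hits),
        "definitive": definitive,
        "generic": generic,
        "verdict": verdict,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_RESULTS)
    print(f"{summary['hits']}/{summary['engines_scanned']} engines flagged the file")
    for engine, label in summary["generic"].items():
        print(f"  generic/reputation: {engine}: {label}")
    for engine, label in summary["definitive"].items():
        print(f"  named family:       {engine}: {label}")
    print("verdict:", summary["verdict"])
```

On the sample, both hits tokenize to generic labels ('gen' and 'reputation'), so the script reports "likely false positive", which matches the reading in the thread; it is a prompt to read the engines' details and comments and rescan later, not a clean bill of health, and a run with two named-family hits flips the verdict to "treat as malicious".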
     
