Systemic Malware Issues

ShallowTraveler · Jul 23, 2025

Quick backstory: I've been building up a collection of software (programs, dependencies, codecs, etc.) to have saved in an offline backup just in case I don't have access to something online or it is removed from the web. Some of that collection I have built up using MajorGeeks; the K-Lite Codec Pack for instance. But today I decided to be a bit more judicious and use VirusTotal on everything I was downloading from here as some of the programs were old & obscure or deprecated. Half of them came back with alerts to Snakelogger or malware. This includes SmartImage 4.0.8 which is under the Misc. Utilities section along with many of the portable games in the Games section. Now perhaps these are false positives but MajorGeeks says in their public statement that they use VirusTotal specifically as a sanity check on programs. So are they seeing these alerts and investigating further on some obscure game in their back catalogue? I doubt it. I no longer trust this site for anything and see it as actively malicious. Buyer beware. Maybe someone can correct me on this in the comments. I'm open to it.

DOA · Jul 23, 2025

MG has the best files as far as I can tell.

Start with their downloads, but their files are often attacked on download if your system has been compromised.

ShallowTraveler · Jul 23, 2025

You can just check for yourself instead of fabricate an insane story about virus' infecting the downloaded file and then VT flagging the download. I told you which file was flagged.

DangitallRedux · Jul 24, 2025

If you were to go looking around within the MajorGeeks downloads, you will see an occasional note along the lines of "this file gets hits on VirusTotal" or "your antivirus may pitch a snit", so maybe they missed putting that notice on a few write-ups. They are (hopefully) only human.

And, just for craps and giggles, how many of the scanners tripped on that specific file, and which ones? Not all scanners are created equal, and some are more error-prone than others.

ShallowTraveler · Jul 24, 2025

What do you mean "maybe they missed it"? I said VT flagged around half of the files i checked. If you cared to know the answer to any of those questions you would just check the file I mentioned and scan it yourself. You're just bored and want to talk. No time for this. There is a major problem on this site and none of you care.

satrow · Jul 24, 2025

Smartimage is currently flagged by 3/72 vendors. The few vendors I have any faith in don't flag it.

I'd say that they're false positives, anything actually malicious would be detected specifically by an awful lot more vendors.

Those vendors change over time, as do their classifications, detection rates and accuracy % levels. None are perfect though the better ones are very good. Some of the lesser known vendors may not review their detection accuracy as frequently as they might - but it all costs money.

There are times when a clean and useful component file is used as part of a malicious attack package, then the innocent file can become deliberately falsely flagged by vendors, though MS-owned files by Sysinternals usually become delisted, files by others, eg Nirsoft, rarely do.

Report the FP on the forum for Smartimage and see what they say?

I'm saying it's almost certainly clean.

ShallowTraveler · Jul 24, 2025

I don't care what you have faith in. This isn't about you. I don't care that you think they are false positives. This isn't about the veracity of the scan. If you read the title it says "systemic issue" because I found multiple files flagged by VirusTotal which MajorGeeks claims to SPECIFICALLY USE to check before posting. Are you able to read words?

satrow · Jul 24, 2025

Virustotal doesn't claim to be what your interpretation of their site is. It's a guide, rather like a pedestrian crossing. Yes, a sanity check would say that's the safest place to risk crossing a road.

Some of the better vendors there have discovered and written up guides on detecting malware eg. Fortinet and Snakelogger. Did Fortinet flag anything? Not when I had VT rescan Smartimage it didn't, nor for your scan a day or so earlier.

I'll install ESET as a second chance scanner, as my default MS Windows security never flagged Smartimage - have you run any real scans on your system yet? If not, why not, considering you're claiming some kind of exposure to malware?

ShallowTraveler · Jul 24, 2025

satrow said: ↑

Virustotal doesn't claim to be what your interpretation of their site is. It's a guide, rather like a pedestrian crossing. Yes, a sanity check would say that's the safest place to risk crossing a road.

Some of the better vendors there have discovered and written up guides on detecting malware eg. Fortinet and Snakelogger. Did Fortinet flag anything? Not when I had VT rescan Smartimage it didn't, nor for your scan a day or so earlier.

I'll install ESET as a second chance scanner, as my default MS Windows security never flagged Smartimage - have you run any real scans on your system yet? If not, why not, considering you're claiming some kind of exposure to malware?
Click to expand...

You, as well, cannot read. MajorGeeks using Virus Total. THEY say they use it to flag programs with issues. I've found 5 or so programs that VirusTotal flags. This has nothing to do with my system. You are a retard.

satrow · Jul 24, 2025

Steady on old chap.

https://www.majorgeeks.com/content/...ed_as_malware_and_how_to_safely_use_them.html

goodbye.

ShallowTraveler · Jul 24, 2025

satrow said: ↑

Steady on old chap.

https://www.majorgeeks.com/content/...ed_as_malware_and_how_to_safely_use_them.html

goodbye.
Click to expand...

This is about end users having programs flagged by their random malware scanners. The subject is MajorGeeks using VirusTotal to vet their programs. And my discovery that they are lying about using VirusTotal or perhaps any scanner. please learn to read.

satrow · Jul 24, 2025

I've been reading a very long time, sometimes I make mistakes (autopilot/guessing usually) just like the VT vendors do.

Reading and comprehension aren't always good bedfellows, especially when one is angry or honestly mistaken.

Read the above linked topic, it might help you understand a little better.

DangitallRedux · Jul 25, 2025

ShallowTraveler said: ↑

What do you mean "maybe they missed it"? I said VT flagged around half of the files i checked. If you cared to know the answer to any of those questions you would just check the file I mentioned and scan it yourself. You're just bored and want to talk. No time for this. There is a major problem on this site and none of you care.
Click to expand...

ShallowTraveler said: ↑

This is about end users having programs flagged by their random malware scanners. The subject is MajorGeeks using VirusTotal to vet their programs. And my discovery that they are lying about using VirusTotal or perhaps any scanner. please learn to read.
Click to expand...

There are occasional major problems on this site, as you say, but, if we wait long enough, they generally go away and take their foolishness with them.

You fail to understand what VirusTotal is and what it does.

I did try to scan the specific file you mentioned, but I got a "scan queued, please scan again later" and, as I've been busy, I have not had an opportunity to check again. I still haven't, and will not bother now.

@satrow points out that three out of seventy-two of the VT scanners tripped on your file. I asked which ones, and you failed to respond other than with an accusation that I'm bored and want to talk.

Please, if you are not willing to actually learn about the things you are so willing to spout off about, just go away and take your empty accusations with you.

ShallowTraveler · Jul 25, 2025

DangitallRedux said: ↑

There are occasional major problems on this site, as you say, but, if we wait long enough, they generally go away and take their foolishness with them.

You fail to understand what VirusTotal is and what it does.

I did try to scan the specific file you mentioned, but I got a "scan queued, please scan again later" and, as I've been busy, I have not had an opportunity to check again. I still haven't, and will not bother now.

@satrow points out that three out of seventy-two of the VT scanners tripped on your file. I asked which ones, and you failed to respond other than with an accusation that I'm bored and want to talk.

Please, if you are not willing to actually learn about the things you are so willing to spout off about, just go away and take your empty accusations with you.
Click to expand...

It's not "my scanner". It's Virus Total. Which MajorGeeks claims to use to vet files. Learn to read.

satrow · Jul 26, 2025 at 3:47 AM

ShallowTraveler said: ↑

Learn to read.
Click to expand...

That works both ways. As you've shown no indication of having read the article I linked to earlier, I'll post the content below. A teaser first:

Double check with VirusTotal: Virus Total allows you to upload any file for scanning by multiple antivirus engines, which gives you a better look into what you are dealing with from broader perspective. It s also a great tool to show how common false positives actually are. However, keep in mind that if you download a legit hacking tool and it is detected as a hacking tool -- you have a hacking tool, not a virus. https://www.majorgeeks.com/images/smilies/icon_smile.gif
Click to expand...

Please do yourself the courtesy of reading the full content, it's for your own good, not mine:

Recently, a reader of our newsletter called me to task for recommending software that Malwarebytes tagged as suspicious or a PUP. Rightly so, I think. I should have given a warning. We have written about PUPs and False Postives detections sometime ago, but this is an excellent time to discuss how tools from small developers often face an uphill battle regarding being recognized as safe.

Understanding why false positives happen from the perspectives of both the author and the antivirus company can help you make better, more informed decisions.

This is especially true for utilities from companies like NirSoft, Nirsoft Launcher is what I mentioned. Nir Sofer has been creating free utilities since 2001 and has published many excellent tools, almost all of which I use. Despite his long track record, antivirus programs often flag his software as malware or viruses. So much so that he and others have started locking their software behind password-protected zipped folders to help avoid initial detection, which doesn't make for a good user experience.

Let's look at the reasons behind these mislabeling issues, why these tools are generally safe to use, and uncover some lesser-known facts about small developers and false positives.

Top Reasons For Flagging

Software Heuristics
Antivirus programs rely heavily on heuristics to detect potentially harmful software. Heuristics are sets of rules or patterns used to identify malicious behavior. Tools from NirSoft, for example, often interact with system internals in ways similar to how malware operates. These utilities might access low-level system information, modify system settings, or extract passwords—actions that, while legitimate in the context of system diagnostics or recovery, resemble malicious behavior to heuristic-based detection systems.

Heuristics are designed to catch novel threats, but the practice has drawbacks. For instance, while testing a well-known antivirus program a few years ago, it used heuristics and detected my ntuser.dat as a virus trying to access my system. (Yeah, you read that right.) For those unfamiliar with it, ntuser.dat is part of the system registry -- Windows doesn't work without a registry. Fortunately, I have backups, but the incident highlighted the fine line that antivirus programs walk between protecting users and disrupting legitimate operations - in this case, fatally.

I am still a bit pissed about that, but here is one of the funnier false positives from a couple of years ago.

Lack of Code Signing
Code signing is where developers digitally sign their software with a purchased certificate verifying its integrity and origin. The price of a code signing certificate can range from $100 to over $500 per year. This cost can be prohibitive for small developers, freeware, and open-source guys. Small developers often must complete this step due to the cost and complexity involved. Antivirus programs are more likely to flag the software as suspicious without a digital signature. This lack of code signing doesn't mean the software is unsafe; rather, it has yet to undergo a verification process from a 3rd party.

Potential for Misuse
Many powerful tools can be misused, and NirSoft utilities are no exception. For example, his password recovery tools are invaluable for someone who has lost access to their accounts but can also be used maliciously to extract passwords from a compromised system. Antivirus companies tend to err on the side of caution, flagging these tools to prevent potential misuse by malicious actors. However, these tools are handy and safe for knowledgeable users.

Further, the dual-use nature of software tools is a common issue in cybersecurity. Tools like key recovery or network scanners can be essential for administrators. Attackers can also use them to find vulnerabilities and steal your software. This causes a tough choice of how to label these types of software for the antivirus company. Sometimes, it is right on their end to assume the user knows nothing and to err on the side of a warning/blocking.

Aggressive Behavior Patterns
Antivirus programs are designed to detect aggressive behaviors often associated with malware. This includes things like keylogging, network sniffing, and memory scraping. Tools from small developers that perform deep system-level tasks may exhibit these behaviors, even if they're intended for legitimate purposes. Some advanced tools, like those used for system monitoring or penetration testing (e.g., Wireshark), often get flagged because they can be used for legitimate and malicious purposes. Therefore, it is doubtful that you will ever be able to download a product like this without some warning.

Reputation and Trust
Software from well-known companies often benefits from an established reputation and is generally allowed out of the box. Small authors have different levels of recognition, making their software more likely to be flagged and often viewed as suspicious by default. When releasing a new version, News and Software Updater or MajorGeeks Windows Tweaks, we are permanently flagged as a virus and must write each company to get cleared before releasing it to the public. It's an arduous process. But this is why you often get some browser warning when downloading some sweet open source that we list that is hot off the presses.

More Reasons Why Small Author Tools Get Flagged by Antivirus

Infrequent Use: Antivirus programs also rely on community data to determine the safety of a program. If software is rarely used, it might be flagged simply because it needs more users to establish a trustworthy reputation.

Rapid Development Cycles: Small developers often release updates more frequently than larger companies. Each new version needs to be re-evaluated by antivirus software, which will have a unique hash (digital fingerprint). This constant stream of updates changes the hash and can lead to temporary flags as the antivirus software catches up with the latest version.

False Positives from Similarity: Antivirus programs use pattern matching to identify malware. A legitimate tool with code or behavior closely resembling known malware can be flagged as a false positive. Small developers, who might use common libraries or code snippets found in open-source libraries, can inadvertently trigger these false positives if a legitimate virus actually used that same library.

Why You Should Consider Tools from Small Authors

Niche: Small and hobbyist authors fill an important role in the software market and have niche software that you typically can not find anywhere else.

Price: Generally, software from small authors is either free, open source or very cost-conscious, especially for the quality.

Transparency: Many small developers are highly transparent about what their tools do and how they work. NirSoft, for example, provides detailed descriptions and documentation for each utility, explaining its purpose and functionality.

Community Trust: Tools from small authors often have a dedicated user base and receive positive reviews from tech communities. These endorsements can be a good indicator of the software's reliability and safety.

Updates and Support: Active development and regular updates are signs of a committed developer. Small developers frequently update their tools to fix bugs, add features, and ensure compatibility with the latest operating systems. Most times your request actually goes TO the developer and not some support queue.

How to Safely Use Tools from Small Developers

Download from Official or Trusted Sources: Always download tools from the developer's official website or a trusted source like MajorGeeks. Not to toot our own horn, but we have decades of education and experience in the area, which gives us unique insight into many of the tricks that suspect authors try to pull. We also set higher standards for what we publish.

Verify Checksums: Remember that "hash" number we talked about earlier? The hash function applies a series of mathematical operations to each chunk of data, designed to ensure that even a small change in the input data results in a significantly different hash value - making each file unique. Some developers provide the checksums (MD5, SHA-1, etc.) for their downloads. Verifying these numbers with a tool like Chk Hash Tool https://www.majorgeeks.com/files/details/chk.html can ensure that the software hasn't been altered.

Read Documentation: Familiarize yourself with the tool's documentation to understand its functionality any potential risks associated with its use. Decide if you genuinely want to keep it on your machine or want it for a single use.

Get Informed: Keep up with community discussions and reviews about the tools you're using. Other users' experiences can provide valuable insights and tips for safe usage. So, reading the comments of other users on the download page, or asking in the forums can offer great insight.

Know your software: Not all antivirus software is created equal. Each product balances protection and usability. Defender, for example, is tuned more for usability. On the other hand, apps like Sophos, Malwarebytes, and Eset are tuned for higher user protection and are, hence, prone to more false positives. So get used to double-checking if u are in that camp. Further, know what your software is reporting; if it uses a term like "generic" or "GEN.xx,x,". It is typically a heuristic hit. "Riskware" or "PUP" -- is typically a warning.

Double check with VirusTotal: Virus Total allows you to upload any file for scanning by multiple antivirus engines, which gives you a better look into what you are dealing with from broader perspective. It s also a great tool to show how common false positives actually are. However, keep in mind that if you download a legit hacking tool and it is detected as a hacking tool -- you have a hacking tool, not a virus. https://www.majorgeeks.com/images/smilies/icon_smile.gif

Use Antivirus Whitelist: When your antivirus program flags a legitimate tool, and you are certain you want the software, consider adding it to the whitelist after verifying its safety. Whitelisting is offered by all antivirus apps and prevent future false positives without turning off your antivirus protection. Each software is different. Check the documentation, but usually, it's just a few clicks.

Conclusion
Nothing is perfect in this world, which also applies to antiviral products. Sometimes, we still need human intervention to keep the machines in line. We have no issue with an antivirus product tagging a risky product as risky or erring on the side of caution. Taking preventive measures by antivirus programs to prevent misuse by malicious actors is a very reasonable position. Still, it does not mean the software is harmful if used responsibly and for legitimate purposes. You do not blame the paintbrush for the painting, right?

Our beef is tagging a known-good product as "malware" just because some knucklehead theoretically could use it for a bad reason. Doing so unjustly damages the author's reputation, unreasonably scares a user, and eventually trains people to ignore legitimate threats. Antivirus companies need to improve their reporting in this regard. If you want to read more on the topic chgeck out Talkin’ SMAC: Alert Labeling and Why It Matters at Radid7
Click to expand...

DangitallRedux · Jul 26, 2025 at 9:26 AM

ShallowTraveler said: ↑

It's not "my scanner". It's Virus Total. Which MajorGeeks claims to use to vet files. Learn to read.
Click to expand...

I never called it "your" scanner so, as @satrow suggests, perhaps it's you who needs to learn how to read.

I am done with this thread. You are simply a complainer who wants to whine and cry about something, anything. Goodbye.

TimW · Jul 26, 2025 at 11:56 AM

ShallowTraveler said: ↑

Quick backstory: I've been building up a collection of software (programs, dependencies, codecs, etc.) to have saved in an offline backup just in case I don't have access to something online or it is removed from the web. Some of that collection I have built up using MajorGeeks; the K-Lite Codec Pack for instance. But today I decided to be a bit more judicious and use VirusTotal on everything I was downloading from here as some of the programs were old & obscure or deprecated. Half of them came back with alerts to Snakelogger or malware. This includes SmartImage 4.0.8 which is under the Misc. Utilities section along with many of the portable games in the Games section. Now perhaps these are false positives but MajorGeeks says in their public statement that they use VirusTotal specifically as a sanity check on programs. So are they seeing these alerts and investigating further on some obscure game in their back catalogue? I doubt it. I no longer trust this site for anything and see it as actively malicious. Buyer beware. Maybe someone can correct me on this in the comments. I'm open to it.
Click to expand...

Let me suggest you email Corporal Punishment - jim at majorgeeksdot com. he checks all downloads for malware.

TimW · Jul 26, 2025 at 12:03 PM

ShallowTraveler said: ↑

You can just check for yourself instead of fabricate an insane story about virus' infecting the downloaded file and then VT flagging the download. I told you which file was flagged.
Click to expand...

Let' be civil! I've alerted Jim and he will respond as soon as he gets the alert.

TimW · Jul 26, 2025 at 12:05 PM

ShallowTraveler said: ↑

You are a retard.
Click to expand...

And you are about to be gone!

LauraR · Jul 27, 2025 at 6:23 AM

Thread closed. If you have any more comments or issues with the downloads, feel free to

TimW said: ↑

Let me suggest you email Corporal Punishment - jim at majorgeeksdot com. he checks all downloads for malware.
Click to expand...

Do not start another thread on the topic. We are all about discussion...you are being an ass and offensive. Do it again and you'll be banned.

Corporal Punishment · Jul 31, 2025 at 9:58 AM

Good golly - I have been down this road too many times, but I guess until antivirus gets better, we will continue.

Let's start by saying, your antivirus software is backward-looking. It tries, but really can't know something is a virus until after it is a virus. To combat this, they use several preemptive strategies. None of which is perfect. But the reality is - in the antivirus world - if it is new, it is probably a virus.

The file you are speaking of is a small open-source author. It is possible he used an open-source DLL file that does something like "scan for files on C:" or "open internet connection silently," that was used by a virus author in the past. The DLL is safe, but gets flagged over and over because it was used in a bad manner in the past.

Or the file does something that is suspicious behavior, so they flag it to be 'safe', like read WIFI passwords or something like that. It is safe, it is not a virus, but it COULD be used by a bad actor --- so it is a virus. This is like saying you could hang yourself with your shoelace, so shoelaces are illegal. Kinda silly, huh? Large companies like Adobe or Microsoft don't have this problem because they are permanently whitelisted. They can write software with a shoe laces in a noose wrapped around your neck -- but it will fly though.

The other thing is that it could just be new and unknown to the antiviral program. This is the case for my FileOrganizerThing.
https://www.majorgeeks.com/files/details/majorgeeks_file_organizer_thing.html

I wrote it. I know what it does. It does exactly what I say it does, but because some antivirus companies haven't seen it before. It is a virus. And unless one of you files a ticket with them saying it isn't a virus -- it is a virus.

Even if we write all the copies and they whitelist the software, the next version will be detected, nd you have to do it again.... and again... and again.

The OTHER thing is some of these guys share their definitions, then rename them. So if I detect something as gen malware.1 TimW may pay me for that information, I'll pass the hash - but he remains it Valiant.Nasty.Thing.24

And this is how you see what you are seeing.

Actually, if you want to see more on false positives, check here. You may be surprised. https://www.av-comparatives.org/tests/false-alarm-test-march-2025/

False positives are a pain in the ass, but I don't blame the companies for them too much. It's like the flu shot; they have to take a best guess, and sometimes they are wrong. But I understand that they are trying to protect their customer.

Like once my Credit Card number was detected as a virus because the number partially matched a hash of a known virus.

Once my photography was detected as a virus -- that was funny.

And the worst - once an antiviral company detected my ntuser.dat as a virus and deleted it..... yeah, you read that right.

Anyhow, I have written quite a bit on the topic; feel free to read. But the point is that antiviral apps and Virus Total are guides, not the truth, when dealing with small, new, or niche products.

We have been dealing with this sort of thing at MajorGeeks for over 25 years. We have tested tens of thousands of files, as humans. We use multiple tools for testing and evaluation with our users in mind. That is how we have established ourselves as one of the most trusted download portals on the planet. (That and all these super helpful Geeks in the forum solving problems. #ThanksGeeks!). If you don't trust it, cool - move on. But please don't show up with a 3 out of 72 virus total report, yelling "gotcha!" and picking fights with people who have dedicated a significant portion of their lives to tech and helping people with tech. That's not gonna fly here. We are about learning and helping.

Bottom line: We dig out fresh new software. If you download fresh new software, you WILL run into false positives and warnings because antiviral programs do a bad job of handling that sort of file.

Log in or Sign up

Systemic Malware Issues

ShallowTraveler Private E-2

Attached Files:

GwjGXd6XMAABI6j.jpg

DOA MG's Loki

ShallowTraveler Private E-2

DangitallRedux Corporal

ShallowTraveler Private E-2

satrow Major Geek Extraordinaire

ShallowTraveler Private E-2

satrow Major Geek Extraordinaire

ShallowTraveler Private E-2

satrow Major Geek Extraordinaire

ShallowTraveler Private E-2

satrow Major Geek Extraordinaire

DangitallRedux Corporal

ShallowTraveler Private E-2

satrow Major Geek Extraordinaire

DangitallRedux Corporal

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

LauraR MajorGeeks Super-Duper Administrator Staff Member

Corporal Punishment Head of Software Shenanigans Staff Member

Log in or Sign up

Systemic Malware Issues

ShallowTraveler Private E-2

Attached Files:

GwjGXd6XMAABI6j.jpg

DOA MG's Loki

ShallowTraveler Private E-2

DangitallRedux Corporal

ShallowTraveler Private E-2

satrow Major Geek Extraordinaire

ShallowTraveler Private E-2

satrow Major Geek Extraordinaire

ShallowTraveler Private E-2

satrow Major Geek Extraordinaire

ShallowTraveler Private E-2

satrow Major Geek Extraordinaire

DangitallRedux Corporal

ShallowTraveler Private E-2

satrow Major Geek Extraordinaire

DangitallRedux Corporal

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

LauraR MajorGeeks Super-Duper Administrator Staff Member

Corporal Punishment Head of Software Shenanigans Staff Member

Useful Searches