manu Posted May 7, 2013
https://www.virustotal.com first analyses the MD5 checksum of a file, and if that MD5 matches a previously analysed file then the site gives the old results even if you reanalyse it.
EXAMPLE:
Download impostor patch for IDM from his site http://www.de-compiler.me/
http://www.de-compiler.me/downloads/keygens/Tonec.Inc.Internet.Download.Manager.v6.xx.WinALL.Incl.Keygen.and.Patch-UnREaL.zip
and analyse the .exe on virustotal: 7/46 (even if you reanalyse it)
https://www.virustotal.com/en/file/9d8ddeb48b84ef3c9afc51c99620268d29fcc65a7e4ba0b0d4dcb052ce436524/analysis/1367919937/
Now download MD5 hasher 1.0 http://www.softpedia.com/progDownload/Rain-MD5-Hasher-Download-151896.html
and change the MD5 checksum of the .exe file and again analyse it on virustotal: 3/46
https://www.virustotal.com/en/file/7f52834df78597e2fee3a0c63f02dd1f657d7d5b8f796e065c81351ba3386688/analysis/1367920378/
.exe file with MD5 changed:
http://ge.tt/3rH7tyf/v/0
Same goes for iota patch: from 20/46 it becomes 15/46.
Mr Orus Posted May 7, 2013
B) thanks for sharing :coolwink:
mara- Posted May 7, 2013
That probably depends on virus engines of antiviruses that virustotal uses. It has nothing to do with them. That just shows how some antiviruses are poor and not reliable since they use MD5 in their databases for detection.
Cheers ;)
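The effect discussed in this thread, where a file's verdict changes once its MD5 changes, as an added Python example (not from any poster and not any antivirus product's code): an exact-hash lookup misses a copy with one appended byte, while a per-block hash comparison still matches it. The sample bytes, block size and threshold are constructed for illustration.

```python
import hashlib

BLOCK = 64  # bytes per block (constructed value for this demo)

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def block_hashes(data, size=BLOCK):
    """SHA-256 of every full fixed-size block; a trailing partial block is ignored."""
    return {hashlib.sha256(data[i:i + size]).hexdigest()
            for i in range(0, len(data) - size + 1, size)}

def similarity(a, b):
    """Jaccard similarity of the two inputs' block-hash sets (0.0 to 1.0)."""
    ha, hb = block_hashes(a), block_hashes(b)
    if not ha or not hb:
        return 0.0
    return len(ha & hb) / len(ha | hb)

def classify(sample, known_bad, threshold=0.9):
    """Exact-hash lookup first, then near-duplicate comparison."""
    if md5_hex(sample) in {md5_hex(k) for k in known_bad}:
        return "exact-hash match"
    if any(similarity(sample, k) >= threshold for k in known_bad):
        return "near-duplicate match"
    return "no match"

# Constructed sample data: 2048 pseudo-random bytes stand in for a flagged file.
KNOWN = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
ALTERED = KNOWN + b"\x00"  # same content, one byte appended, so a new MD5
UNRELATED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(100, 164))

if __name__ == "__main__":
    for name, blob in (("known", KNOWN), ("altered", ALTERED), ("unrelated", UNRELATED)):
        print(name, md5_hex(blob), classify(blob, [KNOWN]))
```

Fixed-size blocks survive appended or overwritten bytes but not insertions that shift the content; tools built for this job use content-defined chunking or fuzzy hashes instead.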
nIGHT Posted May 7, 2013
Nice information! Really thanks!
Also, how do we trust software here that has a detection rate of let's say 2/45 and it came from a new member?
manu (Author) Posted May 7, 2013
> how do we trust software here that has a detection rate of let say 2/45 and it came from a new member?
I don't think new or old makes any difference. "TO ERR IS HUMAN"
Anybody can make a mistake or sometimes unknowingly post an infected file,
but if virustotal says 2/45 then what's the problem? It's a falsely high detection rate that you should be worried about :)
PLUS just a note: "SYMANTEC" is included in those antiviruses which depend on MD5.
nIGHT Posted May 7, 2013
You're right and thanks for replying, Manu! :D
Ramjade Posted May 7, 2013
One way to check: look out for stuff like Not-a-virus, Patch, riskware.
AlienForce1 Posted May 7, 2013
One explanation is how the multi-scan is done by the 46 AVs and the versions used by VirusTotal -> they don't use the latest AV versions.
One example to make myself clear: a file scanned on VirusTotal is declared clean by Kaspersky's version on VirusTotal but infected by the latest version used on my PC ... (and not just once...)
DKT27 (Administrator) Posted May 7, 2013
Changed the title, all Caps lock is a bit rough. ;) Also, moved to Security and Privacy Center.
I agree though, cannot blame VT for this.
And I was all ready to blame Symantec for this nonsense, but then I read its verdict: "WS.Reputation.1". The reputation part suggests that its marking is hash and community based, and it doesn't consider the actual file unsafe, meaning, purposely putting a false flag, because it's a fix. -_- So yeah, now I can slam Symantec for such cheap scaring tactics. :P
Ashish Posted May 8, 2013
IDM babel patch shows 36/46
manu (Author) Posted May 8, 2013
> IDM babel patch shows 36/46
Virus total report:
https://www.virustotal.com/en/file/80725340b7830288dfe4969eb070a542516a040efc2c1e6473b6051d086f46ab/analysis/1367990660/
After changing MD5 it's 31/46:
https://www.virustotal.com/en/file/349338e753aff5b871393cd3216174cf31ad623b55ad4cdbaf51c66fd47969af/analysis/1367990776/
Zex Posted May 8, 2013
So judging by different scan results for the same file, I will not consider using this kind of antivirus in the future...
AhnLab-V3
Comodo
Fortinet
Ikarus
McAfee (This was always a poor antivirus :P)
Panda
dcs18 Posted May 8, 2013
VirusTotal is just an indicator of what various AV engines think about the file in question (which is not too important.)
The more important point is what the human element thinks - ideally, I'd stick to using stuff from known sources only (and/or home-cooked releases.)
MAXS Posted May 8, 2013
You just need to look at the detection name of well known vendors...
Many vendors have heuristics that will name detections in the same way, even if there is a huge difference between scanned files/malware...
Many vendors don't describe detections well, like in these examples. Trojan description could mean anything, but Riskware Tool means something different, and more precise...
Look at this detection Trojan-GameThief.Win32.OnLineGames - makes me laugh....
SnakeMasteR Posted May 8, 2013
Put a virus with a high detection rate into an Excel document and upload it to VT, then create the same Excel document but this time with password protection and then upload it again to VT, now see the surprise, it's magic. :P
MAXS Posted May 8, 2013
It is normal, if it is encrypted, logically it will be hidden...
This topic is now archived and is closed to further replies.