
How Reliable Are Virustotal.com Results!


manu


https://www.virustotal.com first analyses the MD5 checksum of a file, and if that MD5 matches a previously analysed file then the site gives the old results even if you reanalyse it.

EXAMPLE:

Download impostor patch for IDM from his site

http://www.de-compiler.me/

http://www.de-compiler.me/downloads/keygens/Tonec.Inc.Internet.Download.Manager.v6.xx.WinALL.Incl.Keygen.and.Patch-UnREaL.zip

and analyse the .exe on VirusTotal: 7/46 (even if you reanalyse it)

https://www.virustotal.com/en/file/9d8ddeb48b84ef3c9afc51c99620268d29fcc65a7e4ba0b0d4dcb052ce436524/analysis/1367919937/

Now download MD5 hasher 1.0

http://www.softpedia.com/progDownload/Rain-MD5-Hasher-Download-151896.html

and change the MD5 checksum of the .exe file and analyse it again on VirusTotal: 3/46

https://www.virustotal.com/en/file/7f52834df78597e2fee3a0c63f02dd1f657d7d5b8f796e065c81351ba3386688/analysis/1367920378/

.exe file with MD5 changed: http://ge.tt/3rH7tyf/v/0

The same goes for the iota patch: from 20/46 it becomes 15/46.


That probably depends on the virus engines of the antiviruses that VirusTotal uses. It has nothing to do with them. That just shows how some antiviruses are poor and not reliable since they use MD5 in their databases for detection.

Cheers ;)

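The two posts above turn on exact-hash matching: a lookup keyed on a whole-file hash treats any altered copy as a new file. The sketch below is an added example, not code from the thread or from VirusTotal; it shows a defender-side near-duplicate check that still links such a copy to a known entry. The sample bytes, the `KNOWN_BAD` table, the chunk size and the threshold are all constructed, and it assumes the altered copy differs only in trailing bytes, which the thread does not state.

```python
import hashlib

CHUNK = 64  # small chunk size so the constructed samples span many chunks

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def chunk_digests(data: bytes) -> list:
    """Digest of each fixed-size chunk, in file order."""
    return [hashlib.sha256(data[i:i + CHUNK]).digest()
            for i in range(0, len(data), CHUNK)]

def similarity(a: bytes, b: bytes) -> float:
    """Share of chunks equal at the same offset, relative to the longer file."""
    ca, cb = chunk_digests(a), chunk_digests(b)
    same = sum(1 for x, y in zip(ca, cb) if x == y)
    return same / max(len(ca), len(cb), 1)

def classify(sample: bytes, known_bad: dict, threshold: float = 0.9) -> tuple:
    """Exact hash lookup first, then a near-duplicate check against each entry."""
    digest = sha256_hex(sample)
    for name, ref in known_bad.items():
        if sha256_hex(ref) == digest:
            return ("exact", name)
    score, name = max(((similarity(sample, ref), n) for n, ref in known_bad.items()),
                      default=(0.0, None))
    return ("near-duplicate", name) if score >= threshold else ("unknown", None)

# Constructed byte strings standing in for files; none is a real sample.
ORIGINAL = bytes(range(256)) * 16                     # 4096 bytes, 64 chunks
VARIANT = ORIGINAL + b"\x00" * 8                      # same content, 8 extra trailing bytes
UNRELATED = hashlib.sha256(b"other").digest() * 128   # 4096 bytes of different content
KNOWN_BAD = {"sample-a": ORIGINAL}                    # hypothetical blocklist entry

if __name__ == "__main__":
    for label, data in [("original", ORIGINAL), ("variant", VARIANT),
                        ("unrelated", UNRELATED)]:
        print(label, sha256_hex(data)[:16], classify(data, KNOWN_BAD))
```

Offset-aligned chunks only survive changes that leave the rest of the file in place; fuzzy hashes such as ssdeep or TLSH are the usual choice when content shifts.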


Nice information! Really thanks!

Also, how do we trust software here that has a detection rate of, let's say, 2/45 and it came from a new member?



how do we trust software here that has a detection rate of, let's say, 2/45 and it came from a new member?

I don't think new or old makes any difference. "TO ERR IS HUMAN"

Anybody can make a mistake or sometimes unknowingly post an infected file,

but if VirusTotal says 2/45 then what's the problem? It's a falsely high detection rate that you should be worried about.

:)

PLUS just a note: "SYMANTEC" is included in those antiviruses which depend on MD5



AlienForce1

One explanation is how the multi-scan is done by the 46 AVs and the versions used by VirusTotal -> they don't use the latest AV versions.

One example to make myself clear: a file scanned on VirusTotal is declared clean by VirusTotal's version of Kaspersky but infected by the latest version used on my PC ... (and not just once...)



  • Administrator

Changed the title, all Caps lock is a bit rough. ;) Also, moved to Security and Privacy Center.

I agree though, cannot blame VT for this.

And I was all ready to blame Symantec for this nonsense, but then I read its verdict: "WS.Reputation.1". The reputation part suggests that its marking is hash- and community-based, and it doesn't consider the actual file unsafe, meaning, purposely putting a false flag, because it's a fix. -_- So yeah, now I can slam Symantec for such cheap scare tactics. :P



So judging by different scan results for the same file, I will not consider using this kind of antivirus in the future...

  • AhnLab-V3
  • Comodo
  • Fortinet
  • Ikarus
  • McAfee (This was always a poor antivirus :P)
  • Panda


VirusTotal is just an indicator of what various AV engines think about the file in question (which is not too important.)

The more important point is what the human element thinks - ideally, I'd stick to using stuff from known sources only (and/or home-cooked releases.)



You just need to look at the detection names of well-known vendors...

Many vendors have heuristics that will name detections in the same way, even if there is a huge difference between scanned files/malware...

Many vendors don't describe detections well, like in these examples. A Trojan description could mean anything, but Riskware Tool means something different, and more precise...

Look at this detection Trojan-GameThief.Win32.OnLineGames - makes me laugh....



SnakeMasteR

Put a virus with a high detection rate into an Excel document and upload it to VT, then create the same Excel document but this time with password protection and then upload it again to VT, now see the surprise, it's magic. :P



Archived

This topic is now archived and is closed to further replies.
