zer0nix

How do you check for false positives?


A lot of the trojans that Ad-Aware is detecting are somehow slipping by the full array of virus-detecting software on VirusTotal and Jotti, which raises the following questions:

First, what does this mean? Are these false detections? (A lot of the files that are turning up as such are 'no CD' exes that bypass CD checking, so I really HOPE these are false positives; I'd rather not have to wrangle with a drawer full of CDs!) Furthermore, are there any other reliable, free virus-scanning websites other than VirusTotal and Jotti for confirming the presence of malware? Finally, how do y'all check for false positives?

PSS: IMHO these websites deserve a mention in the 'useful free tools' sticky under 'general support.'

Hi zer0nix,

[quote]a lot of the trojans that adaware is detecting are somehow slipping by the full array of virus detecting software on virustotal and jotti, which raises the following questions: first, what does this mean? are these false detections?[/quote]
It means that these files have attributes that cause them to be flagged as detected! :)

Seriously though, because of the sheer volume of malware seen these days, we need to have more efficient detection routines. In the past, we would have used one signature to detect one file (1:1 detection ratio). If we see tens of thousands of new samples every day, it means that we would need to add tens of thousands of new detection routines every day. This would have a huge impact on update sizes.

Instead, we use other detection techniques, like behavioural analysis, runtime analysis using an emulator and other triggers that would indicate a malicious file. These detection routines have a 1:many detection ratio, which means we can catch more malware without having to use so many detection routines.

However, sometimes, non-malicious files have similar attributes to malware (as a very basic example, maybe it's packed with a packer commonly used by malware or has other similarities) and they can be detected from time to time. This would be a false positive.

[quote]are there any other reliable, free virus scanning websites other than virustotal and jotti for confirming the presence of malware?[/quote]
Virus Total & Jotti are easily the best but it's not a cast iron guarantee that the files you upload are malware. It should just be treated as an indication that it could be malware.

[quote]how do y'all check for false positives?[/quote]
We re-investigate the file & if it is a false positive, we fix the detection routine that caused it.

[quote]imho these websites deserve a mention in the 'useful free tools' sticky under 'general support[/quote]
I like this idea!

Andy
Lavasoft Malware Labs
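To make the 1:1 versus 1:many distinction concrete, here is a toy scanner written as an added example for this thread. It is not Lavasoft's or Ad-Aware's detection logic; the samples, hashes, rule names, weights and threshold are all constructed for illustration. A hash signature catches only the byte-identical file, while a heuristic built on shared attributes (a common packer, injection-style imports) also catches a recompiled variant, and that same heuristic flags a benign packed no-CD patch. The last part shows the fix Andy describes: re-investigate the false positive and tighten the rule that caused it, then confirm the real samples are still caught.

```python
"""Toy 1:1 (hash signature) vs 1:many (heuristic) detection, with a false
positive and the rule fix that clears it. All data is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Sample:
    """Constructed stand-in for a scanned PE file (hypothetical fields)."""
    name: str
    data: bytes            # constructed file bytes, not a real binary
    section_names: list    # what a PE parser would report
    imports: list          # imported API names a PE parser would report
    is_malicious: bool     # ground truth, known only after analyst review


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples. The no-CD patch is benign but shares a packer and one
# API with the trojan, which is exactly the situation that yields a false positive.
TROJAN = Sample("trojan_a.exe", b"MZ-constructed-trojan-body",
                ["UPX0", "UPX1", ".rsrc"],
                ["WriteProcessMemory", "CreateRemoteThread", "InternetOpenUrlA"], True)
TROJAN_VARIANT = Sample("trojan_b.exe", b"MZ-constructed-trojan-body-recompiled",
                        ["UPX0", "UPX1", ".rsrc"],
                        ["WriteProcessMemory", "CreateRemoteThread", "InternetOpenUrlA"], True)
NOCD_PATCH = Sample("game_nocd.exe", b"MZ-constructed-nocd-patch",
                    ["UPX0", "UPX1", ".rsrc"],
                    ["WriteProcessMemory", "VirtualProtect"], False)
EDITOR = Sample("editor.exe", b"MZ-constructed-plain-editor",
                [".text", ".data", ".rsrc"],
                ["CreateFileW", "ReadFile", "WriteFile"], False)
SAMPLES = [TROJAN, TROJAN_VARIANT, NOCD_PATCH, EDITOR]

# 1:1 detection: one signature per known file (constructed hash of TROJAN).
SIGNATURE_DB = {sha256(TROJAN.data): "Trojan.Constructed.A"}


def scan_signature(sample: Sample):
    """Exact-match lookup; a recompiled variant has a new hash and is missed."""
    return SIGNATURE_DB.get(sha256(sample.data))


# 1:many detection: weighted attributes commonly shared by malware.
# (rule name, weight, predicate) - all hypothetical.
HEURISTIC_RULES = [
    ("upx_packed", 2, lambda s: any(n.startswith("UPX") for n in s.section_names)),
    ("process_injection_apis", 3,
     lambda s: {"WriteProcessMemory", "CreateRemoteThread"} <= set(s.imports)),
    ("memory_patching_api", 1, lambda s: "WriteProcessMemory" in s.imports),
    ("network_api", 1, lambda s: any(i.startswith("Internet") for i in s.imports)),
]
# After re-investigating the no-CD false positive: benign patchers legitimately
# use WriteProcessMemory on their own game, so that rule alone is dropped.
TIGHTENED_RULES = [r for r in HEURISTIC_RULES if r[0] != "memory_patching_api"]
HEURISTIC_THRESHOLD = 3  # arbitrary cut-off for this toy


def scan_heuristic(sample: Sample, rules=HEURISTIC_RULES):
    """Return (score, names of triggered rules)."""
    hits = [name for name, _, test in rules if test(sample)]
    score = sum(weight for name, weight, _ in rules if name in hits)
    return score, hits


def heuristic_detected(sample: Sample, rules=HEURISTIC_RULES) -> bool:
    return scan_heuristic(sample, rules)[0] >= HEURISTIC_THRESHOLD


def outcome(detected: bool, is_malicious: bool) -> str:
    """Compare a verdict with ground truth: TP, FP, TN or FN."""
    if detected:
        return "TP" if is_malicious else "FP"
    return "FN" if is_malicious else "TN"


def evaluate(samples, rules=HEURISTIC_RULES):
    """Per-sample outcome for both detection styles."""
    return {
        s.name: {
            "signature": outcome(scan_signature(s) is not None, s.is_malicious),
            "heuristic": outcome(heuristic_detected(s, rules), s.is_malicious),
        }
        for s in samples
    }


if __name__ == "__main__":
    for name, res in evaluate(SAMPLES).items():
        print(f"{name:16} {res}")
    print("after rule fix:", evaluate(SAMPLES, TIGHTENED_RULES)["game_nocd.exe"])
```

With the original rules the signature scanner misses `trojan_b.exe` (FN) while the heuristic catches both trojans but also flags `game_nocd.exe` (FP) on nothing more than the packer plus one API. With `TIGHTENED_RULES` the patch drops below the threshold and both trojans remain detected, which is the fix-the-routine step rather than whitelisting one file.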

[quote]are there any other reliable, free virus scanning websites other than virustotal and jotti for confirming the presence of malware?[/quote]
One more: [url="http://virscan.org/"]http://virscan.org/[/url]

[quote]PSS: imho these websites deserve a mention in the 'useful free tools' sticky under 'general support.' [/quote]
Please, add them and other tools you think are good to [url="http://www.lavasoftsupport.com/index.php?/topic/24927-useful-free-tools/"]http://www.lavasofts...ful-free-tools/[/url]
I have opened the topic now.

[quote]Virus Total & Jotti are easily the best but it's not a cast iron guarantee that the files you upload are malware. It should just be treated as an indication that it could be malware.[/quote]
And vice versa, sometimes malicious files are not detected by any of the programs. The command line scanners used by these websites often have less detection capability than the corresponding program when it is installed on a computer.
