VirusTotal

Discussion in 'General Chat' started by CyberKnight, Dec 4, 2018.

  1. CyberKnight
    Lately, I have observed members reporting a potential virus in a program based on "VirusTotal" results.
    Some even reported programs with a detection ratio of <10% (aka >90% clean).
    This makes our hardworking moderators work even harder.

    Maybe there should be some guidelines on when to report a suspicious program.

    [1] VirusTotal
    What is a recommended trigger value for the detection ratio?
    e.g. more than 15% of the engines report a potential virus infection

    Does anyone have experience with a reasonably safe detection ratio?

    [2] SandBox Environment

    If [1] (e.g. detection ratio > 15%) is met, the member should preferably test the program in a SandBox environment.
    From the SandBox environment, the changes made can be observed.
    If there are suspicious activities, then it is time to inform the Moderators of a potential virus threat.

    What do you folks think? ;)

    SandBox Environment
    When testing an unknown or suspicious program (e.g. keygen, patcher etc.), use a sandbox environment.
    Changes are made in this sandbox environment, which is isolated from the rest of your system.
    This keeps you safe from an unstable or malicious program, part of an adware bundle, or even a virus.
    And all you have to do is ... simply delete the offending article from your system.

    Virtual Environment
    It is more difficult to tell where the changes are made in a virtualized environment.
    But it does keep the rest of the system isolated.
    SandBox Environment
    [1] Sandboxie
    https://www.sandboxie.com

    [2] Shadow Defender
    http://www.shadowdefender.com/

    [3] SHADE Sandbox
    http://www.shadesandbox.com/

    Virtual Environment
    [4] VirtualBox
    https://www.virtualbox.org/wiki

    [5] VMWare Workstation
    https://www.vmware.com/products/workstation-player.html
     
    Last edited: Dec 4, 2018
  2. sxzbisid
    I would suggest prioritizing reports from serious AV engines instead of the detection ratio; there are a lot of "no-name" AV engines on the list reporting every exe packer ever used for malware.

    And what is a serious AV engine? I vote for Eset, Kaspersky, Avast, BitDefender and AVG.
     
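    To make the two ideas in this thread concrete (the 15% ratio trigger from the first post and "weight the serious engines" from the reply above), here is an added triage script. It is not code from any poster or from VirusTotal; the engine names in TRUSTED_ENGINES, the fictional "NoNameAV" engines, the 15% threshold and the sample verdicts are all assumptions constructed for the example. The result dictionaries are shaped like VirusTotal's v3 `last_analysis_results` (engine name -> category and label) so a real report could be dropped in, but nothing here talks to the service.

```python
"""Triage a VirusTotal-style result set by trusted engines, not raw ratio.

Added example for this thread; engine names, threshold and sample verdicts
below are assumptions, not data from a real scan.
"""

# Engines the posters call reliable. Assumption: keys match the engine
# names exactly as they appear in the report.
TRUSTED_ENGINES = frozenset({
    "ESET-NOD32", "Kaspersky", "Avast", "BitDefender", "AVG",
    "Emsisoft", "F-Secure", "GData",
})

# Fictional engines standing in for the "no-name" scanners on the list.
OTHER_ENGINES = ("NoNameAV-1", "NoNameAV-2", "NoNameAV-3", "NoNameAV-4", "SlowScan")
ENGINES = tuple(sorted(TRUSTED_ENGINES)) + OTHER_ENGINES

DETECTED = {"malicious", "suspicious"}
# Categories that count toward the ratio; timeouts and unsupported file
# types are left out so they do not dilute or inflate it.
COUNTED = DETECTED | {"undetected", "harmless"}

# Substrings typical of packer / heuristic labels, which often fire on
# legitimately packed executables (the "every exe packer" problem above).
GENERIC_MARKERS = ("packed", "packer", "heur", "generic")


def build_results(hits, timeouts=()):
    """Construct {engine: {"category": ..., "result": label-or-None}}.
    Every engine starts as undetected; `hits` maps engine -> (category, label)."""
    results = {e: {"category": "undetected", "result": None} for e in ENGINES}
    for engine, (category, label) in hits.items():
        results[engine] = {"category": category, "result": label}
    for engine in timeouts:
        results[engine] = {"category": "timeout", "result": None}
    return results


def detection_ratio(results):
    """Fraction of engines that returned a verdict and flagged the file."""
    counted = [r for r in results.values() if r["category"] in COUNTED]
    detected = [r for r in counted if r["category"] in DETECTED]
    return len(detected) / len(counted) if counted else 0.0


def trusted_detections(results, trusted=TRUSTED_ENGINES):
    """Names of trusted engines that flagged the file."""
    return sorted(e for e, r in results.items()
                  if e in trusted and r["category"] in DETECTED)


def generic_detections(results):
    """Engines whose label looks like a packer / heuristic signature."""
    out = []
    for engine, r in results.items():
        label = (r["result"] or "").lower()
        if r["category"] in DETECTED and any(m in label for m in GENERIC_MARKERS):
            out.append(engine)
    return sorted(out)


def triage(results, threshold=0.15):
    """Thread rules: a trusted-engine hit is worth reporting on its own;
    otherwise the ratio decides whether a sandbox run comes first; below
    the threshold it is most likely a false positive."""
    ratio = detection_ratio(results)
    trusted = trusted_detections(results)
    generic = generic_detections(results)
    if trusted:
        verdict = "report"
    elif ratio >= threshold:
        verdict = "sandbox-first"
    else:
        verdict = "likely-false-positive"
    return {"ratio": round(ratio, 4), "trusted_hits": trusted,
            "generic_hits": generic, "verdict": verdict}


# Constructed sample 1: only no-name engines fire, all with packer labels.
PACKER_HITS = {
    "NoNameAV-1": ("malicious", "Packed.Generic.123"),
    "NoNameAV-2": ("malicious", "W32.Packer.UPX"),
    "NoNameAV-3": ("suspicious", "Heur.Suspicious"),
}
SAMPLE_PACKED = build_results(PACKER_HITS, timeouts=("SlowScan",))

# Constructed sample 2: the same plus two trusted engines naming a family.
SAMPLE_TROJAN = build_results({
    **PACKER_HITS,
    "ESET-NOD32": ("malicious", "Win32/TrojanDownloader.Agent"),
    "Kaspersky": ("malicious", "Trojan-Downloader.Win32.Agent"),
}, timeouts=("SlowScan",))

if __name__ == "__main__":
    for name, sample in (("packed", SAMPLE_PACKED), ("trojan", SAMPLE_TROJAN)):
        print(name, triage(sample))
```

    With the packer-only sample the raw ratio is 25%, above the 15% trigger, yet no trusted engine fired and every label is a packer heuristic, so the script sends it to a sandbox rather than straight to the moderators; the second sample reports on the strength of the two trusted hits regardless of ratio. Swap the threshold or the trusted set to match whatever guideline the forum settles on.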
  3. Markat
    :D you must be new to warez? There are guidelines pinned in the application section. You can always post any questionable results and ask @Challenger or @JonArbuckle and several others to explain the results. More often than not, they are false positives.
     
  4. Tiz
    The problem is that false alerts have become so common that the AV industry now has to use whitelisting and similar techniques.

    I agree with sxzbisid that you should concentrate on [somewhat] "reliable" engines. In addition to the engines already mentioned, I would also look at Emsisoft, F-Secure and Gdata.

    Not sure whether the proposed sandbox test is ideal for the "average Joe". Moreover, sophisticated malware can detect virtual environments and then "hide"/not run. I agree, however, that it is good to apply medicine within a virtual machine.

    I would generally suggest the following:

    1. Use a firewall with a comfy rules assistant (e.g. BiniSoft Windows Firewall Control) and familiarize yourself with granular blocking (i.e. blocking specific addresses so that, for example, your email program can only connect to your specific email provider).

    2. Do not install an AV scanner that deeply integrates into your OS (these AVs can be more dangerous than the malware itself). Instead use this one: https://securityxploded.com/virus-total-scanner.php (convenient, relies on VirusTotal multi-scan).

    3. Do not use zero-day stuff. Just wait a week until sufficient samples have been submitted to the AV industry.

    4. Preferably, download the original installer from the original software producer's website.

    5. Apply any medicine to the original software WITHIN a virtual machine (like Portable VirtualBox).

    6. Use a hex editor and check whether the medicine has performed only minor modifications to the original software (i.e. compare the original .exe or .dll with the modified versions). Be very careful if the medicine tries to download content from the internet or place completely new files on your hard drive.

    7. Only thereafter, copy the modified files to the software installation folder on your host machine.
     
    Last edited: Jan 17, 2019
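    Step 6 above (compare the original .exe/.dll with the modified copy and be wary of anything beyond a few changed bytes or a size increase) is easy to do mechanically rather than by scrolling a hex editor. The script below is an added example, not code from any poster; the byte strings ORIGINAL, PATCHED and APPENDED are constructed stand-ins for real files, and the 64-byte "minor" cutoff is an assumption you can tune. It records both SHA-256 hashes so the before/after pair can be referenced in a report.

```python
"""Report how much a modified binary differs from the original it came from.

Added example for step 6 of the post above; the sample bytes are constructed
here and stand in for an original .exe/.dll and its modified copy.
"""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def diff_ranges(original, modified):
    """Return [(offset, length), ...] for every run of differing bytes within
    the length both files share.  Bytes beyond that length are reported
    separately as a size change."""
    n = min(len(original), len(modified))
    ranges, start = [], None
    for i in range(n):
        if original[i] != modified[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    return ranges


def hexdump_range(original, modified, offset, length):
    """One line showing the changed bytes before and after, for eyeballing."""
    before = " ".join(f"{b:02x}" for b in original[offset:offset + length])
    after = " ".join(f"{b:02x}" for b in modified[offset:offset + length])
    return f"0x{offset:08x}: {before} -> {after}"


def assess(original, modified, max_changed_bytes=64):
    """A patch that keeps the size and touches only a handful of bytes is
    'minor'; anything that grows the file or rewrites large regions needs
    a closer look before it goes anywhere near the host installation."""
    ranges = diff_ranges(original, modified)
    changed = sum(length for _, length in ranges)
    size_delta = len(modified) - len(original)
    minor = size_delta == 0 and changed <= max_changed_bytes
    return {
        "sha256_original": sha256_hex(original),
        "sha256_modified": sha256_hex(modified),
        "size_delta": size_delta,
        "changed_bytes": changed,
        "ranges": ranges,
        "verdict": "minor-patch" if minor else "needs-review",
    }


# Constructed stand-in for an original binary: 1 KiB of repeating bytes.
ORIGINAL = bytes(range(256)) * 4

# Constructed "patched" copy: five bytes changed in two places, same size.
_patched = bytearray(ORIGINAL)
_patched[0x10:0x12] = b"\x90\x90"
_patched[0x200:0x203] = b"\xff\xff\xff"
PATCHED = bytes(_patched)

# Constructed copy with 32 bytes appended: a size change, so not "minor".
APPENDED = ORIGINAL + b"\x41" * 32

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python check_patch.py original modified
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            orig, mod = f1.read(), f2.read()
    else:
        orig, mod = ORIGINAL, PATCHED
    report = assess(orig, mod)
    for off, ln in report["ranges"]:
        print(hexdump_range(orig, mod, off, ln))
    print({k: v for k, v in report.items() if k != "ranges"})
```

    Run it with two file paths to compare real files; with no arguments it runs on the constructed samples. A clean result is a handful of small ranges and `size_delta` of 0; a grown file or hundreds of changed bytes is exactly the "completely new content" case the post warns about, and the hashes give you something concrete to look up or submit.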