
Why the engine for Virustotal is at max sensitivity and no F/P mitigation?



People use VirusTotal to see if a file already detected by their antivirus is really a false positive or a real virus, especially when downloading files from "unofficial" direct download pages, but also when downloading for other reasons (an APK of an app not legally available in your country, or software that blocks your country).

I say your engine for VT should have the same level as the commercial product by "default".

Staff

Greetings,

While I cannot speak for the Researchers or Developers, my guess would be that they likely keep some of the more aggressive heuristics enabled on VT for the sake of training and improving those components over time by exposing them to more files (both clean and malicious).

That said, any time you see any engine, including on VT, detecting anything with the terms 'AI', 'GEN', 'GENERIC', 'TROJAN.AGENT', or similar, it is likely to be a heuristics-based detection, meaning it is quite possibly a false positive. This unfortunately happens more often these days than ever, since many AVs share engines and/or databases between them, as some AV vendors license their databases/engines to other vendors for profit, diluting the value of the results from multi-engine scans such as VT. Often this will be evident when two engines identify the same file with the exact same vendor name/threat name, but some of them deliberately modify the naming even when the detection comes from the same shared engine/signature, so this is not a 100% effective way to identify when this might be the reason for two products detecting the same file.

As for Malwarebytes' results specifically, any time you see the term 'AI' as part of the threat name, it is coming from Malwarebytes' Machine Learning component. Likewise, whenever you see a threat identified with a string similar to 'Malware.Heuristic.####', it comes from the more recent expert algorithm component, which is still experimental. I am not certain which components are and are not enabled for VirusTotal, so I'm not sure whether you would ever see certain detection types on VT or not from Malwarebytes.

Edited by exile360
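The triage rules described in the post above (generic/heuristic markers in a threat name, and several engines reporting the identical name as a hint of a shared engine or signature), turned into a small script. This is an added example, not code from the forum or from Malwarebytes; the engine names and threat names in SAMPLE_RESULTS are constructed, and the marker list is an assumption based on the terms the post lists.

```python
import re
from collections import defaultdict

# Tokens that usually mark an ML/heuristic verdict rather than a specific
# signature (assumption: list built from the terms named in the post).
HEURISTIC_TOKENS = {"AI", "HEURISTIC", "HUERISTIC"}
HEURISTIC_PREFIXES = ("GEN",)          # matches GEN, GENERIC, GENERICKD, ...


def is_heuristic_name(threat_name):
    """True if the detection name looks generic/heuristic rather than family-specific."""
    upper = threat_name.upper()
    if "TROJAN.AGENT" in upper:
        return True
    tokens = re.split(r"[.\-_/:!\s]+", upper)
    return any(tok in HEURISTIC_TOKENS or tok.startswith(HEURISTIC_PREFIXES)
               for tok in tokens)


def triage(results):
    """results: {engine_name: threat_name or None} as one would read off a
    multi-engine report. Returns which engines gave heuristic verdicts, which
    threat names were reported verbatim by more than one engine (possible
    shared engine/signature), and which engines gave a unique, specific name."""
    by_name = defaultdict(list)
    for engine, name in results.items():
        if name:
            by_name[name].append(engine)
    heuristic = sorted(e for e, n in results.items() if n and is_heuristic_name(n))
    shared = {n: sorted(es) for n, es in by_name.items() if len(es) > 1}
    specific = sorted(e for e, n in results.items()
                      if n and not is_heuristic_name(n) and len(by_name[n]) == 1)
    return {"heuristic": heuristic, "shared": shared, "specific": specific,
            "detections": sum(1 for n in results.values() if n)}


# Constructed sample report: seven engines, six verdicts, one clean.
SAMPLE_RESULTS = {
    "EngineA": "Malware.AI.4163055010",
    "EngineB": "Gen:Variant.Razy.123",
    "EngineC": "Trojan.Agent!ml",
    "EngineD": "Win32.Example.Family.A",
    "EngineE": "Win32.Example.Family.A",
    "EngineF": "Backdoor.Win32.Specific.xyz",
    "EngineG": None,
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RESULTS).items():
        print(f"{key}: {value}")
```

On the sample, three of the six detections are heuristic and two more are the same string from two engines, leaving a single engine with an independent, specific name.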
3 hours ago, leo3487 said:

I say your engine for VT should have the same level as the commercial product by "default".

The issue currently is that VirusTotal is having trouble reaching Malwarebytes' whitelisting cloud server at this time.

As a result, anything that MB whitelists in the program is not reflected in the VT results.
