Example of Process Explorer and VirusTotal Ratios
As you've probably guessed, the displayed VirusTotal ratio indicates how many of the antivirus engines at VirusTotal reported the submitted executable (identified by its hash) as malicious. Currently the list holds 67 antivirus engines, but that count goes up and down all the time. I'm not sure why some executables are inspected by all of the engines and others only by some, but regardless of the denominator (the number of engines that scanned the file), if the numerator (the number of engines that flagged it) is greater than zero you could have malware.
If it says 1/57 or 2/57, however, it probably isn't malware, but a false positive instead. On the other hand, I've seen at least one real malware program that was detected by only one of the engines, so double-check whether the name and the vendor who created the program look familiar. If not, it could be malicious. But in general, if the numerator is 1, I usually relax. If it's 2, I investigate a little bit more. But even most of the 2s end up being false positives. The next screenshot shows examples of two false positives, both related to the legitimate vendor, WinZip Computing.
Example of VirusTotal False-Positives
If you are not sure, simply click on the reported ratio, and it will take you to the VirusTotal page showing which AV engines did and didn't report the file as malware. VirusTotal also displays two symbols at the top of the page, one a red devil and the other a green smiley face wearing a halo. If the arrow is pointing to the green smiley face, which it usually is in these instances, VirusTotal's own assessment classifies the file as non-malicious. In the example screenshot below, even though the one "rogue" AV engine (in this case, eGambit) itself claims 99 percent confidence that the file is malicious, none of the other 65 AV engines agree, and VirusTotal itself (as evidenced by the selected green smiley face) doesn't agree either.
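The rule of thumb above (numerator 0 is clean, 1 is usually a false positive unless the vendor is unfamiliar, 2 deserves a closer look, more is suspect) and the click-through to the VirusTotal report page can be turned into a small triage helper. The following is an added example, not code from the article, from Sysinternals or from VirusTotal. The process list, the vendor allowlist and the ratio strings are constructed for the example; the report URL format and the "Unknown" value for never-seen hashes are assumptions about how VirusTotal and Process Explorer present them, not facts taken from the page.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed allowlist of vendors this analyst already recognises.
# In practice this would be the "Company Name" column of processes you trust.
KNOWN_VENDORS = {
    "Microsoft Corporation",
    "WinZip Computing",
    "Sysinternals - www.sysinternals.com",
}

# Matches a ratio such as "2/67" as shown in Process Explorer's VirusTotal column.
RATIO_RE = re.compile(r"^\s*(\d+)\s*/\s*(\d+)\s*$")


@dataclass
class VtEntry:
    """One row of a Process Explorer-style listing (constructed shape)."""
    process: str
    vendor: Optional[str]   # "Company Name" column, None if the binary carries none
    ratio: str              # "VirusTotal" column, e.g. "2/67" or (assumed) "Unknown"


def parse_ratio(text: str) -> Tuple[int, int]:
    """Return (detections, engines_scanned) from a ratio string such as '2/67'.

    Raises ValueError for anything that is not a well-formed ratio, including
    a zero denominator or more detections than engines.
    """
    m = RATIO_RE.match(text)
    if not m:
        raise ValueError(f"not a VirusTotal ratio: {text!r}")
    hits, total = int(m.group(1)), int(m.group(2))
    if total == 0 or hits > total:
        raise ValueError(f"implausible ratio: {text!r}")
    return hits, total


def triage(entry: VtEntry) -> str:
    """Apply the article's rule of thumb to one process row.

    Returns one of:
      'unknown'               - column is not a ratio (hash never scanned; assumed display value)
      'clean'                 - 0 detections
      'likely-false-positive' - 1 detection from a vendor you recognise
      'investigate'           - 1 detection from an unfamiliar vendor, or 2 detections
      'suspect'               - 3 or more detections
    """
    try:
        hits, _total = parse_ratio(entry.ratio)
    except ValueError:
        return "unknown"
    if hits == 0:
        return "clean"
    vendor_known = entry.vendor in KNOWN_VENDORS
    if hits == 1:
        return "likely-false-positive" if vendor_known else "investigate"
    if hits == 2:
        return "investigate"
    return "suspect"


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory blob; VirusTotal keys its reports by file hash."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_report_url(sha256_hex: str) -> str:
    """Build the report page URL you would reach by clicking the ratio.

    The path layout below is an assumption about VirusTotal's web UI, not taken from the page.
    """
    return f"https://www.virustotal.com/gui/file/{sha256_hex.lower()}"


if __name__ == "__main__":
    # Constructed sample rows, not a real Process Explorer capture.
    rows = [
        VtEntry("svchost.exe", "Microsoft Corporation", "0/67"),
        VtEntry("winzip32.exe", "WinZip Computing", "1/57"),
        VtEntry("updater.exe", None, "1/57"),
        VtEntry("wzzip.exe", "WinZip Computing", "2/57"),
        VtEntry("helper.exe", "Acme Tools", "9/67"),
        VtEntry("tmp1234.exe", None, "Unknown"),
    ]
    for row in rows:
        print(f"{row.process:14} {row.ratio:8} -> {triage(row)}")
```

The verdicts are only a starting point for manual review; the `investigate` and `suspect` rows are the ones worth opening in the VirusTotal report to see which engines fired and whether the page's own assessment (the smiley-face indicator the article describes) agrees.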
Example Screenshot of VirusTotal Detailed Results
So why would I recommend a program that often has false positives? First, it's an inherent problem with VirusTotal and not Process Explorer. Usually the false positives are cleared up in hours as the AV vendor does its research and clean-up. And if you can overlook the occasional minor false positive that is easy to rule out, there is no single antivirus engine that is anywhere near as accurate as VirusTotal. It may make some minor mistakes erring on the side of caution, but it more than makes up for that by detecting the things that many other AV products miss. It uses the power of 67 different AV engines against malware writers. Your antivirus product may miss something, but VirusTotal doesn't.