
How to detect malware infection in 9 easy steps

Roger A. Grimes | Oct. 26, 2017
Hey Windows users: Here's how to get the incredible power of 67 antivirus engines with no performance impact on your computer

Example of Process Explorer and VirusTotal Ratios

As you've probably guessed, the displayed VirusTotal ratio indicates how many antivirus engines at VirusTotal reported the submitted executable (or rather its hash) as malicious. Currently VirusTotal runs 67 antivirus engines, but that number goes up and down all the time. I’m not sure why some executables are inspected by all of the antivirus engines and not others, but regardless of the denominator (the number of engines that scanned the file), if the numerator (the number that flagged it) is greater than zero, you could have malware. Because the lookup is by hash, a file VirusTotal has never seen returns no ratio at all, and a zero only tells you that no engine flagged the file the last time it was scanned.

If it says 1/57 or 2/57, however, it probably isn’t malware but a false positive. On the other hand, I've seen at least one real malware program that was detected by only one of the engines, so double-check whether the name and the vendor who created the program look familiar. If not, it could be malicious. But in general, if the numerator is 1, I usually relax. If it’s 2, I investigate a little more. Even most of the 2s end up being false positives. The next screenshot shows two false positives, both related to the legitimate vendor Winzip Computing.


Example of VirusTotal False-Positives


If you are not sure, simply click on the reported ratio, and it will take you to the VirusTotal page showing which AV engines did and didn’t report it as malware. VirusTotal also displays two symbols at the top of the page, a red devil and a green smiley face wearing a halo. If the arrow points to the green smiley face, which it usually does in these cases, VirusTotal’s own experience leads it to classify the file as non-malicious. In the example screenshot below, even though the one “rogue” AV program (in this case, eGambit) claims 99 percent confidence that the file is malicious, none of the other 65 AV programs agree, and VirusTotal itself (as evidenced by the selected green smiley face) doesn’t agree either.

Example Screenshot of VirusTotal Detailed Results
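The rule of thumb above (read the numerator, distrust a lone hit, look closer at two, and check who the publisher is) is easy to script once you have the VirusTotal report for a hash. The following is an added example, not code from the article or from Sysinternals: it computes the SHA-256 that Process Explorer submits, optionally fetches the VirusTotal v3 file report for it, and then applies the article's thresholds to the report. The two sample reports are constructed, not real VirusTotal data; the assumption that the displayed denominator counts only engines that returned a verdict, the use of the v3 `signature_info` field for the Authenticode signer, and the "3 or more hits is likely malware" cut-off are the author of this example's assumptions, not the article's.

```python
"""Triage a VirusTotal file report the way the article reads Process Explorer's ratio.
Added example; not code from the article or from Sysinternals."""
import hashlib
import json
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

# Assumption: the displayed denominator is the number of engines that returned a
# verdict; engines that timed out, failed or could not scan the file type are excluded.
VERDICT_KEYS = ("malicious", "suspicious", "undetected", "harmless")


def file_sha256(path):
    """SHA-256 of a local file: the hash Process Explorer submits rather than the file itself."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def vt_lookup(sha256, api_key):
    """Fetch the v3 file report for a hash (needs network and an API key; not used offline)."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]["attributes"]


def ratio(attrs):
    """(numerator, denominator) as Process Explorer would display it, e.g. (1, 66)."""
    stats = attrs.get("last_analysis_stats", {})
    hits = stats.get("malicious", 0)
    total = sum(stats.get(k, 0) for k in VERDICT_KEYS)
    return hits, total


def flagged_engines(attrs):
    """(engine, label) for every engine that called the file malicious."""
    results = attrs.get("last_analysis_results", {})
    return sorted((name, r.get("result") or "") for name, r in results.items()
                  if r.get("category") == "malicious")


def publisher(attrs):
    """Signer name if VirusTotal recorded a verified Authenticode signature, else None.
    Assumption: the v3 'signature_info' object carries 'verified' and 'signers'."""
    sig = attrs.get("signature_info") or {}
    if sig.get("verified") == "Signed" and sig.get("signers"):
        return sig["signers"]
    return None


def triage(attrs):
    """Apply the article's rule of thumb: 0 hits clean, 1 hit probable false positive,
    2 hits investigate unless a verified signer makes it a probable false positive.
    3+ hits is our own cut-off (not the article's): treat as malware until proven otherwise."""
    hits, total = ratio(attrs)
    signer = publisher(attrs)
    if hits == 0:
        verdict = "clean"
    elif hits == 1 or (hits == 2 and signer):
        verdict = "probable-false-positive"
    elif hits == 2:
        verdict = "investigate"
    else:
        verdict = "likely-malware"
    return {"ratio": f"{hits}/{total}", "verdict": verdict,
            "signer": signer, "engines": flagged_engines(attrs)}


def _results(malicious, undetected, label="Trojan.Generic"):
    """Build a constructed last_analysis_results block for the samples below."""
    out = {f"Engine{i:02d}": {"category": "undetected", "result": None} for i in range(undetected)}
    for name in malicious:
        out[name] = {"category": "malicious", "result": label}
    return out


# Constructed sample reports (not real VirusTotal data), shaped like v3 file attributes.
# The first mimics the WinZip false positive in the article: one engine fires, the file is
# signed, and one engine timed out, so the denominator is 66 rather than 67.
SAMPLE_WINZIP = {
    "meaningful_name": "winzip64.exe",
    "last_analysis_stats": {"malicious": 1, "suspicious": 0, "undetected": 65, "harmless": 0,
                            "timeout": 1, "type-unsupported": 0, "failure": 0},
    "last_analysis_results": _results(["eGambit"], 65),
    "signature_info": {"verified": "Signed", "signers": "WinZip Computing"},
}

SAMPLE_MALWARE = {
    "meaningful_name": "invoice.exe",
    "last_analysis_stats": {"malicious": 41, "suspicious": 0, "undetected": 23, "harmless": 0,
                            "timeout": 0, "type-unsupported": 2, "failure": 0},
    "last_analysis_results": _results([f"AV{i:02d}" for i in range(41)], 23, "Trojan.Agent"),
}

if __name__ == "__main__":
    for sample in (SAMPLE_WINZIP, SAMPLE_MALWARE):
        print(sample["meaningful_name"], triage(sample))
```

To run it against a real process image, call `vt_lookup(file_sha256(path), api_key)` and pass the returned attributes to `triage`; for a hash VirusTotal has never seen the API returns HTTP 404, which is the "no ratio at all" case and should not be read as clean.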

So why would I recommend a program that often has false positives? First, the false positives come from the individual AV engines VirusTotal aggregates, not from Process Explorer. Usually they are cleared up within hours as the AV vendor does its research and clean-up. And if you can overlook the occasional false positive, which is easy to rule out, no single antivirus engine comes anywhere near VirusTotal’s accuracy. It may make minor mistakes by erring on the side of caution, but it more than makes up for that by detecting what many other AV products miss. It turns the power of 67 different AV engines against malware writers. Your antivirus product may miss something, but it is far less likely that all 67 of VirusTotal’s engines will.

