Should you trust VirusTotal results?

26 / 07 / 2016

Why you should think twice when using VirusTotal to scan your applications

Imagine that you download a program from the official company website, try to open it, and suddenly see a warning that the file is potentially dangerous or unwanted. Oftentimes security software vendors do not explain to their customers what they consider “potentially unwanted”, creating further confusion.

No anti-malware engine is perfect. With more than 390,000 new malicious programs emerging each day, it would be impossible for any single product to guarantee a correct result 100% of the time. Even online scanning services, which are meant to give unbiased results, sometimes display mistaken detections, known as false positives.

Antivirus programs look at many different aspects of a file, including how it was installed on the system, publisher information, when it arrived, etc. Because of these factors, some users see detections even on clean files.

Unfortunately, Kromtech has also experienced situations in which some antivirus products falsely marked MacKeeper as a virus or a potentially unwanted application (PUA).

Why does it happen?

We conducted an experiment by scanning the MacKeeper .pkg file with 5 different services: VirusTotal, Metadefender, R.virscan, Virusscan.jotti and Nodistribute. You may be surprised by the results:

The MacKeeper file was scanned by the 35 antivirus engines aggregated by Nodistribute and produced no detections. According to Metadefender by OPSWAT, only 2 scan engines detected it as a threat. VirusTotal showed that 5 out of 54 antivirus engines flagged the program.

All platforms produced different scanning results, which means there is no guarantee that any single detection is correct. The engines integrated into scanning services are not exactly the same versions you would run on a desktop or on a network perimeter: they may take different information into account when deciding whether something is malicious, and they may be configured differently from the “defaults” a vendor ships for a given engine.

One thing, however, is certain: if most antivirus engines do not flag the file as malicious, it is clean. If a few engines still mark it as a virus, there is a high probability that the detection is a false positive.
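To make the comparison above repeatable, here is an added example (not code from the original post or from Kromtech) that takes one file's verdicts from several multi-engine services, reports each service's detection ratio, lists engines that flag the file on one service but call it clean on another, and applies the heuristic just described. The verdicts and engine names are constructed to match the counts reported above, and the 20% false-positive threshold is an assumption, not a figure from the article.

```python
"""Compare one file's verdicts across several multi-engine scanning services."""
from collections import defaultdict

# Constructed sample data (not real scanner output): service -> {engine: verdict},
# where None means the engine reported the file clean. Counts mirror the article:
# 0 of 35 on Nodistribute, 2 detections on Metadefender, 5 of 54 on VirusTotal.
SAMPLE_RESULTS = {
    "Nodistribute": {f"engine{i:02d}": None for i in range(35)},
    "Metadefender": {**{f"engine{i:02d}": None for i in range(40)},
                     "engine03": "PUA.Generic", "engine07": "Riskware"},
    "VirusTotal": {**{f"engine{i:02d}": None for i in range(54)},
                   "engine03": "PUA.Generic", "engine07": "Riskware",
                   "engine11": "Heuristic.Suspicious", "engine20": "PUP",
                   "engine41": "Trojan.Generic"},
}


def detection_ratio(results):
    """Return (flagged, total) for one service's result set."""
    flagged = sum(1 for verdict in results.values() if verdict is not None)
    return flagged, len(results)


def engines_disagreeing(all_results):
    """Engines that flag the file on one service but report it clean on another.

    Such splits point at differing engine versions or configurations between
    services rather than at a property of the file itself.
    """
    seen = defaultdict(set)
    for results in all_results.values():
        for engine, verdict in results.items():
            seen[engine].add(verdict is not None)
    return sorted(engine for engine, flags in seen.items() if len(flags) > 1)


def consensus(all_results, fp_threshold=0.2):
    """Classify using the most pessimistic service's ratio (threshold is assumed)."""
    ratios = [f / n for f, n in (detection_ratio(r) for r in all_results.values())]
    worst = max(ratios)
    if worst == 0:
        return "undetected"
    if worst < fp_threshold:
        return "likely false positive"
    return "likely malicious" if worst >= 0.5 else "inconclusive"


if __name__ == "__main__":
    for service, results in SAMPLE_RESULTS.items():
        print(service, "%d/%d" % detection_ratio(results))
    print("disagreeing engines:", engines_disagreeing(SAMPLE_RESULTS))
    print("verdict:", consensus(SAMPLE_RESULTS))
```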

What can you do in such case?

Submit the False Positive Report to the Security Software Vendor

As software developers, we strongly advise you to submit a “false positive” report to the vendor. At large security software vendors it may take many submissions before a false positive is noticed and time and resources are assigned to investigate it.

  • Go to the official website of your Security Software
  • Find the page where you can report a False Positive Detection
  • Otherwise contact the support department to find the submission form

Mark the file as 'do not scan'

If you have made sure that the program is clean but the vendor keeps detecting it as malicious, mark the file as 'do not scan' in your security software.