
[NOT DEAL] virus scanning accuracy


Piotr


Using multi-engine online scanners, we are from time to time getting positive results with a malware warning.

It is always disturbing, as it is hard to arbitrarily ignore them on the assumption that if most of the scanners say it is OK, it is OK... But what if that one, or those few, are right...

Well, there is something that can say a lot about the accuracy of some of those engines...

Not a regular method which grants 100% verification that an engine is OK, as it has nothing to do with the malware scan itself, but it can point out for sure that an engine is total ...

I did a comparison: I scanned the downloaded zip file from cableguys, then unpacked it and scanned the pure exe setup file with the same engines...

Well, if an engine is not able to provide consistent results in such a test, it is worth nothing, of course... One can just pack a file infected with a new or rare threat, and voilà...

Here you are, if you are interested:

 

[Screenshots: scan results for the packed zip ("pack") and for the unpacked exe ("unpack")]

Edited by Piotr

5 hours ago, Matthew Sorrels said:

Those three engines, Bkav, Cynet and Cybereason are all junk.  Honestly most of the engines are junk, but those guys get it wrong a lot more than most.

Yep, there are also some engines that proudly claim to have AI support (of course, lol) which I have also caught in similar embarrassing actions...

But anyway, there is a general rule... Even a fool can be right from time to time. So even if they are trash, it doesn't mean they will always be losers...

It is good to be aware of these aspects of things... I am concerned about some of the automatic reactions... People are used to answers like 'it must be a false positive' without any procedure to actually verify it... It will sooner or later lead to disaster, as it has a few times in the past with very well-known brands...

 


31 minutes ago, Piotr said:

Even a fool can be right from time to time.

Hold on to the questionable files for a month or two, and then scan again - the fool will either have been shown to be right (the others will also indicate the same result), or will have changed its mind. It doesn't even look like those three engines in the screenshot agree it's the same malware.

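As an added example (not code from this thread, nor from any scanner vendor), here is a small Python script that mechanises the two checks discussed above: the packed-vs-unpacked comparison from the first post, and the suggestion to keep the questionable file and rescan it later to see whether the detecting engines were confirmed, retracted their verdict, or never agreed on what they saw in the first place. The engine names, the detection labels and the stand-in "setup.exe" bytes are all constructed placeholders; real multi-engine scanner APIs return their own JSON layout and would need mapping into the {engine: label-or-None} shape used here.

```python
"""Consistency checks over multi-engine scan verdicts (added example, not from
the thread). Reports are modelled as {engine_name: label_or_None}; real
multi-engine scanner APIs return their own JSON layout, so map it into this
shape first. Engine names and labels below are constructed placeholders."""
import hashlib
import io
import zipfile
from typing import Optional

Report = dict[str, Optional[str]]


def build_sample_archive() -> tuple[bytes, bytes]:
    """Construct a zip holding a stand-in 'setup.exe' (opaque bytes, not a real PE)."""
    payload = b"MZ" + b"\x00" * 62 + b"placeholder installer body, constructed for the example"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("setup.exe", payload)
    return buf.getvalue(), payload


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_members(archive: bytes) -> dict[str, str]:
    """Map each file inside the archive to its SHA-256, so the inner file can be
    submitted on its own and its verdicts compared with the archive's."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                members[info.filename] = sha256_hex(zf.read(info))
    return members


def inconsistent_engines(archive_report: Report, member_report: Report) -> dict:
    """Engines whose verdict flips between the archive and the file it contains.
    Either direction is suspect: detecting the zip but not the exe means the
    hit was not on the payload; detecting the exe but not the zip means the
    engine does not look inside archives at all."""
    flips = {}
    for engine in archive_report.keys() & member_report.keys():
        a, m = archive_report[engine], member_report[engine]
        if (a is None) != (m is None):
            flips[engine] = (a, m)
    return flips


def detection_agreement(report: Report) -> tuple[int, set[str]]:
    """How many engines detect, and how many distinct names they give it.
    Three engines naming three unrelated families is weaker evidence than
    three engines converging on one."""
    labels = [v for v in report.values() if v]
    return len(labels), set(labels)


def rescan_delta(before: Report, after: Report) -> dict[str, list[str]]:
    """Classify engines after rescanning the same hash weeks later:
    retracted = detected then, clean now; persisted = detected both times;
    new = clean then, detected now."""
    delta = {"retracted": [], "persisted": [], "new": []}
    for engine in sorted(before.keys() & after.keys()):
        was, now = bool(before[engine]), bool(after[engine])
        if was and not now:
            delta["retracted"].append(engine)
        elif was and now:
            delta["persisted"].append(engine)
        elif now:
            delta["new"].append(engine)
    return delta


# Constructed verdicts for one download: the zip, the exe inside it, and the
# exe again after a month. None = clean; a string = the engine's label.
PACKED: Report = {"EngineA": None, "EngineB": None, "EngineC": "Gen:Heur.Suspicious.1",
                  "EngineD": "Malicious", "EngineE": None}
UNPACKED: Report = {"EngineA": None, "EngineB": None, "EngineC": None,
                    "EngineD": "Malicious", "EngineE": "AI.Detect.Generic"}
LATER: Report = {"EngineA": None, "EngineB": None, "EngineC": None,
                 "EngineD": None, "EngineE": None}

if __name__ == "__main__":
    archive, exe = build_sample_archive()
    print("archive sha256:", sha256_hex(archive))
    print("members:", extract_members(archive))
    print("flips zip vs exe:", inconsistent_engines(PACKED, UNPACKED))
    print("agreement on zip:", detection_agreement(PACKED))
    print("after rescan:", rescan_delta(UNPACKED, LATER))
```

With the constructed data, EngineC detects the zip but not the exe inside it and EngineE does the opposite, so both land in the flip list; the two engines that do detect the zip give it unrelated names; and after the rescan every verdict has been retracted, which is the outcome the thread describes for a false positive. Keep the SHA-256 of both the archive and the member with the reports, so the later rescan is of exactly the same bytes.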

1 hour ago, antler said:

Hold on to the questionable files for a month or two, and then scan again - the fool will either have been shown to be right (the others will also indicate the same result), or will have changed its mind. It doesn't even look like those three engines in the screenshot agree it's the same malware.

Yup, this is a way I often use. Sometimes I just skip the install so as not to be concerned at all (in the case of free software). I have a zillion plugins, so the risk for the sake of satisfying GAS is not that big a dilemma.

 


The best method to find false negatives is to look at the type of purported infection.

For false negatives, you will find it is usually based on patterns from the 90s or early 2000s, and the chance of infection is extremely thin.

A lot of engines are repackaged garbage, or even malware, made to milk you dry.

The reputable ones let you upload the "infected" file for analysis, and give you an answer in a few hours.

Almost all active infections today will include rootkit infections; not all virus engines will find them, not even the good ones.

That's why I recommend running an online scan and an anti-rootkit regularly.
