Hello everybody.
I purchased an antivirus program from the official Norton website for my Mac. I uploaded the downloaded installation file (install_n360.dmg) to online VirusTotal to check for viruses. 1 of 62 scanners said that it contained a Trojan called wacatac. How can that be?
Best regards
Hello @mikex
What is install_n360.dmg file checksum?
Care to share VirusTotal page link.
[you may need to space page address to break link]
-------------------------------------------------------------
----------------------------------------------------------
AI Overview
VirusTotal engines are often more aggressive or sensitive than their desktop counterparts for several reasons. This can result in a legitimate file receiving multiple flags on VirusTotal, which can be misleading if the user is not aware of the context.
Reasons for higher detection rates on VirusTotal
Different configurations: Antivirus vendors often configure their command-line engines specifically for VirusTotal with more aggressive settings. This can include stronger heuristics, beta signatures, and cloud-based analysis interactions that are not enabled by default in consumer desktop versions.
Perimeter vs. desktop solutions: Some vendors contribute “perimeter-oriented” solutions to VirusTotal. These engines are designed for network-level scanning and are intentionally more paranoid because a false positive is less disruptive at the network edge than on an individual user’s machine. This contrasts with “desktop-oriented” solutions, which are configured to be less aggressive to avoid constant false positives that would annoy users.
Emphasis on maximum detection: A primary goal of VirusTotal is to help antivirus labs by forwarding malware they fail to detect. To serve this purpose, the engines are optimized to catch suspicious files, even if it means a higher chance of false positives.
Training and improvement: Vendors may use more aggressive heuristics on VirusTotal to train and improve their detection components over time. Exposing these engines to a broader range of both clean and malicious files helps refine their detection models.
AI and heuristic detections: Aggressive detection often relies on heuristics, which look for suspicious behaviors and code patterns rather than known signatures. These detections may use generic terms like “Trojan.Agent” or “Gen,” and can frequently be false positives, especially for new or unsigned files.
How to interpret VirusTotal results
The higher aggressiveness of VirusTotal engines means that users should not treat a handful of positive results as a definitive verdict. Instead, a more contextual approach is necessary.
Focus on reputable vendors: Give more weight to detection results from a consensus of well-known and respected security vendors. If only one or two obscure engines flag a file, it’s more likely to be a false positive.
Look for behavioral analysis: Beyond the simple engine verdicts, check the Behavior tab in the VirusTotal report. This shows how the file executes in a sandboxed environment and can reveal specific malicious actions, providing more concrete evidence than heuristic flags.
Consider community context: VirusTotal’s community section can provide helpful context from other users and analysts. Users can add comments and discuss specific files.
Understand false positives: A file flagged by generic or heuristic terms (e.g., “AI,” “GENERIC”) is more likely to be a false positive. Legitimate software, especially if it is new or unsigned, can sometimes get flagged by overly aggressive heuristics.
Do not rely on VirusTotal alone: VirusTotal should be one part of a broader security analysis. Because it relies primarily on static analysis (examining the file’s code) and vendors may not provide their full desktop engine capabilities, it’s not a foolproof guarantee of safety.
---------------------------------------------------
A 1/62 detection on VirusTotal does not automatically mean it’s a false positive, but it suggests a high probability of a false positive, as the file was only flagged by one out of sixty-two antivirus engines. You should consider the type of detection, the reputation of the flagging vendor, and whether the file’s expected behavior aligns with the detection’s category to determine if it is a false positive.
Factors to consider to assess a potential false positive:
Detection Quantity vs. Quality:
A low number of detections is a strong indicator of a false positive, especially if many of the scanning engines are known for being overly aggressive with heuristic or behavioral detection methods.
Vendor Reputation:
Investigate the vendor that flagged the file. A detection from a less-known or more aggressive vendor might be more likely to be a false positive.
Detection Type:
Generic “heuristic,” “AI,” or “unclassified” detections are often false positives. A specific “Trojan” or “Worm” detection from a reputable source is more serious.
File’s Purpose and Behavior:
Consider if the file’s expected function aligns with the flagged malware type. For example, if the file is an installer, it might exhibit behaviors that some engines incorrectly flag as malicious.
Source and Context:
If you obtained the file from a reputable source, the detection is more likely a false positive. If you downloaded it from an unknown or untrustworthy website, proceed with caution.
What to do if you suspect a false positive:
Report it:
Submit the file to VirusTotal and notify the company producing the erroneous detection directly.
Whitelist (with caution):
If you are 100% sure the file is safe, you can whitelist it in your antivirus software.
Check with the Vendor:
Contact the antivirus vendor that flagged the file to confirm the detection.
Research further:
Search online for other users’ experiences with the same file or software.
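The checks the replies above suggest (confirm the uploaded file is really the one in the report by comparing checksums, then weigh how many engines fired and whether the verdict names look heuristic) can be scripted. This is an added example, not code from the thread or from VirusTotal; the engine names and result dictionary are constructed to mirror the shape of a VirusTotal report, and the single "Wacatac" hit is a made-up label standing in for the 1/62 verdict discussed here.

```python
import hashlib
import re

# Constructed sample shaped like the per-engine results object in a
# VirusTotal report. Engine names are placeholders, not real vendors; the
# one hit is a made-up label mirroring the thread's 1/62 "Wacatac" verdict.
SAMPLE_RESULTS = {
    "Engine01": {"category": "undetected", "result": None},
    "Engine02": {"category": "undetected", "result": None},
    "Engine03": {"category": "undetected", "result": None},
    "Engine04": {"category": "type-unsupported", "result": None},
    "Engine05": {"category": "malicious", "result": "Trojan:Script/Wacatac.B!ml"},
}

# Tokens that mark heuristic / machine-learning / generic family names.
GENERIC_TOKENS = {"gen", "generic", "heur", "heuristic", "ai", "ml", "agent", "suspicious"}

VT_FILE_URL = re.compile(r"/gui/file/([0-9a-f]{64})", re.IGNORECASE)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a local download so it can be compared with the VirusTotal file id."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_from_vt_url(url):
    """Return the SHA-256 embedded in a .../gui/file/<sha256>/... link, or None."""
    m = VT_FILE_URL.search(url)
    return m.group(1).lower() if m else None


def is_generic_verdict(name):
    """True when the engine label carries a heuristic/ML/generic marker token."""
    tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
    return bool(tokens & GENERIC_TOKENS)


def triage(results):
    """Summarise a report: engines that scanned, hits, and how heuristic the hits look."""
    scored = [v for v in results.values() if v["category"] != "type-unsupported"]
    hits = {k: v["result"] for k, v in results.items() if v["category"] in ("malicious", "suspicious")}
    generic = sum(1 for r in hits.values() if r and is_generic_verdict(r))
    if not hits:
        verdict = "clean"
    elif len(hits) <= 2 and generic == len(hits):
        verdict = "likely-false-positive"  # few hits, all heuristic: re-check after 24h
    else:
        verdict = "needs-review"
    return {"engines": len(scored), "detections": len(hits), "generic": generic, "verdict": verdict}
```

Run `sha256_file("install_n360.dmg")` against `hash_from_vt_url(link)` before trusting any report: a mismatch means the report describes a different file than the one on disk.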
Hi, here is the link
ht tps://www.viru sto tal .co m/gui/fil e/e1025bae652537 527534b42b36d34e9484fb97c0173e0f3b5e8bc27b8b0a1162/detection
Please remove the spaces to get the link; it was not possible to send it normally.
Please take also a look at the screenshot I uploaded.
Thanks
https://www.virustotal.com/gui/file/e1025bae652537527534b42b36d34e9484fb97c0173e0f3b5e8bc27b8b0a1162/detection
OK, thanks. How is that possible? Microsoft is not named as an engine anymore, and we now have 61 engines instead of 62 before?
Is it safe to install that file?
I’ll say…it’s possible due to…very new sample.
VirusTotal engines are often more aggressive or sensitive […] here
what was download source?
Hello @mikex
Did your current device security detect download or static scan against sample detect malware?
As you’re concerned…wait 24 hours and re-check VirusTotal.
I’ll say…safe to install.
VirusTotal engines are often more aggressive or sensitive […] here
No, my current device didn’t have a security check, virus check or download check. I tried it on my own. Every time I install something on my device, I check it first on VirusTotal. Thanks for your help.
me too…as a second opinion