Question About False Positives

Discussion in 'Application Software' started by HelpMe, Jun 13, 2010.

  1. HelpMe

    HelpMe MDL Junior Member

    Jul 30, 2009
    91
    7
    0
    Hi all, I got a question regarding false positives. How does one actually test and find out whether a certain file is actually safe or has malicious intent? Like I know if you download a file and scan it or say run it through VirusTotal and say it comes out 10/40 etc. and then a few people around will say it is a false positive and the file is clean, but how is it actually tested to prove it is really clean? Or what steps can be taken to prove that the file is actually harmless?
     
  2. Smorgan

    Smorgan Glitcher

    Mar 25, 2010
    1,855
    1,051
    60
    It's very hard to tell these days; most of the time you're probably going to have to ask the developer or a person that has used the said file before...
    Another way is to play with the said file in Sandboxie (x86 or x64)....
    Good question though, +1
     
  3. HelpMe

    HelpMe MDL Junior Member

    Jul 30, 2009
    91
    7
    0
    Yes, I always run the files in a sandbox first and see what it does, but since I don't really know what to look for it is hard to know whether it is actually doing anything harmful or not; also, some files are not possible to get working in a sandbox. Most of the time when I do run any file in the sandbox I will deny it internet access and check the processes being active, but it would be interesting to know what to look for, so it would be great if any experts or someone with more knowledge in this field could try to explain some of their methods on how to determine whether a file is safe or not.
     
  4. Stannieman

    Stannieman MDL Guru

    Sep 4, 2009
    2,232
    1,818
    90
    I'm almost sure there exist programs that keep track of everything an exe does. So you select an exe and run it, and then it logs everything the process of that exe does, like writing to files, registry, every change it makes to other things than itself. Or I think you can also disassemble the file with programs like IDA disassembler.
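The kind of activity log described in the post above (file writes, registry changes, network activity by a single process) is only useful if you know which entries matter. The following is an added example, not code from any poster; it reads a constructed log in the column layout of a Process Monitor CSV export (the process name `sample.exe`, the install directory `C:\Tools\sample`, and every event in it are made up) and summarises the three things a reviewer usually checks first: writes outside the program's own folder, writes to auto-start registry locations, and outbound connections.

```python
import csv
import io

# Constructed sample in the column layout of a Process Monitor CSV export
# (not a real capture). sample.exe is the file under test; explorer.exe is noise.
SAMPLE_LOG = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.100,sample.exe,4120,CreateFile,C:\\Tools\\sample\\config.ini,SUCCESS,Desired Access: Generic Write
10:01:02.110,sample.exe,4120,WriteFile,C:\\Tools\\sample\\config.ini,SUCCESS,Length: 512
10:01:02.200,sample.exe,4120,RegQueryValue,HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName,SUCCESS,Type: REG_SZ
10:01:02.300,sample.exe,4120,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater,SUCCESS,Type: REG_SZ
10:01:02.400,sample.exe,4120,CreateFile,C:\\Users\\alice\\AppData\\Roaming\\updater.exe,SUCCESS,Desired Access: Generic Write
10:01:02.500,sample.exe,4120,TCP Connect,host-a:49152 -> 203.0.113.10:443,SUCCESS,Length: 0
10:01:02.600,explorer.exe,1234,RegQueryValue,HKCU\\Software\\Classes,SUCCESS,Type: REG_SZ
"""

# Registry locations commonly used for auto-start; a write here deserves a second look.
PERSISTENCE_MARKERS = (
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
    "\\currentcontrolset\\services\\",
)

NETWORK_OPS = {"TCP Connect", "UDP Send"}


def _is_file_write(operation, detail):
    """WriteFile, or a CreateFile that asked for write access."""
    return operation == "WriteFile" or (operation == "CreateFile" and "Generic Write" in detail)


def _under(path, directory):
    """Case-insensitive 'path lives inside directory' check for Windows paths."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def triage(log_text, process_name, install_dir):
    """Summarise what one process did, from Procmon-style CSV text.

    Returns a dict with the events counted for that process, the paths it wrote
    outside install_dir, the auto-start registry values it set, the network
    connections it made, and a needs_review flag that is True if any list is non-empty.
    """
    summary = {
        "events_for_process": 0,
        "files_written_outside_install": [],
        "persistence_registry_writes": [],
        "network_connections": [],
    }
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # other processes' activity is not evidence about this file
        summary["events_for_process"] += 1
        operation, path, detail = row["Operation"], row["Path"], row["Detail"]
        if _is_file_write(operation, detail) and not _under(path, install_dir):
            if path not in summary["files_written_outside_install"]:
                summary["files_written_outside_install"].append(path)
        elif operation == "RegSetValue" and any(m in path.lower() for m in PERSISTENCE_MARKERS):
            summary["persistence_registry_writes"].append(path)
        elif operation in NETWORK_OPS:
            summary["network_connections"].append(path)
    summary["needs_review"] = any(
        summary[key]
        for key in ("files_written_outside_install", "persistence_registry_writes", "network_connections")
    )
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "sample.exe", "C:\\Tools\\sample").items():
        print(f"{key}: {value}")
```

A program that only touches its own folder and reads the registry will come out with three empty lists; the constructed sample instead drops a second executable into the user's profile, registers it under a Run key and opens a connection, which is exactly the pattern that turns "10/40 on VirusTotal" from a probable false positive into something that needs a closer look. The markers and operations are a starting list, not a complete one.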
     
  5. applegate

    applegate MDL Member

    Aug 1, 2009
    226
    51
    10
    #5 applegate, Jun 13, 2010
    Last edited: Jun 13, 2010
    I only use the links or files provided through MDL or do CRC checks provided by the original software builder like M$.

    Of course no guarantee on loaders etc.., but MDL is very much, I think, a self-controlling community and the source of many good things.

    Any MDL member trying to do wrong will hopefully get his ass kicked.

    Otherwise make sure you have legitimate software.
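Checking a download against the checksums the original builder publishes, as the post above suggests, is mechanical but worth doing properly. The following is an added example, not code from any poster; it parses a constructed checksum listing in the common `<hex>  <filename>` layout (the file `tool.exe`, its bytes and the listed values are made up, though the digests really are those of the sample bytes), works out the algorithm from the digest length, and reports a match as "strong" only when a tamper-resistant hash agreed, since a CRC32 or MD5 match only rules out accidental corruption.

```python
import hashlib
import zlib

# Constructed stand-in for the downloaded file's bytes; in practice read the file from disk.
SAMPLE_FILE = b"hello world"

# Constructed listing in the "<hex>  <filename>" layout a publisher typically ships
# (the sha256 and crc32 lines below are the real digests of SAMPLE_FILE).
PUBLISHED_CHECKSUMS = """\
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  tool.exe
0d4a1185  tool.exe
"""

# Hex length tells us which algorithm produced a listed value.
ALGO_BY_LENGTH = {8: "crc32", 32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Only these resist deliberate tampering; crc32 and md5 just catch accidental corruption.
STRONG_ALGOS = {"sha256", "sha384", "sha512"}


def digest(data, algo):
    """Lowercase hex digest of data under 'crc32' or any hashlib algorithm name."""
    if algo == "crc32":
        return format(zlib.crc32(data) & 0xFFFFFFFF, "08x")
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def parse_checksum_lines(text):
    """Map filename -> list of (algo, hex) from a checksum listing; skips blank/comment lines."""
    listing = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value, name = line.split(None, 1)
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        algo = ALGO_BY_LENGTH.get(len(value))
        if algo is None:
            continue  # unknown digest length; ignore rather than guess
        listing.setdefault(name, []).append((algo, value.lower()))
    return listing


def verify(data, filename, listing):
    """Compare data against every published value for filename.

    Returns {'matches': {algo: bool}, 'strong': bool}; 'strong' is True only when
    a tamper-resistant hash matched, so a crc32-only match is reported as weak.
    """
    matches = {}
    for algo, expected in listing.get(filename, []):
        matches[algo] = digest(data, algo) == expected
    strong = any(ok for algo, ok in matches.items() if algo in STRONG_ALGOS)
    return {"matches": matches, "strong": strong}


if __name__ == "__main__":
    result = verify(SAMPLE_FILE, "tool.exe", parse_checksum_lines(PUBLISHED_CHECKSUMS))
    print(result)
```

The check only says that the bytes you have are the bytes the publisher listed; it says nothing about whether the publisher's own build is clean, and it is only as trustworthy as the channel the checksum list came over (a hash served from the same compromised mirror as the file proves nothing). A signed release or a hash published on a separate, authenticated page is the version of this check worth relying on.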
     
  6. HelpMe

    HelpMe MDL Junior Member

    Jul 30, 2009
    91
    7
    0
    Ok, I would just like to clear up a few things. First off, I think this is a great community full of dedicated and smart people working together to try and make life more simple and enjoyable, and there is no doubt in my mind that they have no intentions of creating or unleashing anything harmful.

    However, this post is more about being educational and trying to understand and learn about the methods or ways of being able to detect whether a file is harmless or not. Which, I think, in the long run if more people were easily able to understand and detect whether a file was clean or not, it could be more beneficial to the population as a whole. Also there will be times when a file is not available at MDL and only offered elsewhere, and having this knowledge of being able to determine whether a file was safe or not would come in handy.
     
  7. Stannieman

    Stannieman MDL Guru

    Sep 4, 2009
    2,232
    1,818
    90
  8. NoJuan999

    NoJuan999 Experienced SLIC Tool Operator

    Jul 31, 2009
    9,918
    1,935
    300
  9. inkmon

    inkmon MDL Novice

    Jul 16, 2010
    12
    0
    0
    I create programs in both AutoHotkey and Rapidq. From time to time someone complains that their antivirus system complains that they are viruses. I use the IPX compiler, an open-source one, and Rapidq's own compiler. If in doubt, offer to send a copy of the file to the antivirus company. I am waiting for one of them like Norton, Avanti or AVG to complain about a Microsoft product. Imagine an antivirus product claiming that Win 7 is a virus. Oh happy days should that happen. Justice will be served.
    99% of the producers of software are very careful not to have their ware corrupted. I use AVG as I believe they get their sums right. I recommend them as security and the one I use.