11/11/2023

Sysinternals Process Explorer

Hardly a week goes by when I'm not cleaning up someone's computer and detecting and eradicating malware. It's not uncommon for me to find dozens of infections, each doing its best to pester the user into installing multiple bogus antivirus programs or, worse, getting ready to lock up data in a ransomware attack.

All these users justifiably complain that their antivirus (AV) program is inaccurate and misses obvious malware that pops up in front of their eyes. It's especially annoying when this software clobbers performance in exchange for "protecting" the user.

(Note that while "antivirus" isn't exactly a misnomer, it's also not the most precise term for this type of software, since computer viruses make up a very small percentage of detections these days. "Antimalware" is more accurate and is my preferred term, but since the world knows it as "antivirus", that's the term I'll be using here.)

1. Make sure your computer has an active connection to the internet.
2. Download Process Explorer and Autoruns. Both are free, as is everything on the site. If using Process Explorer, use procexp.exe. If using Autoruns, use autoruns.exe (autorunsc.exe is the command-line version).
3. Right-click and run the program executable as Administrator, so it's running in the Administrator's security context.
4. Run Process Explorer first (I'll explain Autoruns later).
5. Select the Options menu at the top of the screen and turn on the VirusTotal check. This will submit all running executables to the VirusTotal website, which is run and maintained by Google.
6. You'll get a message to accept the license; answer Yes.
7. You can close the VirusTotal website that comes up and go back to Process Explorer.
8. In Process Explorer, you'll see a column labeled VirusTotal. It will either say Hash Submitted (during the first few seconds) or give you a ratio, something like 0/67, 1/67, 14/66, and so on.

[Screenshot: Example of Process Explorer and VirusTotal Ratios]

As you've probably guessed, the displayed VirusTotal ratio indicates how many antivirus engines at VirusTotal reported the submitted executable (hash) as malicious. Currently, the list of antivirus engines is 67, but it goes up and down all the time. I'm not sure why some executables are inspected by all of the antivirus engines and not others, but regardless of the denominator (the lower number), if the numerator (the number above the line) is greater than zero you could have malware. If it says 1/57 or 2/57, however, it probably isn't malware, but a false positive instead. On the other hand, I've seen at least one real malware program that was detected by only one of the engines, so double-check to see if the name and vendor who created the program look familiar. But in general, if the numerator is 1, I usually relax. If it's 2, I investigate a little bit more. But even most of the 2s end up being false positives. The next screenshot shows examples of two false positives, both related to the legitimate vendor, WinZip Computing.

If you are not sure, simply click on the reported ratio, and it will take you to the VirusTotal page showing which AV engines did and didn't report it as malware. VirusTotal also displays two symbols at the top of the page, one a red devil and the other a green smiley face wearing a halo. If the arrow is pointing to the green smiley face, which it usually is in these instances, that means VirusTotal's experience leads them to classify the file as non-malicious. In the example screenshot below, even though the one "rogue" AV program (in this case, eGambit) itself claims to have 99 percent confidence that the file is malicious, none of the other 65 AV programs agree, and VirusTotal itself (as evidenced by the selected green smiley face) doesn't agree.

[Screenshot: Example Screenshot of VirusTotal Detailed Results. Credit: Roger Grimes/IDG]
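The rule of thumb above (0 hits is clean, 1 hit is usually a false positive unless the name and vendor are unfamiliar, 2 hits deserves a closer look, anything higher is treated as a real detection, and Hash Submitted means no result yet) is easy to apply by eye to a handful of processes but tedious across a whole machine. The script below is an added example, not code from the article or from Sysinternals: it parses a tab-separated listing with Process, Company Name and VirusTotal columns (an assumed layout standing in for a saved Process Explorer view) and assigns each row one of the triage actions the text describes. The rows in SAMPLE_LISTING and the KNOWN_VENDORS set are constructed for the example.

```python
"""Triage helper for Process Explorer's VirusTotal ratio column.

Added example (not from the article or from Sysinternals). Encodes the
article's reading of the "hits/engines" ratio. The tab-separated layout
with Process, Company Name and VirusTotal columns is an assumption, and
the sample rows and vendor list below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "1/67", " 0 / 57 " etc. Anything else (Hash Submitted, n/a, blank) is "no result".
RATIO_RE = re.compile(r"^\s*(\d+)\s*/\s*(\d+)\s*$")

# Vendors the analyst recognises. The article's advice for a 1/n hit is to
# check that the program name and vendor look familiar; this list is constructed.
KNOWN_VENDORS = {
    "microsoft corporation",
    "winzip computing",
    "sysinternals - www.sysinternals.com",
}


@dataclass
class Verdict:
    process: str
    company: str
    hits: Optional[int]      # engines that flagged the hash; None when no ratio yet
    engines: Optional[int]   # engines that scanned the hash
    action: str              # pending | clean | relax | investigate | escalate


def parse_ratio(text: str) -> Optional[Tuple[int, int]]:
    """Return (hits, engines) for an 'n/m' cell, or None when there is no usable result."""
    m = RATIO_RE.match(text or "")
    if not m:
        return None
    hits, engines = int(m.group(1)), int(m.group(2))
    if engines == 0 or hits > engines:
        return None  # malformed cell; treat like "no result" rather than guessing
    return hits, engines


def triage(process: str, company: str, ratio_text: str) -> Verdict:
    """Apply the article's rule of thumb to one process row."""
    parsed = parse_ratio(ratio_text)
    if parsed is None:
        return Verdict(process, company, None, None, "pending")
    hits, engines = parsed
    known_vendor = company.strip().lower() in KNOWN_VENDORS
    if hits == 0:
        action = "clean"
    elif hits == 1:
        # A lone engine is usually a false positive, but the article has seen
        # real malware at 1/n, so only relax when the vendor is one you know.
        action = "relax" if known_vendor else "investigate"
    elif hits == 2:
        action = "investigate"  # most 2s are false positives, but look a little closer
    else:
        action = "escalate"     # several independent engines agree
    return Verdict(process, company, hits, engines, action)


# Constructed sample listing. "svch0st.exe" is a made-up lookalike name with no vendor.
SAMPLE_LISTING = """Process\tCompany Name\tVirusTotal
explorer.exe\tMicrosoft Corporation\t0/67
WZQKPICK.EXE\tWinZip Computing\t1/57
updater.exe\t\t2/66
svch0st.exe\t\t14/66
newproc.exe\tMicrosoft Corporation\tHash Submitted
"""


def triage_listing(text: str) -> List[Verdict]:
    """Parse a header-first, tab-separated listing and triage every row."""
    rows = [line.split("\t") for line in text.splitlines() if line.strip()]
    header, body = rows[0], rows[1:]
    col = {name: i for i, name in enumerate(header)}
    verdicts = []
    for row in body:
        row = row + [""] * (len(header) - len(row))  # pad short rows (missing vendor)
        verdicts.append(triage(row[col["Process"]], row[col["Company Name"]], row[col["VirusTotal"]]))
    return verdicts


if __name__ == "__main__":
    for v in triage_listing(SAMPLE_LISTING):
        ratio = "pending" if v.hits is None else f"{v.hits}/{v.engines}"
        print(f"{v.process:<14} {ratio:<8} {v.action}")
```

The denominator is deliberately ignored when choosing an action, matching the article's point that what matters is whether the numerator is above zero and how far; it is kept in the Verdict only so the analyst can see how many engines actually scanned the hash. Rows that are still pending are surfaced rather than dropped, so a second pass a few seconds later picks them up.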