9

I was looking at a popular file sharing app called Zapya and really liked its functionality. I scanned the Windows executable ZapyaPC28Lite.exe on two online virus scanners:

https://virusscan.jotti.org/en-US/filescanjob/8e462hjw1m

https://www.virustotal.com/gui/file/6210d10145358e05ea5e2852277a393c51a8dde8308f003e101a6efe7df84479/detection

The majority of engines report it's clean, but some report Trojan. What makes this further confusing is that on VirusTotal McAfee reports it as bad, but on MetaDefender, McAfee reports it as okay: https://i.imgur.com/2DY7r1F.jpg

(https://metadefender.opswat.com/results#!/file/39b75b9272d9a98df2fd2068bc0812e1/hash/multiscan)

How should I interpret these results?

I'm not asking for an analysis of this particular file, but general guidelines around: Identifying false positives? Determining which engines to pay more attention to?

Thanks.

get_going
    You have to judge yourself if the benefits of running that program outweigh the risks of it being malware. –  May 06 '20 at 11:01
  • 1
    Note that we will not inspect/analyse this specific file for you, but we can provide guidance on how to interpret the findings in general. – schroeder May 06 '20 at 11:08
  • schroeder, I made the post clear to indicate that I'm not asking for an analysis for this file. Thanks. – get_going May 06 '20 at 12:19
  • MechMK1, that's why I made the post. If there are some good criteria that can be used vs. naive intuition? – get_going May 06 '20 at 12:21
  • *"Determining which engines to pay more attention to?"* It's not as simple as paying attention to the "good" engines. Imo, if you have doubts about it, then don't use it. From a quick glance at the virustotal report, the executable seems suspicious – Soutzikevich May 06 '20 at 12:48

3 Answers

20

You need to check the exact description of the malware that was detected, because antivirus software nowadays doesn't just detect "viruses", but may also warn you about other kinds of software, like adware and riskware. If you look closely at the descriptions in your scan, you will notice, for example:

  • Cylance: Unsafe. They don't tell you it's a virus, trojan, etc., they tell you "unsafe".
  • Fortinet: Riskware/Funshion. Again, it's labeled "riskware", not anything more specific.
  • Comodo: ApplicUnwnt@#t95vgdillac6. Again, the label seems to say "Application Unwanted", not more specific malware.
  • McAfee: Artemis. Artemis apparently is what McAfee calls "unknowns" that are detected by its heuristic engine. This is probably stuff detected by the engine, but that is not included in the malware database. Source: McAfee support community.
  • ESET-NOD32: A Variant Of Win32/FusionCore.AQ Potentially Unwanted. Note they say it's "potentially unwanted". Also, what's Win32/FusionCore? Google brings up several results from reputable sources that link that description to PUAs (Potentially Unwanted Applications), adware, or software with poor reputation.
  • Kaspersky and ZoneAlarm: Not-a-virus:HEUR:Downloader.Win32.Funshion.gen. Not-a-virus is what Kaspersky calls adware and riskware. They include P2P software in riskware. What is riskware? It's legitimate software that has potentially dangerous functionality, so you should be aware of it. P2P software is ok if you installed it, but not ok if a malicious agent installed it on your machine without your consent. So they decided to call it riskware. Source: Kaspersky, not a virus.

As you can see it's not enough to just rely on "detection". You also need to check who detected what, and look up some more details before you can decide if it's a real known threat, or if the scanners are just warning you. In this case, the most popular scanners seem to tell you it's not malware, but it's riskware, so you need to make sure you know what you are doing. Of course you also need to remember that malware scanners don't tell you for sure if a piece of software is malicious or not, but they just tell you if it is known to be malicious, or if it might be malicious because of its behavior and functionality. Does Zapya have a good reputation? Does it introduce huge security holes in your system? Can its developers be trusted? Malware scanners won't answer such questions.

reed
  • Excellent excellent description. You have a good way of explaining, really helped me understand the commonality between these detections (even though they appear different at surface). Also the difference between known vs unknown/heuristic - that was helpful. – get_going May 06 '20 at 15:09
  • Two follow-ups. 1. If something is detected heuristically, can I assume that after some time passes and it's really harmful, then it would be categorized as known malware? 2. You posed 3 questions, what would be a good way for me to try to figure out the answers. – get_going May 06 '20 at 15:13
  • 2
    @get_going, yes, unknown malware is usually analyzed by security researchers and then it's going to get a specific label and better signatures for detection. I suppose the major security firms have known about Zapya for some time, and they have decided to treat it as riskware. I guess it will never get labeled as malware, unless they discover that, for example, it has a backdoor or a keylogger embedded by default. Then they'd probably change the labels to something like Trojan/Backdoor, etc. – reed May 06 '20 at 21:18
  • 1
    @get_going, it is difficult to know if the devs can be trusted, if the company has a good reputation, if the code quality is good, etc. The answers to those questions are going to be subjective, unless you have a predefined method (like a security framework) for assessing that information. I personally prefer software that is pretty popular, well-established, and open-source. – reed May 06 '20 at 21:38
  • 1
    @get_going a good heuristic if you think about trusting software is to imagine the scenario in which the software did something bad. Is the publishing company of the software a real company, which could lose a lot of money, or which you could sue for publishing malware? If the company has an actual address, employees and an apparent valid business model with a lot of customers, it will be less likely to distribute malware. – Falco May 07 '20 at 07:54

6

Sometimes engines will flag programs as viruses if the program or some part of the program is used in the payload of an actual virus. For example, programs made by PyInstaller are plagued by false positives due to viruses using it, even though the programs themselves are clean.

In your case, we can even see what might have caused this. If you go to the Relations page on VirusTotal and scroll down to the Execution Parents section, you can see that it is run by the Sality virus.

This might be the reason that those engines are detecting your file. If it is the only reason, then your file is probably safe to run. Then again, it might not be. It's up to you to decide whether you want to take that risk.

Nonny Moose

4

Interpreting output like this when you are not a technical expert can be difficult, especially when you get 13/70 engines reporting malicious behavior.

With uncertainty like this you can look at a few factors:

  1. the quality of the companies running the engine
  2. the type of behavior
  3. the community votes
  4. the risk you feel comfortable with

In this case, you have more than a couple of high-quality companies detecting malicious behavior, and a community member giving it a very low vote.

That says that it is likely bad.

But then you need to determine if the benefit you get from running the program outweighs these potential risks.

I've seen files where a little, unknown engine finds malicious behavior, but the rest detect nothing. Some scanners are better than others, some detect different things better and use different techniques to detect, so it is possible that not all engines will detect the same things.

And yes, it is possible to have false positives.

schroeder
  • Thanks. What makes it a bit confusing, is that on virustotal McAfee reports it as bad, but on Metadefender McAfee reports it as okay. Any thoughts here? I'll add the new detail in post. – get_going May 06 '20 at 12:32
  • 1
    It can depend on how the engine is set up, how the file is submitted, etc. etc. – schroeder May 06 '20 at 14:38
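Putting reed's advice (read what each label actually says) and schroeder's (weigh who said it, and the community votes) into one script. This is an added example, not code from any of the answers and not a VirusTotal tool: it sorts each engine's result string into a riskware/PUA, heuristic or named-family bucket and then weights the hits by an assumed per-engine trust factor. The sample results dict is constructed from the labels quoted in reed's answer, shaped like a VirusTotal v3 `last_analysis_results` object, with a placeholder engine "ExampleAV" and label added to exercise the named-family branch; the regexes, severity numbers, trust weights and vote pair are all assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample input, shaped like the `last_analysis_results` object in a
# VirusTotal v3 file report (engine name -> {"category", "result"}). The labels
# are the ones quoted in reed's answer; "ExampleAV" and its
# "Trojan.Win32.Placeholder" label are placeholders added to exercise the
# "specific" branch, not detections of the file in the question.
SAMPLE_RESULTS = {
    "Cylance": {"category": "malicious", "result": "Unsafe"},
    "Fortinet": {"category": "malicious", "result": "Riskware/Funshion"},
    "Comodo": {"category": "malicious", "result": "ApplicUnwnt@#t95vgdillac6"},
    "McAfee": {"category": "malicious", "result": "Artemis"},
    "ESET-NOD32": {"category": "malicious",
                   "result": "A Variant Of Win32/FusionCore.AQ Potentially Unwanted"},
    "Kaspersky": {"category": "malicious",
                  "result": "Not-a-virus:HEUR:Downloader.Win32.Funshion.gen"},
    "ZoneAlarm": {"category": "malicious",
                  "result": "Not-a-virus:HEUR:Downloader.Win32.Funshion.gen"},
    "ExampleAV": {"category": "malicious", "result": "Trojan.Win32.Placeholder"},
    "Avast": {"category": "undetected", "result": None},
    "Microsoft": {"category": "undetected", "result": None},
}

# Label families, tested in this order: a riskware/PUA marker such as
# Kaspersky's "not-a-virus:" prefix overrides the "HEUR" token in the same string.
PUA_RE = re.compile(r"not-a-virus|riskware|potentially unwanted|applicunwnt|\bpu[ap]\b|adware", re.I)
HEURISTIC_RE = re.compile(r"artemis|\bheur\b|generic|suspicious|unsafe|\bml\b|\.gen\b", re.I)

# Severity per family (assumed numbers): a named family is the strongest
# signal, a bare heuristic hit is weaker, and riskware/PUA labels describe
# functionality rather than confirmed malice.
SEVERITY = {"specific": 1.0, "heuristic": 0.5, "pua": 0.25, "clean": 0.0}


def classify_label(result):
    """Map one engine's result string to a label family."""
    if not result:
        return "clean"
    if PUA_RE.search(result):
        return "pua"
    if HEURISTIC_RE.search(result):
        return "heuristic"
    return "specific"


def summarize(results, engine_weight=None, votes=(0, 0)):
    """Classify every engine's label, then weight the hits.

    engine_weight maps engine name -> trust weight (unlisted engines get 1.0);
    votes is a (harmless, malicious) community-vote pair. Returns the
    per-family counts, the engines behind each family, a weighted score in
    [0, 1] and a one-line verdict.
    """
    engine_weight = engine_weight or {}
    families = Counter()
    by_family = {}
    weighted = total_weight = 0.0
    for engine, entry in results.items():
        fam = classify_label(entry.get("result"))
        families[fam] += 1
        by_family.setdefault(fam, []).append(engine)
        w = engine_weight.get(engine, 1.0)
        total_weight += w
        weighted += w * SEVERITY[fam]
    score = weighted / total_weight if total_weight else 0.0

    # A named family only decides the verdict if trusted engines report it.
    named_hits = sum(engine_weight.get(e, 1.0) for e in by_family.get("specific", []))
    harmless, malicious = votes
    if named_hits >= 1.0:
        verdict = "named malware family reported by a trusted engine"
    elif families["heuristic"] or families["pua"]:
        verdict = "only riskware/PUA or heuristic labels: read them and judge the publisher"
    else:
        verdict = "no detections"
    if malicious > harmless:
        verdict += "; community votes lean malicious"
    return {"families": dict(families), "engines": by_family,
            "score": round(score, 3), "verdict": verdict}


if __name__ == "__main__":
    # Assumed trust weights for illustration: the placeholder engine is
    # down-weighted so its lone named-family hit does not decide the verdict.
    report = summarize(SAMPLE_RESULTS, {"ExampleAV": 0.2}, votes=(0, 1))
    for fam, engines in report["engines"].items():
        print(f"{fam:9s} {engines}")
    print(report["score"], report["verdict"])
```

With equal weights the single named-family hit drives the verdict; once that engine is down-weighted the same results collapse to "riskware/PUA or heuristic only", which is the situation reed describes: the scanners are warning about functionality, and the remaining questions (reputation, publisher, what the program does on your machine) are ones no scanner answers.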