Virustotal's Trusted Source project attempts to limit false positives
Whenever I discover a new program I scan it first on the Virustotal website before running it on a local test system.
This initial virus check helps me determine whether an application is (likely) legitimate or not. It happens that one or more of the antivirus engines the service uses to scan files return hits.
These hits are often false positives, especially if lesser known antivirus engines report them. There is still a level of uncertainty about those files.
False positives can have severe consequences. Think of a local antivirus solution that identifies core operating system files as a virus. It happened in the past that entire systems became unusable after false positives were detected by security software.
Virustotal, which is owned by Google, announced yesterday that it launched a Trusted Source project to reduce the number of false positive scans.
The general idea behind the project is to whitelist files maintained by major software companies such as Microsoft.
If one of the antivirus engines used during the scan reports a verified file as malicious, its parent company is informed about the fact in hopes that the issue is corrected shortly thereafter. In addition, trusted source files are specifically tagged when distributed to antivirus companies to avoid false positive detections as well.
Virustotal has modified the header on results pages to integrate trusted source information.
The main changes on the page are the new "trusted source" line that identifies the file as verified and the fact that the detection ratio shows 0 hits even though there may be some.
If you check this results page on Virustotal for instance and scroll down, you will see that the file has been reported as malicious by several antivirus engines. The detection ratio at the top on the other hand lists 0 hits.
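The mechanics described above (a catalog of vendor-verified file hashes, a detection ratio that shows 0 for a verified file even when individual engines flag it, and a list of the engines whose vendors need to be told about the false positive) are easy to lose sight of when reading a results page. The following is an added example, not VirusTotal's code or API: it models that policy in plain Python over a constructed catalog and constructed engine verdicts, and keeps the raw detection count visible alongside the displayed ratio so an analyst is not misled by the 0.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ScanReport:
    """One scan result: per-engine verdicts plus trusted-source status."""
    sha256: str
    verdicts: Dict[str, bool]            # engine name -> True if flagged as malicious
    trusted_source: Optional[str] = None # vendor name if the hash is in the catalog

    @property
    def raw_detections(self) -> int:
        # What the per-engine table further down the page still shows.
        return sum(1 for hit in self.verdicts.values() if hit)

    @property
    def displayed_detections(self) -> int:
        # Mirrors the header behaviour described in the post: a verified
        # file is shown with 0 hits even if some engines flag it.
        return 0 if self.trusted_source else self.raw_detections


def scan(data: bytes, verdicts: Dict[str, bool], catalog: Dict[str, str]) -> ScanReport:
    """Hash the file, look it up in the trusted-source catalog, attach verdicts."""
    digest = hashlib.sha256(data).hexdigest()
    return ScanReport(sha256=digest, verdicts=verdicts, trusted_source=catalog.get(digest))


def vendor_notifications(report: ScanReport) -> List[str]:
    """Engines that flagged a verified file. These are the vendors that would be
    informed so the false positive can be corrected. Unverified files yield none,
    since there is no ground truth to contradict the detection."""
    if not report.trusted_source:
        return []
    return sorted(name for name, hit in report.verdicts.items() if hit)


def analyst_summary(report: ScanReport) -> str:
    """Always surface the raw count next to the displayed ratio; the discrepancy
    is exactly what a reader who stops at the header would miss."""
    total = len(report.verdicts)
    status = f"trusted source: {report.trusted_source}" if report.trusted_source else "not in catalog"
    return (f"{report.sha256[:12]}... displayed {report.displayed_detections}/{total}, "
            f"raw {report.raw_detections}/{total} ({status})")


# Constructed sample data: neither the blobs nor the engine names are real.
VERIFIED_BLOB = b"constructed sample standing in for a vendor-verified binary"
UNKNOWN_BLOB = b"constructed sample standing in for an unknown download"
CATALOG = {hashlib.sha256(VERIFIED_BLOB).hexdigest(): "Example Vendor (constructed)"}
SAMPLE_VERDICTS = {"EngineA": True, "EngineB": False, "EngineC": True, "EngineD": False}

TRUSTED_REPORT = scan(VERIFIED_BLOB, SAMPLE_VERDICTS, CATALOG)
UNKNOWN_REPORT = scan(UNKNOWN_BLOB, SAMPLE_VERDICTS, CATALOG)

if __name__ == "__main__":
    for report in (TRUSTED_REPORT, UNKNOWN_REPORT):
        print(analyst_summary(report))
        print("  notify:", vendor_notifications(report) or "-")
```

The catalog is keyed on the file's SHA-256, so a single changed byte in an otherwise identical file misses the allowlist and is reported with its full raw ratio; that is the intended failure mode of a hash-based trusted-source list.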
Currently, only Microsoft files are listed as trusted sources. Virustotal plans to collaborate with other large software development companies to add their files to the trusted source catalog as well. The company did not define what it considers large, but it stated that it won't accept applications from vendors who produce adware or potentially unwanted software.
The trusted source project won't eliminate false positives completely, at least not in its initial state. It may however improve the reaction time of companies when their engines detect legitimate files as malicious.
It still comes down to individual vendors though. The user experience on the other hand is improved as trusted source file scans should no longer cause doubts about a file's legitimacy if false positives are detected.
This in fact could be a great opportunity for Nir Sofer to get all Nirsoft applications verified.
I’d also like it if all of Nir Sofer’s software gets verified. They’ve saved me a lot of hassle, quite a few times.
Heck, Windows OSes should have been implementing some of them by default, as far as I’m concerned.
“The main changes on the page are the new “trusted source” line that identifies the file as verified and the fact that the detection ratio shows 0 hits even though there may be some.”
Personally I think that this is a horrible new development.
And I have to confess that I was horrified to learn that VirusTotal is owned by Google. Shit. Alternatives?
I agree about it being a “horrible new development.” I was very confused the other day when I sent a file that showed 6 positives, but the ratio at the top of the page showed 0. If I hadn’t scrolled down, I wouldn’t have noticed the discrepancy. (I never worry about 2 or 3 warnings, but 6 is a lot.)
I was aware when Google took over and expected that they’d destroy it. I’m only surprised it took them so long.
Thanks for the links, Martin.
“TrustedSource” is a registered trademark of McAfee / Intel.
Wonder how they’ll feel about Google using it. It was owned by CipherTrust before McAfee purchased them.
Sounds like the old SignaCert product.
AVG gave me a false positive yesterday on mrt.exe (Microsoft Removal Tool). :(