Virustotal's Trusted Source project attempts to limit false positives

Martin Brinkmann
Feb 11, 2015

Whenever I discover a new program I scan it first on the Virustotal website before running it on a local test system.

This initial virus check helps me determine whether an application is (likely) legitimate or not. Sometimes one or more of the antivirus engines that the service uses to scan files return hits.

These hits are often false positives, especially if lesser-known antivirus engines report them. There is still a level of uncertainty about those files.

False positives can have severe consequences. Think of a local antivirus solution that identifies core operating system files as a virus. In the past, entire systems have become unusable after security software detected false positives.

Virustotal, which is owned by Google, announced yesterday that it launched a Trusted Source project to reduce the number of false positive scans.

The general idea behind the project is to whitelist files maintained by major software companies such as Microsoft.

If one of the antivirus engines used during the scan reports a verified file as malicious, the company behind that engine is informed in the hope that the issue is corrected shortly thereafter. In addition, trusted source files are specifically tagged when they are distributed to antivirus companies, again to avoid false positive detections.

Virustotal has modified the header on results pages to integrate trusted source information.

The main changes on the page are the new "trusted source" line that identifies the file as verified and the fact that the detection ratio shows 0 hits even though there may be some.

If you check this results page on Virustotal for instance and scroll down, you will see that the file has been reported as malicious by several antivirus engines. The detection ratio at the top on the other hand lists 0 hits.
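Anyone who reads only the summary line would miss those per-engine verdicts. The sketch below is an added example, not code from this article or from Virustotal; the report structure and its field names are assumptions constructed for illustration. It recounts the per-engine rows and flags any disagreement with the header.

```python
"""Recount per-engine verdicts instead of trusting a summary ratio."""

# Constructed samples: the field names below are assumptions made for this
# example, not Virustotal's report schema.
TRUSTED_REPORT = {
    "header": {"detections": 0, "engines": 5, "trusted_source": "Microsoft"},
    "engines": {
        "EngineA": {"detected": True, "result": "Trojan.Generic"},
        "EngineB": {"detected": False, "result": None},
        "EngineC": {"detected": False, "result": None},
        "EngineD": {"detected": True, "result": "Suspicious.Heur"},
        "EngineE": {"detected": False, "result": None},
    },
}
PLAIN_REPORT = {
    "header": {"detections": 1, "engines": 2},
    "engines": {
        "EngineA": {"detected": True, "result": "Adware.Sample"},
        "EngineB": {"detected": False, "result": None},
    },
}


def recount(report):
    """Return (hits, total, flagging engine names) from the per-engine rows."""
    rows = report.get("engines", {})
    flagged = sorted(name for name, row in rows.items() if row.get("detected"))
    return len(flagged), len(rows), flagged


def triage(report):
    """Compare the summary header with the recount and list discrepancies."""
    hits, total, flagged = recount(report)
    header = report.get("header", {})
    findings = []
    if header.get("detections") != hits:
        findings.append("header-mismatch")
    if header.get("engines") != total:
        findings.append("engine-count-mismatch")
    if header.get("trusted_source") and hits:
        findings.append("trusted-source-with-detections")
    return {"hits": hits, "total": total, "flagged_by": flagged, "findings": findings}


if __name__ == "__main__":
    for name, report in (("trusted", TRUSTED_REPORT), ("plain", PLAIN_REPORT)):
        print(name, triage(report))
```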

Currently, only Microsoft files are listed as trusted sources. Virustotal plans to collaborate with other large software development companies to add their files to the trusted source catalog as well. The company did not define what it considers large but it stated that it won't accept applications from vendors who produce adware or potentially unwanted software.


The trusted source project won't eliminate false positives completely, at least not in the first project stage. It may, however, improve the reaction time of companies when their systems detect legitimate files as malicious.

It still comes down to individual vendors though. The user experience on the other hand is improved as trusted source file scans should no longer cause doubts about a file's legitimacy if false positives are detected.

This in fact could be a great opportunity for Nir Sofer to get all Nirsoft applications verified.



  1. Dwight Stegall said on February 13, 2015 at 3:58 am

    AVG gave me a false positive yesterday on mrt.exe (Microsoft Removal Tool). :(

  2. Jeff said on February 13, 2015 at 12:51 am

    Sounds like the old SignaCert product.

  3. Al McCann said on February 12, 2015 at 1:42 am

    “TrustedSource” is a registered trademark of McAfee / Intel.

    Wonder how they’ll feel about Google using it. It was owned by CipherTrust before McAfee purchased them.

  4. Pete said on February 11, 2015 at 5:48 pm

    “The main changes on the page are the new “trusted source” line that identifies the file as verified and the fact that the detection ratio shows 0 hits even though there may be some.”

    Personally I think that this is horrible new development.

    And I have to confess that I was horrified to learn that VirusTotal is owned by Google. Shit. Alternatives?

    1. kalmly said on February 12, 2015 at 3:02 pm

      I agree about it being a “horrible new development.” I was very confused the other day when I sent a file that showed 6 positives, but the ratio at the top of the page, showed 0. If I hadn’t scrolled down, I wouldn’t have noticed the discrepancy. (I never worry about 2 or 3 warnings, but 6 is a lot.)

      I was aware when Google took over and expected that they’d destroy it. I’m only surprised it took them so long.

      Thanks for the links, Martin.

    2. Martin Brinkmann said on February 11, 2015 at 6:24 pm

  5. BKV said on February 11, 2015 at 5:13 pm

    I’d also like it if all of Nir Sofer’s software gets verified. They’ve saved me a lot of hassle, quite a few times.
    Heck, Windows OSes should have been implementing some of them by default, as far as I’m concerned.

    1. Dwight Stegall said on February 13, 2015 at 3:59 am

      I agree.
