
Poster: Der AppleSeed Date: Mar 8, 2024 2:55pm
Forum: software Subject: false positive (again, and again)

Today I uploaded to archive.org; the upload was deleted due to claimed malware.

These files were extracted from an ISO that already exists on archive.org servers.

https://www.virustotal.com/gui/file/7e26f3fc3003d0cdbe1e0b90b8ff04a4f300341eb9b709e59e6d3c1346296b91/detection/f-7e26f3fc3003d0cdbe1e0b90b8ff04a4f300341eb9b709e59e6d3c1346296b91-1709921720

Please look at the vendors who reported:

Arcabit Trojan.Heur.FU.EC48DA
BitDefender Gen:Trojan.Heur.FU.cG1@aG1lh@mi
BitDefenderTheta AI:Packer.F325D7621F
Emsisoft Gen:Trojan.Heur.FU.cG1@aG1lh@mi (B)
GData Gen:Trojan.Heur.FU.cG1@aG1lh@mi
Malwarebytes MachineLearning/Anomalous.100%
MAX Malware (ai Score=88)
Trellix (FireEye) Gen:Trojan.Heur.FU.cG1@aG1lh@mi
VBA32 BScope.Trojan.FakeAlert
VIPRE Gen:Trojan.Heur.FU.cG1@aG1lh@mi

Heuristic, heuristic, heuristic, etc.
Most of those vendors weren't even around when the files were created to even build a heuristic dataset.

IOW, they are pulling turds out of their butts.

These vendors - at least the many shoddy ones - do not see their job as finding malware. They see their job as selling product. And the more often they cry wolf, and the less capable their product is, the more the uninformed will quiver and buy their junk.

archive.org prides itself in maintaining a well-disciplined, vast, and permanent repository. Using this current method does more harm than good, imo.

Like so many others, I perform due diligence to verify file authenticity and its history, and record relevant information. It is painful to see work tossed aside, knowing that I'm not doing it for any other reason than to help preserve our history.

Thanks for reading.


Poster: Der AppleSeed Date: Mar 8, 2024 3:41pm
Forum: software Subject: Re: false positive (again, and again)

Same file, same sha256, and a plethora of vendors, and results - CLEAN.

https://www.hybrid-analysis.com/sample/7e26f3fc3003d0cdbe1e0b90b8ff04a4f300341eb9b709e59e6d3c1346296b91

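Triaging a listing like the one in the opening post, as an added example that is not part of this thread and not any vendor's or archive.org's tooling: it parses the vendor/verdict lines quoted above (embedded here as constructed sample input), separates heuristic and machine-learning verdicts from named-family detections by marker substrings in the verdict names, collapses identical verdict strings (which usually mean one shared engine, not several independent opinions) into a single signal, and checks that the VirusTotal and Hybrid Analysis URLs from the two posts above refer to the same sha256. The marker list, the suffix-stripping rule and the parsing regex are assumptions of this example, not anything the scanning services publish.

```python
import hashlib
import re
from collections import Counter

# Constructed sample input: the vendor / verdict lines quoted in the opening
# post, in the two-column "Vendor Verdict" layout of a detection listing.
SAMPLE_LISTING = """\
Arcabit Trojan.Heur.FU.EC48DA
BitDefender Gen:Trojan.Heur.FU.cG1@aG1lh@mi
BitDefenderTheta AI:Packer.F325D7621F
Emsisoft Gen:Trojan.Heur.FU.cG1@aG1lh@mi (B)
GData Gen:Trojan.Heur.FU.cG1@aG1lh@mi
Malwarebytes MachineLearning/Anomalous.100%
MAX Malware (ai Score=88)
Trellix (FireEye) Gen:Trojan.Heur.FU.cG1@aG1lh@mi
VBA32 BScope.Trojan.FakeAlert
VIPRE Gen:Trojan.Heur.FU.cG1@aG1lh@mi
"""

# The two report URLs from the thread; both embed the sample's sha256.
VT_URL = ("https://www.virustotal.com/gui/file/"
          "7e26f3fc3003d0cdbe1e0b90b8ff04a4f300341eb9b709e59e6d3c1346296b91"
          "/detection/f-7e26f3fc3003d0cdbe1e0b90b8ff04a4f300341eb9b709e59e6d3c1346296b91-1709921720")
HA_URL = ("https://www.hybrid-analysis.com/sample/"
          "7e26f3fc3003d0cdbe1e0b90b8ff04a4f300341eb9b709e59e6d3c1346296b91")

# Assumption: these substrings mark heuristic, generic or machine-learning
# verdicts rather than a match on a known, named malware family.
HEURISTIC_MARKERS = ("heur", "ai:", "machinelearning", "ai score", "anomalous")

# Vendor is the first token plus an optional "(alias)" token, e.g. "Trellix (FireEye)".
LINE_RE = re.compile(r"^(\S+(?: \([^)]*\))?)\s+(.+?)\s*$")


def parse_listing(text):
    """Return a list of (vendor, verdict) pairs from a two-column listing."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        rows.append((m.group(1), m.group(2)))
    return rows


def normalise_verdict(verdict):
    """Drop short bracketed suffixes such as ' (B)' that licensees of a shared
    engine append, so identical verdicts group together."""
    return re.sub(r"\s*\([A-Za-z0-9]{1,3}\)$", "", verdict)


def is_heuristic(verdict):
    v = verdict.lower()
    return any(marker in v for marker in HEURISTIC_MARKERS)


def triage(text):
    """Summarise how much independent, non-heuristic evidence a listing carries."""
    rows = parse_listing(text)
    named = [vendor for vendor, verdict in rows if not is_heuristic(verdict)]
    shared = Counter(normalise_verdict(verdict) for _, verdict in rows)
    return {
        "engines_flagging": len(rows),
        "heuristic": len(rows) - len(named),
        "named": len(named),
        "named_vendors": named,
        # Distinct verdict strings: one shared engine reported by five
        # vendors still counts as one signal, not five.
        "independent_verdicts": len(shared),
        "largest_shared_verdict": shared.most_common(1)[0],
    }


def extract_sha256(url):
    """Pull the first 64-hex-digit token out of a report URL, or None."""
    m = re.search(r"\b[0-9a-f]{64}\b", url)
    return m.group(0) if m else None


def same_sample(*urls):
    """True when every URL names the same sha256 (so the reports are comparable)."""
    hashes = {extract_sha256(u) for u in urls}
    return len(hashes) == 1 and None not in hashes


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def local_hash_matches(data, url):
    """Confirm the bytes you hold are the bytes the report is about."""
    return sha256_hex(data) == extract_sha256(url)


if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
    print("same sample on both services:", same_sample(VT_URL, HA_URL))
```

On the quoted listing this reports ten engines flagging, nine of them heuristic or ML verdicts, six distinct verdict strings, and five vendors sharing the exact same `Gen:Trojan.Heur.FU...` string; the VBA32 `BScope.` prefix is not in the marker list, so it is counted as a named detection unless the list is extended. The hash check is what lets you compare the two reports at all: a verdict is only meaningful for the exact bytes it was computed over.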

Poster: Jeff Kaplan Date: Mar 14, 2024 7:57pm
Forum: software Subject: Re: false positive (again, and again)

restored.


Poster: Der AppleSeed Date: Mar 15, 2024 7:54am
Forum: software Subject: Re: false positive (again, and again)

Thank you Jeff.
This post was modified by Der AppleSeed on 2024-03-15 14:54:10


Poster: USA DAVEY Date: Mar 14, 2024 6:04am
Forum: software Subject: Re: false positive (again, and again)

This is getting more annoying by the day. You can circumvent scans by making TAR or ISO files from your uploads, other ideas are very welcome.


Poster: Der AppleSeed Date: Mar 15, 2024 7:26am
Forum: software Subject: Re: false positive (again, and again)

My experience: if the file - whether ISO or Zip, etc. - is larger than 500 MB, it is not accepted for scanning by VirusTotal.

Also: as I may have already said, hybrid-analysis.com filters out heuristic flags and results from the bottom-feeder so-called "anti-virus" apps.

VirusTotal (it seems to me) has become little more than a shill for these deplorable vendors, nullifying its efficacy as a useful tool for archive.org.

I get it: I understand archive.org's interest in keeping malware out of its vast repository.

That said, often, the baby is getting thrown out with the wash.

Also noted by me, and similar issues reported by other users: these "false positives" seem to be heavily weighted against Microsoft products specifically, and games generally.

My only thought is that archive.org could develop its own in house method, or perhaps come to an arrangement with hybrid-analysis.com.