How to interpret virustotal, virusscan scan?

You need to check the exact description of the malware that was detected, because antivirus software nowadays doesn't just detect "viruses", but may also warn you about other kinds of software, like adware and riskware. If you look closely at the descriptions in your scan, you will notice, for example:

  • Clyance: Unsafe. They don't tell you it's a virus, trojan, etc., they tell you "unsafe".
  • Fortinet: Riskware/Funshion. Again, it's labeled "riskware", not anything more specific.
  • Comodo: ApplicUnwnt@#t95vgdillac6. Again, the label seems to say "Application Unwanted", not more specific malware.
  • McAfee: Artemis. Artemis apparently is what McAfee calls "unknowns" that are detected by its heuristic engine. This is probably stuff detected by the engine, but that it's not included in the malware database. Source: McAfee support community.
  • ESET-NOD32: A Variant Of Win32/FusionCore.AQ Potentially Unwanted. Note they say it's "potentially unwanted". Also, what's Win32/FusionCore? Google brings up several results from reputable sources that link that description to PUAs (Potentially Unwanted Applications), adware, or software with poor reputation.
  • Kaspersky and ZoneAlarm: Not-a-virus:HEUR:Downloader.Win32.Funshion.gen. Not-a-virus is what Kaspersky calls adware and riskware. They include P2P software in riskware. What is riskware? It's legitimate software that has potentially dangerous functionality, so you should be aware of it. P2P software is ok if you installed it, but not ok if a malicious agent installed it on your machine without your consent. So they decided to call it riskware. Source: Kaspersky, not a virus.

As you can see it's not enough to just rely on "detection". You also need to check who detected what, and look up some more details before you can decide if it's a real known threat, or if the scanners are just warning you. In this case, the most popular scanners seem to tell you it's not malware, but it's riskware, so you need to make sure you know what you are doing. Of course you also need to remember that malware scanners don't tell you for sure if a piece of software is malicious or not, but they just tell you if it is known to be malicious, or if it might be malicious because of its behavior and functionality. Does Zapya have a good reputation? Does it introduce huge security holes in your system? Can its developers be trusted? Malware scanners won't answer such questions.


Sometimes engines will flag programs as viruses if the program or some part of the program is used in the payload of an actual virus. For example, programs made by PyInstaller are plagued by false positives due to viruses using it, even though the programs themselves are clean.

In your case, we can even see what might have caused this. If you go to the Relations page on VirusTotal and scroll down to the Execution Parents section, you can see that it is run by the Sality virus.

This might be the reason that those engines are detecting your file. If it is the only reason, then your file is probably safe to run. Then again, it might not be. It's up to you to decide whether you want to take that risk.


Interpreting output like this when you are not a technical expert can be difficult, especially when you get 13/70 engines reporting malicious behavior.

With uncertainty like this you can look at a few factors:

  1. the quality of the companies running the engine
  2. the type of behavior
  3. the community votes
  4. the risk you feel comfortable with

In this case, you have more than a couple of high-quality companies detecting malicious behavior, and a community member giving it a very low vote.

That says that it is likely bad.

But then you need to determine if the benefit you get from running the program outweighs these potential risks.

I've seen files where a little, unknown engine finds malicious behavior, but the rest detect nothing. Some scanners are better than others, some detect different things better and use different techniques to detect, so it is possible that not all engines will detect the same things.

And yes, it is possible to have false positives.

Tags:

Virus

Malware

Trojan

Related

Risks of Long-life Session Is it possible to store / record HTTPS client auth traffic as a signed document? Does the saying "physical access = game over" apply to smartphones, too? Where to store private and public keys? As a company, how can we prevent penetration testers from compromising our system? After changing Microsoft password, one can still login to previously authenticated Windows devices with old password indefinitely. Why? Should I be using ECDSA keys instead of RSA? How secure is this hash-based personal password scheme? Are password managers more secure than a slightly different password for each website? Security risks of fetching user-supplied URLs Can the Host Header be used to hide the existence of a service? How do unzip programs check if the password is correct?

Recent Posts