The latest new and updated apps with viruses according to Virus Total, why?

Leoram

Hi:
I have been noticing in the last weeks that most new and updated apps contain viruses and trojans that range from 1 to 3 in number according to Virus Total. For example, the new Krita with the HW32.Packed.DF66 virus. This has been happening lately and makes me lose a lot of time, not only because now I don't want to trust PortableApps anymore (a user for years), which forces me to use Virus Total with every app I download from this site and wait for the results (and we know how long we have to wait for every scan), but because I delete the download and re-download the app, each time with a new scan. You can test yourselves and confirm. Foxit, Stickies, Skype, just to name a few. Please do something soon, since PortableApps.com has been one of the most trusted sites for years.

Note: This is not a post to complain or criticize. I just want to add a contribution to the quality and high standard for which this site is known worldwide.

Leoram

John T. Haller (Admin, Developer, Moderator, Translator)
Lower Quality Antivirus Results Included

Virus Total includes a few lower quality antivirus scanners. Things like Bkav and Qihoo will have false positives all the time. Always with generic listings such as "HW32.Packed.FC0C". This just means that the installer is compressed to save space. Literally, that's all it means. Additionally, McAfee-GW-Edition is apparently flagging every single app as "BehavesLike.Win32.Expiro.vc" or similar if it is compiled with NSIS3. It's a systemic problem on their end and not something we can fix on ours.

Remember, 3 listings in Virus Total means those are false positives. Infected files look like this: https://www.virustotal.com/en/file/65fdb5d460b079279a4afcb45671b4ec4d7a2...

Sometimes, the impossible can become possible, if you're awesome!

Leoram

John:

I understand your point, but the problem with your analysis (which I plan to further consider after some deeper investigation) is that the user has no means to evaluate what is a "false positive" and what is not. For instance, I have seen a listing with a single hit in red like this: arg.lead.trojan-k345. As you may understand, from a user's point of view, the "trojan" part of the name sounds a bit intimidating. So common sense says not to take the risk and to refrain from installing.

One interesting detail to consider: I have realized that the same app from PortableApps that one day is flagged by VirusTotal as having some sort of malware can, when I scan another release of the same app some time later, get zero hits. How come? I have resorted to the unusual practice of waiting for another version, which is a loss of time and possibly not necessary. I am confused :(

Leoram

John T. Haller
Using It Wrong, Not First Line Defense, False Positives Rampant

A typical end user is using their antivirus on their computer to automatically monitor all files, as they should be. Generally this means Windows Defender, Symantec's Norton Antivirus, McAfee, AntiVir, AVG, or similar. You'll note that none of them have these issues with false positives on any of the files you've mentioned. VirusTotal is not meant to be used as your primary scanner. It's meant to be a double-check on it. And it's meant to be used by advanced users that understand what false positives are. Typical end users have never even heard of VirusTotal. It's also meant to be used by publishers to scan software about to be released to ensure that none of the major legitimate engines have a false positive. We don't bother reporting false positives to scanners like Bkav because they have false positives on every single file we test, so they're basically useless. It would be a full-time job to try to report all their issues to them. They seem to ignore false positive reports in English anyway (they're a Vietnamese company).

The reason that sometimes a file will show a false positive by an antivirus and then the next day show as clean is because the antivirus companies update their definitions daily. So, they might screw up on a given file and then have to fix their issue the next day. Or their (generally horrible) heuristic portion of their scanner may flag a file as a generic malware possibility one day and they get enough user reports and complaints that they manually whitelist the file in their definitions update 2 days later. In short, Windows antivirus is highly imperfect when it comes to "possible" threats, so you'll get all kinds of generic "packed" or "heuristic" alerts on one or two antivirus engines on VirusTotal all the time.

The bottom line is that anytime you get a few alerts on a file but 30+ engines (including *all* the major legitimate ones) showing as clean, you absolutely know it is a false positive. An actual infected file or installer will look like that link I showed you above with line after line of red infected alerts with them often showing the same kind of infection on each.

It's also important to keep in mind that VirusTotal doesn't even match the real version of a given antivirus. VirusTotal will often have a file flagged on its web version when the standard installed commercial version of the engine will correctly show it as clean. From their FAQ:

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.

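The rule of thumb in the two replies above (a handful of generic "packed" or heuristic hits from marginal engines, with every major engine clean, is a false positive; most engines agreeing on one family is an infection) can be written down as a small triage script. The following is an added example, not code from PortableApps.com, VirusTotal or Metadefender. The report layout, the "major" and "noisy" engine sets, the thresholds, and every detection name other than the two quoted in the thread are assumptions constructed for illustration; the real VirusTotal API returns a different structure.

```python
"""Triage a multi-engine scan report using the rule of thumb from the thread.

Added example. The report layout, engine sets and all detection names other
than the two quoted in the thread are constructed for illustration; the real
VirusTotal/Metadefender APIs return different structures.
"""
import re
from collections import Counter

# Assumption: a plausible set of mainstream engines whose verdicts carry weight.
MAJOR_ENGINES = {"Microsoft", "Symantec", "McAfee", "Kaspersky", "ESET-NOD32",
                 "BitDefender", "Avira", "AVG", "Avast", "Sophos", "TrendMicro"}
# Engines the thread says flag almost every packed installer.
NOISY_ENGINES = {"Bkav", "Qihoo-360", "McAfee-GW-Edition"}
# Constructed engine list: the 14 above plus filler engines, 60 in total.
ENGINES = sorted(MAJOR_ENGINES | NOISY_ENGINES) + [f"OtherEngine{i:02d}" for i in range(46)]

# Detection names that describe packing or a heuristic guess rather than a known family.
GENERIC_NAME = re.compile(r"packed|heur|behaveslike|generic|suspicious|\bsusp\b|unsafe", re.I)
# Tokens that never identify a family (platform, category and prefix words).
STOP_TOKENS = {"win32", "win64", "w32", "hw32", "trojan", "virus", "malware", "gen",
               "generic", "agent", "heur", "packed", "behaveslike", "downloader"}


def family_token(name):
    """First alphabetic token of a detection name that looks like a family, or None."""
    for tok in re.split(r"[^A-Za-z0-9]+", name):
        t = tok.lower()
        if len(t) >= 4 and t.isalpha() and t not in STOP_TOKENS:
            return t
    return None


def triage(report):
    """report: {engine_name: detection_name_or_None}. Returns counts plus a label."""
    total = len(report)
    hits = {e: n for e, n in report.items() if n}
    n_hits = len(hits)
    major_hits = sum(1 for e in hits if e in MAJOR_ENGINES)
    noisy_only = n_hits > 0 and all(e in NOISY_ENGINES for e in hits)
    generic_only = n_hits > 0 and all(GENERIC_NAME.search(n) for n in hits.values())
    families = Counter(f for f in map(family_token, hits.values()) if f)
    top_count = families.most_common(1)[0][1] if families else 0
    # "Same kind of infection on each": one family named by at least half the hits.
    same_family = n_hits >= 3 and top_count * 2 >= n_hits
    ratio = n_hits / total if total else 0.0

    if n_hits == 0:
        label = "clean"
    elif ratio >= 0.5 or (major_hits >= 3 and same_family):
        label = "likely malicious"
    elif major_hits == 0 and (n_hits <= 3 or noisy_only or generic_only):
        label = "likely false positive"
    else:
        label = "inconclusive: read the major-engine names, rescan after definitions update"
    return {"total": total, "hits": n_hits, "major_hits": major_hits,
            "noisy_only": noisy_only, "generic_only": generic_only,
            "same_family": same_family, "label": label}


def build_report(flagged):
    """Constructed report: engines named in `flagged` report that name, the rest are clean."""
    return {e: flagged.get(e) for e in ENGINES}


# Case 1: the Krita-style report from the thread (3 generic hits, every major engine clean).
FALSE_POSITIVE_REPORT = build_report({
    "Bkav": "HW32.Packed.DF66",
    "Qihoo-360": "HEUR/QVM19.1.Malware.Gen",            # constructed name
    "McAfee-GW-Edition": "BehavesLike.Win32.Expiro.vc",
})

# Case 2: an actual infection, 45 of 60 engines naming one (constructed) family.
_VARIANTS = ["Trojan.Win32.ExampleFam.gen", "W32/ExampleFam.A",
             "Win32:ExampleFam-B", "TR/ExampleFam.xyz"]
MALICIOUS_REPORT = build_report({e: _VARIANTS[i % 4] for i, e in enumerate(ENGINES[:45])})

# Case 3: two major engines with cloud/ML-style names and nothing else (constructed).
INCONCLUSIVE_REPORT = build_report({
    "Microsoft": "Trojan:Win32/Sample.A!ml",
    "Kaspersky": "UDS:DangerousObject.Multi.Generic",
})

if __name__ == "__main__":
    for name, rep in [("false positive", FALSE_POSITIVE_REPORT),
                      ("malicious", MALICIOUS_REPORT),
                      ("inconclusive", INCONCLUSIVE_REPORT)]:
        print(f"{name:14s} -> {triage(rep)['label']}")
```

To use it on a real scan, convert the per-engine results from the scanner's API into the same engine-to-name mapping before calling `triage`. The third case is the one the thread does not settle: a couple of major engines with heuristic or cloud names is neither the "30+ clean" pattern nor the "line after line of red" pattern, so the script refuses to call it and tells you to read the names and rescan once definitions have updated.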

Leoram
...

John: Your last post is highly enlightening. Now I'm clearer on this subject. It is a succinct, well written guidance on this matter. I personally have not found a better explanation on the strength and weakness of VirusTotal and its underlying set of engines. This comment, I mean your reply, could be considered a good candidate for pinning on top in the forum. Just a suggestion.

Thank you very much.

Leoram

John T. Haller
Welcome, Another Option

You're welcome.

Since VirusTotal was broken for 3 days, I started looking into alternatives. Metadefender is my favorite so far. Check it out here: https://www.metadefender.com/

It doesn't use beta or problematic settings like VirusTotal does, so you don't see false positives in the web version that won't occur for actual end users as often. It also doesn't use some of the lesser engines like Qihoo. I've pulled VirusTotal from our recommended multi-scanner list due to poor performance, poor availability, and poor results due to bad engine settings.

