I don't know if you saw that in my article about the GiPo@FileUtilities, some readers noted that Symantec Endpoint triggered an alarm when they installed the tool. AVG Anti-Virus, the AV software I use at the moment, had no complaints though. Thus I was uncertain if this was just a false-positive. Most anti-virus tools use heuristics to detect viruses for which there are no signatures yet available. Many viruses share specific characteristics which can be detected with rules-of-thumb.
- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
One reader uploaded GiPo@FileUtilities to Virustotal to clarify things. I must admit I didn't know about this useful free service, so perhaps you don't know about it either. Virustotal uses 38 different malware scan engines to analyze the files you send them. There are many well-known brands among these such as Trend Micro, Symantec, F-Secure, or Sophos.
Virustotal only requires a few seconds to analyze a suspicious file. It then presents a list of the outputs of each scan engine. I was somewhat surprised that 50% of the antivirus tools identified a Trojan inside the GiPo@FileUtilities installation file. They don't all detect the same Trojan, although at least they use different names. It is possible that a virus tool kit was used to compile the setup file.
On the other hand, the GiPo@FileUtilities perform file system manipulations that are typical for malware. Hence, I was still not convinced that this was not a false positive. In the same article Petr mentioned that the antivirus software vendor EST identified it as a false positive, even though Virustotal reports that their scan engine NOD32 also classified GiPo@FileUtilities as suspicious.
This just reaffirms my view that heuristics in antivirus software are quite unreliable. Therefore, I recommend using the Virustotal service if your AV software detected a virus in your network using its heuristics algorithms. However, this case demonstrates that even if several different scan engines claim to have detected a virus, you can't be really sure. If you are uncertain if your network really has been infected, you should send the suspicious files to your antivirus software vendor.
Hi!
On the Network is much more web service like Virustotal, e.g. virusscan.jotti.org or virscan.org.
P.s. Best regards from Poland. Your’s site is very helpful for me (and I suppose not only for me…). 🙂
Amandi, thanks for the tips and greetings to Poland. 🙂
We were regularly using this site while we troubleshoot the virus related issues. This was very helpfull when the antivirus were not detecting it even after scanning it we were able to find a fake files. Sometimes there are fake files for svchost.exe
better yet, if your file is rather large and would take a long time to upload, you can do a md5 of it then search against the md5 hash in virustotal. Chances are someone else has uploaded the same file before.
William, thanks. This is indeed useful.
Renjith, yeah svchost.exe makes it is often difficult to find the real culprit.