loadlibrary

Malware not detected, while it should be

Open godfriedmeesters opened this issue 4 years ago • 4 comments

I scanned this malware https://www.virustotal.com/gui/file/368aa0130e25dce79ca54350dc3abb67536f8be75ea1a8f9a5ee39119b68b815/detection

I expected a true positive, however nothing seems to be detected:

/mpclient yitaly.exe
main(): Scanning yitaly.exe...
EngineScanCallback(): Scanning input

godfriedmeesters avatar Feb 03 '21 16:02 godfriedmeesters

Hmm, I think it's because it's a PUA (Potentially Unwanted Application), rather than outright malicious. It seems like I need to set a flag to get this reported.

I think I can do that, but should I have an option, like --include-pua, or just enable it by default?

taviso avatar Feb 03 '21 16:02 taviso

> Hmm, I think it's because it's a PUA (Potentially Unwanted Application), rather than outright malicious. It seems like I need to set a flag to get this reported.
>
> I think I can do that, but should I have an option, like --include-pua, or just enable it by default?

Hey, could you add this option, so not by default?

godfriedmeesters avatar Feb 04 '21 10:02 godfriedmeesters

By the way, using Windows Defender on Windows, Trojan:Win32/Vigorf.A has been detected: "This program is dangerous and executes commands from an attacker."

godfriedmeesters avatar Feb 04 '21 10:02 godfriedmeesters

@taviso yes definitely a flag and not by default. All AV vendors include such flags that are by default disabled.

The reason for that is that not everyone is interested in blocking PUA, as they trigger on many clean apps.

@godfriedmeesters Trojan:Win32/Vigorf.A is a cloud detection based on ML (it is not always a reliable detection).

ayoubfaouzi avatar Jun 08 '21 08:06 ayoubfaouzi
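The design question in this thread (taviso's "should I have an option, like --include-pua, or just enable it by default?" and ayoubfaouzi's answer that such switches are off by default because PUA signatures fire on many clean applications) comes down to a small policy check in the scanner front end. The following is an added example, not code from loadlibrary or from any commenter: it models a scanner client with an opt-in `--include-pua` switch and a report filter that suppresses PUA-class hits unless the switch is set. The option parser, the `detection`/`scan_options` structs, the `THREAT_PUA` class, the sample hit list and the `PUA:Win32/ExampleBundler` name are all assumptions for illustration; nothing here calls the real engine.

```c
/* Added example (not loadlibrary's own code): an opt-in "--include-pua"
 * switch in front of a detection report. PUA hits are dropped unless the
 * user asked for them, which is the off-by-default behaviour the thread
 * describes. All names below are assumptions for the example. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

enum threat_class { THREAT_MALWARE, THREAT_PUA };

struct detection {
    const char *name;          /* threat name as an engine would report it */
    enum threat_class klass;   /* outright malicious vs potentially unwanted */
};

struct scan_options {
    bool include_pua;          /* off unless --include-pua is given */
};

/* Parse argv-style arguments. Returns the index of the first non-option
 * argument (the file to scan), or -1 if an unknown "--" switch is seen. */
int parse_scan_options(int argc, char **argv, struct scan_options *opts)
{
    opts->include_pua = false;
    int i;
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--include-pua") == 0)
            opts->include_pua = true;
        else if (strncmp(argv[i], "--", 2) == 0)
            return -1;         /* unknown switch */
        else
            break;             /* first positional argument: the file */
    }
    return i;
}

/* Policy: malicious hits are always surfaced, PUA hits only on request. */
bool should_report(const struct detection *d, const struct scan_options *opts)
{
    return d->klass == THREAT_MALWARE || opts->include_pua;
}

/* Print the hits the policy allows and return how many were reported. */
int report_detections(const struct detection *dets, size_t n,
                      const struct scan_options *opts)
{
    int reported = 0;
    for (size_t i = 0; i < n; i++) {
        if (!should_report(&dets[i], opts))
            continue;
        printf("EngineScanCallback(): Threat %s identified%s\n",
               dets[i].name, dets[i].klass == THREAT_PUA ? " (PUA)" : "");
        reported++;
    }
    return reported;
}

/* Constructed sample: one PUA hit (placeholder name) and one malicious hit
 * (the Defender name quoted in the issue). Stands in for engine callbacks. */
static const struct detection sample_hits[] = {
    { "PUA:Win32/ExampleBundler", THREAT_PUA },
    { "Trojan:Win32/Vigorf.A",    THREAT_MALWARE },
};
static const size_t sample_hits_len = sizeof(sample_hits) / sizeof(sample_hits[0]);

/* Number of sample hits that would be shown for a given setting. */
int sample_report_count(bool include_pua)
{
    struct scan_options opts = { include_pua };
    return report_detections(sample_hits, sample_hits_len, &opts);
}

int main(int argc, char **argv)
{
    struct scan_options opts;
    int file_idx = parse_scan_options(argc, argv, &opts);
    if (file_idx < 0 || file_idx >= argc) {
        fprintf(stderr, "usage: %s [--include-pua] FILE\n", argv[0]);
        return 1;
    }
    printf("main(): Scanning %s (include_pua=%d)...\n",
           argv[file_idx], opts.include_pua);
    int n = report_detections(sample_hits, sample_hits_len, &opts);
    printf("%d detection(s) reported\n", n);
    return 0;
}
```

Run without the switch and only the Trojan line is printed; with `--include-pua` both hits appear. Keeping the PUA class distinct from the malicious class, rather than folding it into a single "detected" flag, is what lets a deployment that cannot tolerate false positives on bundled installers keep the default while a triage workflow turns it on.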