Go Back   Web User Forums > Security > Malware Removal Help & Analysis

#1
24-05-18, 16:16
Moonshine
Passionate member
Join Date: Aug 2012
Posts: 1,002
Suspect Files

Hi all
I don’t often ask questions in this forum, but if a file is offered for download and the downloaded file has these results when folders within that ‘File’ are checked with VirusTotal:

https://www.virustotal.com/#/file/47...4831/detection

https://www.virustotal.com/#/file/81...c633/detection

https://www.virustotal.com/#/file/a1...1965/detection

. . . . is it advisable for anyone, especially those that aren’t security wise, to download the ‘file’?
If the results of the folder were known beforehand, would anyone actually go ahead with the download and trust the file(s) as being safe?
#2
25-05-18, 10:29
kevinf80
Global Moderator
Join Date: Feb 2008
Location: Sunderland.UK.
Posts: 2,950
Re: Suspect Files

Hello Moonshine,

In the current day and age any software that you d/l has the ability to carry hidden unwanted extras, especially free or pirated software.
Anything I personally d/l I do to a sandboxed environment, that is where I check out the d/l before allowing it onto my system.
I use Sandboxie, https://www.sandboxie.com/DownloadSandboxie
My download folder is in a sandbox environment, also my default Browser (Firefox) is also run in a sandbox environment.

Which software were you referring to...?

Thank you,

Kevin..
#3
25-05-18, 11:27
Moonshine
Passionate member
Join Date: Aug 2012
Posts: 1,002
Re: Suspect Files

Hi Kevin – thanks for getting back to me.

The files I’m referring to are available via this website:

https://pcriver.com/operating-system...-download.html

. . . . an actual download link URL being:

http://downloadwins.xyz/download/Win_XP_32Bit_Pro.zip

I have tried to advise the person who is encouraging people to use this type of site and download(s) to be cautious in doing so, especially as the downloads are not being tested first by that person.
After getting expected warnings from my security to be aware of the website and its potential content, I downloaded and tested the files (I use a VM with my preferred security installed within the VM) and have installed the software/OS (ISOs) and tested them within the VM to see what it/they entail. I scan the contents of an ISO container and not just the ISO ‘shell’.
I appreciate that any malware within the container will broadly speaking lay dormant until the ISO is opened up and the files are used/extracted or burned to disc.
Three flagged up files prompted me to use VirusTotal to further check the files with the result shown above in the VT report.
The results may well be an actual false positive (results deliberately shown as malicious to stop folks using them).
I appreciate that a Sandbox & VM are two different technologies/environments and the advantage of using a VM is that software can be run as if it was on a real machine, operating systems being an example.

I believe I’m doing the right thing in warning the person, and persisting to do so, even when that person insists that the websites which host these ‘files/ISOs’ are perfectly OK to use because his security says they are and the ‘files/ISOs’ that are actually downloaded are OK, again because his security say so.
Do you think I’m right to warn this person that he is being irresponsible and likely to get someone/people eventually ‘burned’ by this cavalier attitude especially when no tests are done on the downloaded files/ISOs first before offering them to the public?

Your advice will be greatly appreciated.
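The practice Moonshine describes above, inventorying what is inside a downloaded container before extracting or running anything, can be scripted. The following is an added example written for this thread, not code posted by any participant: it opens a zip archive (the download in question is a .zip) entirely in memory, records a SHA-256 for every member so each hash can be looked up on VirusTotal without uploading the file, and flags members that are executables, including ones whose content carries a Windows PE header but whose name claims to be something harmless. The archive built by `build_sample_archive` is constructed for the example and is not the real download.

```python
import hashlib
import io
import os
import zipfile

# File extensions Windows will execute directly. A defender wants to know
# these are present before anything leaves the archive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd", ".vbs", ".js", ".ps1",
}


def looks_like_pe(content: bytes) -> bool:
    """Windows executables (PE files) begin with the two-byte 'MZ' DOS header."""
    return content[:2] == b"MZ"


def inventory_archive(data: bytes) -> list:
    """Hash every member of a zip archive held in memory.

    Nothing is written to disk, so the archive can be inventoried before
    deciding whether to extract it. Each entry records the member name, its
    size, its SHA-256 (usable as a VirusTotal search term) and two flags:
      executable_ext  - the name ends in an extension Windows will run
      header_mismatch - the content has a PE header but the name does not
                        claim to be an executable (a common disguise)
    """
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()
            is_pe = looks_like_pe(content)
            entries.append({
                "name": info.filename,
                "size": len(content),
                "sha256": hashlib.sha256(content).hexdigest(),
                "executable_ext": ext in EXECUTABLE_EXTENSIONS,
                "header_mismatch": is_pe and ext not in EXECUTABLE_EXTENSIONS,
            })
    return entries


def suspicious_members(entries: list) -> list:
    """Return only the entries a reviewer should look at before trusting the archive."""
    return [e for e in entries if e["executable_ext"] or e["header_mismatch"]]


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real download): a text file, an
    installer executable, and a PE disguised as an image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Install instructions\n")
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62 + b"fake-pe-body")
        zf.writestr("wallpaper.jpg", b"MZ" + b"\x00" * 62 + b"also-a-pe")
    return buf.getvalue()


if __name__ == "__main__":
    entries = inventory_archive(build_sample_archive())
    for e in entries:
        flags = []
        if e["executable_ext"]:
            flags.append("executable")
        if e["header_mismatch"]:
            flags.append("PE header under non-executable name")
        print(f'{e["sha256"]}  {e["size"]:>8}  {e["name"]}  {", ".join(flags)}')
    print(f"{len(suspicious_members(entries))} member(s) need review before extraction")
```

Running it against a real download means reading the file's bytes and passing them to `inventory_archive`; the printed SHA-256 column can be pasted into VirusTotal's search box one hash at a time, which reveals prior detections without sending the file anywhere. An ISO inside the zip shows up as a single member here; inspecting the ISO's own contents, as the post describes, needs an ISO 9660 reader and is outside this example.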
#4
25-05-18, 21:07
kevinf80
Global Moderator
Join Date: Feb 2008
Location: Sunderland.UK.
Posts: 2,950
Re: Suspect Files

Hiya Moonshine,

Yes I believe you are correct warning the guy concerned, I would not think the findings are FPs, too many hits for that.
I use a VM myself, I have all versions of windows from 98 through to Windows 10.
When fixing infected PCs it is always helpful to have similar OSs available so you are aware of what should be happening as opposed to what info you are reading from diagnostic logs.
I'm away from home this weekend so will not be online much. I believe you are very well clued up with Windows and do not need any advice/help from me, keep up the good work....

Regards,

Kevin...
#5
25-05-18, 21:55
Cantrel
Global Moderator
Join Date: Jul 2012
Location: UK
Posts: 10,881
Re: Suspect Files

He's talking about me, Kevin.

I downloaded first and from that web page which Norton Toolbar said was safe.

This is the URL in question and I downloaded the 32bit ISO and created a boot disk - https://pcriver.com/operating-system...-download.html

I've run a scan on the extracted ISO with Norton Security and mrt.exe.

A scan overall with the free MBAM and the ESET Free Online Scanner.

mrt.exe was the only one that found one infected file but did not list it in its report.

Scooby has downloaded the ISO from there on a Win 8.1 machine without getting any alerts either to the web page or the ISO download.

He has since done a clean install with the ISO and I've asked him to run a scan with the free version of MBAM to see if it picks up anything untoward.

I don't have a VM so was unable to fully check out the install, but having downloaded from there onto my laptop without any alerts, I trusted my Norton Security which is usually pretty keen on bad websites and downloads that it appeared safe to me.

From the checks that Moonshine has linked, there are quite a few reputable AV programs which gave it a green light.
#6
26-05-18, 00:34
Moonshine
Passionate member
Join Date: Aug 2012
Posts: 1,002
Re: Suspect Files

I can’t believe you are trying to get Kevin, the forum malware expert, to justify your decision to point total strangers, in a family forum, to websites that offer links to potentially malicious/dangerous downloads and pirated/hacked software without forewarning readers first as to what the consequences might be for ‘them’.

If those that have downloaded and used your recommendations happen to have been lucky on this occasion, I guess that’s your excuse to continue to recommend these places in the future.
It’s just a matter of time before someone gets burned, but you know that, because I have mentioned that to you and you don’t appear to be concerned at all with that eventuality.

What on Earth is happening to these forums?