
Virus Total alerts #51

Open
robozb opened this issue Jan 5, 2023 · 3 comments

Comments


robozb commented Jan 5, 2023

I'd like to inform you about this:
https://www.virustotal.com/gui/file/d33327624264635d650157a05a3e5710b2e6bae5cea8a8b181ecb6e3601d48f6

Screenshot


robozb commented Jan 5, 2023

Other belonging file:
18e4d217e5f750735996e5a804147e710e8ff541cec8ef88223afcfb60c18e40


@divixkooo commented:

Which files did you send for review?

@SPIKEYPUP commented:

@robozb

I know this is a dead thread, however I thought it would be helpful to offer some insight on interpreting VirusTotal results.

TLDR: You don't need to worry about those scan results. They are false positives.

Max Secure is awful, in my honest opinion. Max Secure labels anything with basic access and modules as susgen... all the time, for so many things. Then there is SecureAge, which is obscure and low on my totem pole of security vendors, so I take both their analyses with a metric ton of salt. Cynet's method is also causing a false positive; the PasteIntoFile.exe should be fine, and once you look over the results in depth you can see nothing funky is going on. The AutoHotkey.exe file, on the other hand, will almost always get flagged as malicious by a few vendors. Why? Because AHK can do a lot of things that can be perceived as, or intended as, malicious. The executable itself is typically NOT malicious, meaning it isn't carrying a suspicious or dangerous payload itself; it's just that its very nature of being the utility that it is raises red flags when scanned, because of what it CAN do, not because of what it WILL do.

When using VirusTotal you should always be looking at who is reporting it as malicious, and how many reports there are. If you have 71 vendors and only 1-5 are flagging it, it's a false positive. Especially if the bigger vendors like Microsoft Defender, Malwarebytes, Avast, etc. are showing 'undetected' or 'clean' along with the other 60-70 of them, then it's 99% guaranteed a false positive.

Of course it's always good to be vigilant and wary of anything that you didn't code yourself, but when using VirusTotal it's important to view the results with context (what is the utility/file you are scanning, and what is its scope of use) as well as an understanding that a larger consensus of a detection is what's important. If it is flagged by one or two vendors, it's more than likely a safe file with no malicious payload; it's just something that accesses or uses something in the system that "could" cause harm or damage if used in a malicious manner, such as AutoHotkey, which is extremely powerful and capability rich, or any app/applet that performs system functions or function calls, etc.

If you get a scan back that has 10+ warnings, then you should look at it in more detail and see if the malicious functions match the scope and context of the scanned file. If they do, it's still probably a false positive. If you get back 20, 30, or more detections, then yes, it's malicious or has some vulnerability. With VirusTotal I find it's all about consensus, context, and quantity of detections, from whom, and how those vendors derived their conclusion(s).

I, myself, was just using VirusTotal for some VSTs (DLL files etc.) and things. When I tried to download them from my vendor's portal, SmartScreen (Microsoft) wouldn't let me download them, and when I ran them through VT there was SUSGEN (Max Secure) and AHK (Max Secure again) all over the place, but no detections otherwise out of 60+ vendors besides Max Secure and some really obscure vendor I had never heard of, so obscure I already forgot the name. Even Defender from Microsoft, which SmartScreen utilizes, gave a clean reading on VirusTotal even though Edge wouldn't download it. So I scanned them and then watched the sandbox activity and determined they're fine; they're just doing what they need to do, which sometimes involves functions and calls and modules or DLLs that COULD do bad things, but are really used for legitimate purposes to have the app work and do what it needs to or is supposed to do.

I hope this helps to shed some light on the topic. I do, however, apologize for the length of this comment.

Best wishes and Happy Holidays 2024 to all!
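The comment above describes a manual rule of thumb for reading a VirusTotal report: count the engines that fired, look at which vendors they are, and notice when every hit is a generic or heuristic label such as "susgen". The script below is an added example that turns that rule into code; it is not part of this issue or of the PasteIntoFile project. It reads the shape of a VirusTotal API v3 file object (`data.attributes.last_analysis_results`, one entry per engine with `category` and `result`), but every report in it is constructed inline, so nothing is fetched and the verdicts shown are not real scan results for the hashes in this thread. The "major vendor" list, the generic-label markers, and the 10 and 20 hit thresholds are assumptions that encode the commenter's heuristics, not anything VirusTotal defines.

```python
"""Triage a VirusTotal v3 file report with the "consensus, context, who flagged it"
heuristics from the comment above. Added example; not code from the issue or
from the PasteIntoFile project, and the sample reports below are constructed."""
import json
from typing import Dict, List, Tuple

# Engines that returned an actual verdict. "timeout", "failure" and
# "type-unsupported" mean the engine did not scan the file, so they must not be
# counted as "clean" when judging consensus.
SCAN_CATEGORIES = {"malicious", "suspicious", "undetected", "harmless"}
HIT_CATEGORIES = {"malicious", "suspicious"}

# Assumption: the "bigger vendors" the comment names plus a few widely used
# engines. Adjust to taste; this is not a VirusTotal-defined list.
MAJOR_VENDORS = {"Microsoft", "Malwarebytes", "Avast", "Kaspersky", "ESET-NOD32", "BitDefender"}

# Assumption: substrings that mark a heuristic/generic label such as "susgen".
GENERIC_MARKERS = ("susgen", "generic", "heur", "suspicious", "score:", "ai:", "ml.", "possible")


def constructed_report(results: Dict[str, dict]) -> str:
    """Wrap a per-engine table in the shape of a v3 file object
    (GET /api/v3/files/{hash} -> data.attributes.last_analysis_results)."""
    return json.dumps({"data": {"type": "file", "id": "constructed-sample",
                                "attributes": {"last_analysis_results": results}}})


def load_results(report_json: str) -> Dict[str, dict]:
    """Extract the per-engine table from a file object (real or constructed)."""
    return json.loads(report_json)["data"]["attributes"]["last_analysis_results"]


def engines_that_scanned(results: Dict[str, dict]) -> int:
    """Denominator for consensus: engines that actually produced a verdict."""
    return sum(1 for r in results.values() if r.get("category") in SCAN_CATEGORIES)


def flagged_engines(results: Dict[str, dict]) -> List[Tuple[str, str]]:
    """(engine, label) for every engine that called the file malicious or suspicious."""
    return sorted((name, r.get("result") or "")
                  for name, r in results.items() if r.get("category") in HIT_CATEGORIES)


def is_generic_label(label: str) -> bool:
    lowered = label.lower()
    return any(marker in lowered for marker in GENERIC_MARKERS)


def triage(results: Dict[str, dict], review_threshold: int = 10,
           malicious_threshold: int = 20) -> dict:
    """Apply the comment's rule of thumb: count the hits, weigh who raised them,
    and note whether every hit is a generic/heuristic label."""
    flagged = flagged_engines(results)
    hits = len(flagged)
    majors = sorted(name for name, _ in flagged if name in MAJOR_VENDORS)
    generic_only = hits > 0 and all(is_generic_label(label) for _, label in flagged)
    if hits >= malicious_threshold:
        verdict = "likely malicious"
    elif hits >= review_threshold or majors:
        verdict = "review in depth"  # a mainstream engine firing is worth a look even when alone
    elif hits == 0:
        verdict = "clean"
    else:
        verdict = "probable false positive"
    return {"scanned": engines_that_scanned(results), "hits": hits, "flagged": flagged,
            "majors_flagging": majors, "generic_only": generic_only, "verdict": verdict}


# Constructed sample 1: mirrors the thread, three niche engines fire with
# heuristic labels while the mainstream engines report undetected.
CLEAN_PAD = {f"Vendor{i:02d}": {"category": "undetected", "result": None} for i in range(60)}
SAMPLE_FALSE_POSITIVE = constructed_report({
    "MaxSecure":    {"category": "malicious", "result": "Trojan.Malware.300983.susgen"},
    "SecureAge":    {"category": "malicious", "result": "Malicious"},
    "Cynet":        {"category": "malicious", "result": "Malicious (score: 85)"},
    "Microsoft":    {"category": "undetected", "result": None},
    "Malwarebytes": {"category": "undetected", "result": None},
    "Avast":        {"category": "undetected", "result": None},
    "Kaspersky":    {"category": "undetected", "result": None},
    "ESET-NOD32":   {"category": "undetected", "result": None},
    "BitDefender":  {"category": "undetected", "result": None},
    "Symantec":     {"category": "type-unsupported", "result": None},
    **CLEAN_PAD,
})

# Constructed sample 2: broad consensus, 25 engines with specific family names.
SAMPLE_CONSENSUS = constructed_report({
    **{f"Engine{i:02d}": {"category": "malicious", "result": f"Trojan.Agent.{i}"} for i in range(25)},
    **{f"Engine{i:02d}": {"category": "undetected", "result": None} for i in range(25, 70)},
})

if __name__ == "__main__":
    for name, report in (("false-positive pattern", SAMPLE_FALSE_POSITIVE),
                         ("consensus pattern", SAMPLE_CONSENSUS)):
        summary = triage(load_results(report))
        print(f"{name}: {summary['hits']}/{summary['scanned']} engines flagged -> {summary['verdict']}")
        for engine, label in summary["flagged"][:5]:
            print(f"    {engine}: {label}")
```

Two design points worth noting. Engines that timed out or do not support the file type are excluded from the denominator rather than counted as clean, so a "3 of 69" figure is honest about how many engines actually looked at the file. And a single hit from a vendor in `MAJOR_VENDORS` escalates to "review in depth" regardless of the total, which is the "who is reporting it" part of the comment's advice; drop in a real report body from the v3 API in place of the constructed ones to run it against an actual file.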
