If you believe our scanner has misrepresented a file on VirusTotal please report the discrepancy using the form below.
(Please read our submission policy before filling out the form.)
The most common reason a binary is misidentified or mislabeled is that its developers took shortcuts, or used assembly routines and tools, that are commonplace among malware authors. Such common tools and routines tend to be:
- AutoIT Scripting – The EXE is really a script bundled with its interpreter, and AutoIT-compiled executables are a favored packaging tool of malware authors.
- Free or Ad-Supported Compilers – Malware authors often use the same free tools to compile their distributions or EXEs.
- Reuse of suspicious libraries – Libraries that perform specific tasks, such as enumerating the local system, rebooting, network shims, accessing the webcam, etc., are programming shortcuts and are often also used by malware authors.
- Behavioral Similarities to Malware – Shell access, remote access, data exfiltration, account escalation, downloaders, unusual beacons or check-ins, TOR or P2P communications, etc. Even well-intentioned applications or commercial products that exhibit these behaviors may be labeled as malicious.
Invincea has implemented a review and appeal process for the authors of binaries that may have been misidentified or mislabeled. When possible, Invincea will add binaries to a whitelist; however, binaries will be denied if:
- The binaries are not codesigned. If you are a software maker engaged in commerce, it is in your best interest to go through the additional steps of having your binaries signed by a reputable Certificate Authority. This also allows Invincea to whitelist binaries by the Certified Publisher's name, so future versions of the software inherit the whitelisting as well.
- The binaries are codesigned, but the publisher or issuing CA name has a poor reputation among the AV community. Such binaries will not be whitelisted.
- The binary's behavior may pose a risk to an enterprise network. Such behaviors include, but are not limited to, data exfiltration; unwarranted or excessive modifications to endpoints; weakening of security software; bypass or escalation of privileges; network communications designed to obfuscate or bypass normal network monitoring; remote access; deep system hooks that make uninstallation difficult; process injection; browser hijacking or modification; network shimming; stored password access; and insecure downloads of additional components and software.
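Before filing an appeal, it is worth confirming that every binary you intend to submit actually carries a valid Authenticode signature, and noting the publisher name the whitelist entry would be keyed on. The script below is an added example, not Invincea's own tooling or part of the submission form; it uses only the built-in Get-AuthenticodeSignature and Get-ChildItem cmdlets, and the release directory path is an assumption you supply at run time.

```powershell
# Added example (not Invincea's code): pre-submission Authenticode check for a release folder.
# Usage: .\Check-ReleaseSignatures.ps1 -ReleaseDir C:\build\release   (path is an assumption)
param(
    [Parameter(Mandatory = $true)]
    [string]$ReleaseDir
)

$files = Get-ChildItem -Path $ReleaseDir -Recurse -File -Include *.exe, *.dll, *.sys

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $cert = $sig.SignerCertificate

    # A self-signed certificate has identical Subject and Issuer; it did not come from a
    # reputable CA and will not satisfy the "signed by a reputable CA" requirement.
    $selfSigned = ($null -ne $cert) -and ($cert.Subject -eq $cert.Issuer)

    [pscustomobject]@{
        File        = $f.FullName
        # 'Valid' = signature verifies and chains to a trusted root on this machine.
        # 'NotSigned' is exactly the case the appeal process denies outright.
        Status      = $sig.Status
        Publisher   = if ($cert) { $cert.Subject } else { '(none)' }   # name a whitelist entry would key on
        IssuerCA    = if ($cert) { $cert.Issuer }  else { '(none)' }
        SelfSigned  = $selfSigned
        Timestamped = [bool]$sig.TimeStamperCertificate                 # keeps the signature valid after cert expiry
        Detail      = $sig.StatusMessage
    }
}

$report | Format-Table -AutoSize

# Anything that is unsigned, fails to verify, or is self-signed would be denied; fail the
# build step so the problem is fixed before the appeal is filed.
$problems = @($report | Where-Object { $_.Status -ne 'Valid' -or $_.SelfSigned })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} file(s) are unsigned, invalidly signed, or self-signed:" -f $problems.Count)
    $problems | ForEach-Object { Write-Warning ("  {0} [{1}]" -f $_.File, $_.Status) }
    exit 1
}
Write-Host "All binaries carry valid CA-issued signatures." -ForegroundColor Green
```

Run it on the exact files you plan to submit, since a signature check passes or fails per file. A 'Valid' status only tells you the chain is trusted on the machine where you ran the check; whether the publisher or CA has a good reputation in the AV community is a separate judgment that this script cannot make.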