There are some things I consider when doing malware testing:
- first, look for what reliable and fully updated AVs are returning, either online or offline (e.g. ESET, Kaspersky, Avast, MalwareBytes, maybe Defender)
- second, get some info about the malware supposedly returned by the questionable AVs (e.g. if it's generic, chances are it's a false positive)
- third, update my offline AV if needed (e.g. so I can disregard any "hey, I don't know this software, so it's suspicious" return from that AV)
- fourth, I use my own judgement as well, to conclude if some software is likely to be infected or not (e.g. my own reputation system, if you like)
In other words, just because some arbitrary AVs on VirusTotal are flagging a product, it doesn't mean it's actually infected. If solid AVs are flagging something, then chances are high, but if other AVs are doing so, then it's merely a suspicion that needs to be confirmed. In the latter case, some user actions are needed to get to an accurate conclusion. For example, after hitting the Reanalyze button (so that cached versions that were previously uploaded by other people are disregarded in favor of the sample I uploaded), this is what I get from VirusTotal and the last stable Rainmeter version: Yes, there are supposedly malicious returns, but they don't come from solid AVs, so, bar looking up the malware names to see what they mean and how exactly such malware is detected if you're really interested, everything is just fine.
P.S. One way to avoid the slower 'validation' of a new version of some software (in this case, Rainmeter) by AV vendors is to wait a few days before updating the said software, so that most or all AVs get the time to properly flag the new version.
Statistics: Posted by Yincognito — Today, 12:45 pm
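The triage steps in the post above (weight detections by vendor reputation, discount generic or heuristic names, disregard engines whose signatures are out of date, then decide whether a hit is confirmed or merely a suspicion) can be written down as a small script. The code below is an added example, not code from Yincognito's post or from Rainmeter or VirusTotal. It assumes a report shaped like the `last_analysis_results` object of the VirusTotal v3 API (engine name mapped to `category`, `result` and `engine_update`); the sample report, the vendor names starting with "Vendor", the `SOLID_VENDORS` set, the `GENERIC_PATTERN` keywords and the 7-day staleness window are all constructed assumptions, not an official ranking or an official list of generic detection names.

```python
"""Triage a VirusTotal-style scan report the way the forum post describes.

Added example: the report shape mirrors VirusTotal v3 `last_analysis_results`
(engine -> {category, result, engine_update}), but every value below is
constructed for illustration. Vendor lists and keywords are assumptions.
"""
from datetime import datetime
import re

# Assumption: the vendors the post calls "solid". Engine names follow the
# spelling VirusTotal uses for these vendors; the choice itself is a judgment call.
SOLID_VENDORS = {"ESET-NOD32", "Kaspersky", "Avast", "Malwarebytes", "Microsoft"}

# Assumption: detection names containing these tokens are treated as generic,
# heuristic or machine-learning verdicts rather than a specific named family.
GENERIC_PATTERN = re.compile(
    r"(generic|heur|suspicious|unsafe|\bml\b|ml\.|ai\.|score|unknown|riskware|"
    r"not-a-virus|pua|potentially|attribute)",
    re.IGNORECASE,
)

# Constructed sample report (values made up); engine_update is YYYYMMDD.
SAMPLE_REPORT = {
    "ESET-NOD32":   {"category": "undetected", "result": None, "engine_update": "20240615"},
    "Kaspersky":    {"category": "undetected", "result": None, "engine_update": "20240615"},
    "Avast":        {"category": "undetected", "result": None, "engine_update": "20240614"},
    "Malwarebytes": {"category": "undetected", "result": None, "engine_update": "20240615"},
    "Microsoft":    {"category": "undetected", "result": None, "engine_update": "20240615"},
    "VendorA":      {"category": "malicious",  "result": "Trojan.Generic.12345", "engine_update": "20240614"},
    "VendorB":      {"category": "malicious",  "result": "ML.Attribute.HighConfidence", "engine_update": "20240615"},
    "VendorC":      {"category": "suspicious", "result": "Heur.AGEN.Unknown", "engine_update": "20240501"},
    "VendorD":      {"category": "timeout",    "result": None, "engine_update": "20240615"},
}


def is_generic(name):
    """A missing name or one matching the generic keywords is not a named family."""
    return name is None or bool(GENERIC_PATTERN.search(name))


def is_stale(engine_update, scan_date, max_days):
    """True if the engine's signatures are more than max_days older than the scan."""
    if not engine_update:
        return False
    delta = datetime.strptime(scan_date, "%Y%m%d") - datetime.strptime(engine_update, "%Y%m%d")
    return delta.days > max_days


def triage(results, scan_date, max_stale_days=7):
    """Bucket every malicious/suspicious hit and derive a verdict.

    Order of precedence per engine: a solid vendor's hit always counts;
    otherwise a stale engine is set aside (step 3 of the post: update it and
    rescan before trusting it); otherwise a generic name is a weak signal;
    only a specific named family from a non-solid vendor needs follow-up.
    """
    buckets = {"solid": [], "stale": [], "generic": [], "named": []}
    for engine, r in results.items():
        if r.get("category") not in ("malicious", "suspicious"):
            continue  # undetected, harmless, timeout, type-unsupported: not a hit
        hit = (engine, r.get("result"))
        if engine in SOLID_VENDORS:
            buckets["solid"].append(hit)
        elif is_stale(r.get("engine_update"), scan_date, max_stale_days):
            buckets["stale"].append(hit)
        elif is_generic(r.get("result")):
            buckets["generic"].append(hit)
        else:
            buckets["named"].append(hit)

    if buckets["solid"]:
        verdict = "likely-infected"          # solid AV flagged it: chances are high
    elif buckets["named"]:
        verdict = "needs-confirmation"       # a suspicion; look the name up, rescan
    else:
        verdict = "likely-false-positive"    # only generic/stale/no hits remain
    buckets["verdict"] = verdict
    return buckets


if __name__ == "__main__":
    out = triage(SAMPLE_REPORT, "20240615")
    print("verdict:", out["verdict"])
    for bucket in ("solid", "named", "generic", "stale"):
        for engine, name in out[bucket]:
            print(f"  {bucket:8} {engine}: {name}")
```

The verdict is deliberately three-valued: "likely-infected" and "likely-false-positive" map to the post's two clear cases, while "needs-confirmation" is the middle case where a non-solid vendor reports a specific family name and the post says user action (Reanalyze, looking the name up) is required before concluding anything. Swapping `SAMPLE_REPORT` for a real `last_analysis_results` object from the API response is the only change needed to run it on an actual scan.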