Here's why the scanners on VirusTotal flagged Hello World as harmful

CrowdStrike, Cylance, Endgame and others flagged Hello World as unsafe or malicious

1 2 Page 2
Page 2 of 2


Raj Rajamani, SentinelOne:

"SentinelOne uses multiple engines for prevention that work holistically on the full SentinelOne Endpoint Protection Platform (EPP) including a static machine learning (ML) engine (the one on VirusTotal) and a dynamic ML engine (which is only available on the agent).

"Each engine uses ML techniques to classify files and events as threats (hi-confidence detections) or suspicious (low confidence detections), and together they enjoy full system context. VT does not support confidence scores, so even low-confidence detections (aka suspicious) are marked as threats/malware in their feed.

"In this case, the binary was detected as suspicious, probably because it was compiled in debug mode. When the same code is compiled in release mode, we do not detect this as suspicious. This is normally not an issue in production environments as customers review suspicious items before mitigating them.

"We take false positives and false negatives very seriously and approach them from a few angles: 1) by making it easy for customers to whitelist suspicious files; 2) we have a team of threat researchers at the ready to assist in hunting and classification of suspicious files and threats and; 3) we ship a new machine learning-engine every month. We will continue to work to improve our false positive and false negative detections with every release.

 
Jarno Niemelä, F-Secure:

"This is actually a thing that pops up every couple years or so. What is going on in that AV industry has been using "Next gen" ML sample classification systems for over 10 years already. There is nothing "Next gen" in most of the new vendors.

"And the ML systems we use analyze samples based on the features we extract from the sample, most features are collected statically, and some are collected by running the sample inside an emulator and observing the code as it runs. The features are collected from millions of samples that are already classified as malware as well as from tens or even hundreds of millions of clean files.

"And what you end up with is a system that will high rather classify malicious and clean files correctly. New instances of known malware types and samples that do things that are known for malware will be classified as malware. And clean files are unlikely to be misclassified.

"These analysis results are then packaged into "AV signature database" that depending on the company and a product either resides in the cloud or is shipped to all end users, and may either contain actual signatures or trained ML database, depending on the company and engine. And many times in addition of ML generated detections, the signature database also may contain human created detections, which are usually much more generic and powerful. Although those are frequently omitted or unable to function in VT.

"However if a sample doesn't have almost any features that it could be classified with, these systems are prone to classify them as malicious, due to fact that it is very rare for a clean file to do nothing and have no features that would be common among other clean files. Which leads to this "Hello world" issue people encounter once in a while.

"This is seen as erring to safety, as the sample in question is very unlikely to be of any significance, and may well contain something malicious that we do not have feature extraction for.

"Especially as this file may not ever trigger a false alarm among real customers, as our products have false alarm mitigation mechanisms that take other things into account than just the file analysis system result, and thus what is shown as a false alarm in VT does not trigger for actual user.

"And even if a false alarm triggers on some user, the notification about triggering will be sent to our cloud and if we get any metadata that might indicate a false alarm we will automatically analyze the sample more thoroughly. Which means that actual false alarms hitting real end users are much more rare than ones seen in VT, and are usually very short lived.

"And then to the particular sample you linked in VT. In this case the false alarm was caused by a licensed component, whose vendor identified and fixed the FA even before our systems picked the file for analysis. And obviously none of our customers queried about the file, so I cannot really say would we have been able to mitigate the false alarm automatically before the first customer asking about the file."


Bogdan Botezatu, Bitdefender:

"Bitdefender uses multiple layers of detection, including a solid reputation system to flag unknown files. Such files may include freshly compiled applications, even if they are harmless to the user. The reputation system looks suspiciously at any files that have never been seen in the wild, but other layers of technologies in the full Bitdefender product usually go deeper into the file and lets it run even if it was initially blocked at stage 1.

"However, as VirusTotal only aggregates some scanning technologies, unlike a regular Bitdefender security suite, some results may be inaccurate or inconclusive. This is why the VirusTotal FAQ strongly advises against bench-marking security solutions based on the VirusTotal results.

"Regarding the false positive issue, this kind of detection is not something the user, or the tester, would see in a real life scenario, as we use a complex mix of technologies to get an accurate classification of the file."


Vincent Weafer, McAfee Labs:

"The examples in the article all seem to be associated with McAfee gateway scanner heuristic engine,  which is by design set up to detect both malicious and suspicious files passing through enterprise gateway systems. This engine is not part of the enterprise endpoint or consumer solutions, which have different detection profiles compared to a gateway heuristic engine, for a defense in depth solution.

"The full implementation of that heuristic engine in the gateway or cloud, includes other trust/reputation technologies that enable filtering out known clean files for false avoidance or performance reasons.  In this case the samples tested were simple programs, which were not code signed or had other trust indicators, so a heuristic type engine would likely detect them in this context."


Cyren (also F-Prot):

Note: Cyren confirmed they were initially blocking the Hello World code. On August 10, they were notified "of the possibly erroneous classification the same day it appeared." After an analyst looked at it, the scoring/classification was adjusted on the same day.

"Our massively automated detection network, driven by complex machine learning, does on occasion score an object as suspicious, when it might in fact be benign. We are committed to minimizing false positives and rapidly fixing them once identified – this is as important to us as blocking threats correctly." - Michael Tamir, VP of Support Services, Cyren.


Chet Wisniewski, Sophos:

"SophosLabs uses advanced machine learning technology and expert researchers categorize suspicious file samples. When a file is incorrectly categorized our data science team work quickly to rectify it and re-calibrate the algorithms. Our researchers are currently investigating the executable files you reference"

1 2 Page 2
Page 2 of 2
New! Download the State of Cybercrime 2017 report