How to Read "Grey-area" ML Detections

Hi all,


Today I noticed an ML detection of BitTorrent:

https://www.virustotal.com/#/file/8bc7720ae156a741de566fac8672ee8223c77c9ad1898654a61c9df381efac7e/detection

So I asked VT to re-analyze it, and it seems that a majority of ML engines are still flagging it as malicious, but almost none of the AV engines are.

Some of the ML engines are detecting it with a public score of 72%, which is quite high.


Now, it could be that such an application is really malicious, infected, code-caved, etc.

But on the other hand it could be just an FP, so how can I tell? How can I get a quick, on-the-fly second opinion?

Shall I whitelist the certificate (the only option here) or not?

It looks like an FP to me (I saw the Steam games thread where torrents are mentioned).


Thanks.

Yannick

  • It may not be quick or on-the-fly (though usually it is), but it does make sense to inquire with SophosLabs.

  • If in doubt about the classification, we recommend you leave the executable in quarantine and request assistance from Support for an evaluation by SophosLabs.

    In the situation where we have a Deep Learning malware or PUA detection and you are uncertain whether it may be a false positive or not, it is appropriate to raise a support ticket to investigate.

    Your first instinct to check VirusTotal to get a better understanding was the appropriate first step, but, as in this case, that is not necessarily enough to make the determination on your own.

    Support will assist with safely extracting the sample from the quarantine location and submitting it to SophosLabs for evaluation.

    Shortly after release of the product, an update to the Sophos Self Help tool will be available to make sample submission of suspected FPs, and of suspected malware that may have been missed, easier.

  • In reply to Karl_Ackerman:

    Hi Karl,

    Thanks for the detailed feedback.

    That sample submission option within the Self Help tool is probably the best news, and also a way to easily submit a sample.

    If possible, I think we could save a lot of time and support resources by adding, on the admin console, an additional dropdown button or option (next to the ML-whitelist option) that would submit the sample or hash to our sandbox, or double-check it with the live lookup technology, instantaneously. That way every customer gets a first result/opinion within a few seconds or minutes; if the result isn't a clear go or no-go, they can still submit it with the upcoming version of SSH.

    Thanks.
    Yannick