Help with determining if my device is at risk from a virus.

DrDerp

Hello! So today I downloaded something and I ran it through Virus-Total or whatever it’s called and it came back with a Heur virus in one test. I immediately deleted the file, without ever launching it. However, just by unzipping the folder that contained it am I at any risk at all from it being installed on my machine? Big thanks.

Who needs fancy graphics and high resolutions when you can get a 60 FPS frame rate on iGPUs?

Just now, Electronics Wizardy said:

pretty unlikely to cause an issue.

Thanks. I’m always nervous around this kinda stuff because I once got a virus that devastated our internet speeds.

8 minutes ago, DrDerp said:

Thanks. I’m always nervous around this kinda stuff because I once got a virus that devastated our internet speeds.

Run a virus scan, but having a file is very unlikely to cause an issue; you need to run it, or it needs to find a way to be run (normally through a security hole).

17 minutes ago, DrDerp said:

Hello! So today I downloaded something and I ran it through Virus-Total or whatever it’s called and it came back with a Heur virus in one test. I immediately deleted the file, without ever launching it. However, just by unzipping the folder that contained it am I at any risk at all from it being installed on my machine? Big thanks.

Stop downloading anime from untrusty sites!!!

13 minutes ago, DrDerp said:

Thanks. I’m always nervous around this kinda stuff because I once got a virus that devastated our internet speeds.

Welcome to the bot net!

4 minutes ago, Electronics Wizardy said:

Run a virus scan, but having a file is very unlikely to cause an issue; you need to run it, or it needs to find a way to be run (normally through a security hole).

This^^. You should be good but doing a sys scan won't hurt anything, I recommend bitdefender, mbam, and adwcleaner as a fun dose of daily paranoia scans.

We can give you any answer you want to hear but the only way to really know is to find out yourself, better safe than sorry when it comes to exploits. Even if you didn't click on the file there are a lot of variables that could affect whether or not you've infected your PC or your network.

-KuJoe

27 minutes ago, DrDerp said:

However

Did you run the app? Check the Task Manager? Run HitmanPro and Malwarebytes Anti-Malware. If both scanners detect nothing, then you are good to go.

12 minutes ago, nick11682 said:

Stop downloading anime from untrusty sites!!!

Welcome to the bot net!

This^^. You should be good but doing a sys scan won't hurt anything, I recommend bitdefender, mbam, and adwcleaner as a fun dose of daily paranoia scans.

It was from this video, and other people seemed to have no issues with it. The one time I screwed up I was like 12. Thanks for the recommendations of scanners, I’ll try them out.

1 minute ago, Speed Weed said:

Did you run the app? Check the Task Manager? Run HitmanPro and Malwarebytes Anti-Malware. If both scanners detect nothing, then you are good to go.

I didn’t do any of that (including running the app) but I don’t know what to check in the task manager.

1 minute ago, DrDerp said:

I didn’t do any of that (including running the app) but I don’t know what to check in the task manager.

Check any suspicious app or process in the Task Manager. 

2 minutes ago, Speed Weed said:

Check any suspicious app or process in the Task Manager. 

I don’t know what would be if it’s running in the background is what I’m saying.

Just now, DrDerp said:

I don’t know what would be if it’s running in the background is what I’m saying.

That is why you check for any suspicious app or process in the Task Manager. If you just unzipped it, then I believe you are safe. You can run HitmanPro and Malwarebytes or check the Task Manager.

1 minute ago, Speed Weed said:

That is why you check for any suspicious app or process in the Task Manager. If you just unzipped it, then I believe you are safe. You can run HitmanPro and Malwarebytes or check the Task Manager.

Alright. I think my PC should be fine after running a couple of tests so thanks for the help.

7 minutes ago, DrDerp said:

I don’t know what would be if it’s running in the background is what I’m saying.

5 minutes ago, Speed Weed said:

That is why you check for any suspicious app or process in the Task Manager. If you just unzipped it, then I believe you are safe. You can run HitmanPro and Malwarebytes or check the Task Manager.

It is difficult to narrow down a virus by looking at processes if you don't know what each one does, especially since some viruses can masquerade as actual Windows services. I wouldn't focus on that 100% right now, unless you see IAMAVIRUS.EXE. What you can do, though, is run a boot scan or a scan in safe mode to ensure that the processes running on your machine are legit. You said it was a heuristic hit, which means that the antivirus found what it thought was malicious behavior (useful for 0-days), and the fact that it was only the one makes me think you're clean, especially since you didn't run the program.

Just now, nick11682 said:

It is difficult to narrow down a virus by looking at processes if you don't know what each one does, especially since some viruses can masquerade as actual Windows services. I wouldn't focus on that 100% right now, unless you see IAMAVIRUS.EXE. What you can do, though, is run a boot scan or a scan in safe mode to ensure that the processes running on your machine are legit. You said it was a heuristic hit, which means that the antivirus found what it thought was malicious behavior (useful for 0-days), and the fact that it was only the one makes me think you're clean, especially since you didn't run the program.

You check the location of the app or process and compare it to Google search results.

Just now, Speed Weed said:

You check the location of the app or process and compare it to Google search results.

Viruses can alter and replace legit OS files in place, so like I said it won't hurt to do that, but it's not the best way to do so and will likely be a waste of time.

2 minutes ago, nick11682 said:

Viruses can alter and replace legit OS files in place, so like I said it won't hurt to do that, but it's not the best way to do so and will likely be a waste of time.

If the virus replaces the legit OS files, then they will have different hashes than the legit ones. This is how antivirus detects viruses and malware. Process Explorer will come in handy in this case, with its built-in virustotal.com check feature.

4 minutes ago, nick11682 said:

Viruses can alter and replace legit OS files in place, so like I said it won't hurt to do that, but it's not the best way to do so and will likely be a waste of time.

People who have used the file say that they haven’t gotten any viruses or anything but I’m nervous that it may be something that’s not noticeable.

Just now, Speed Weed said:

If the virus replaces the legit OS files, then they will have different hashes than the legit ones. This is how antivirus detects viruses and malware.

Depending on the antivirus, I agree. Antiviruses usually use signature and/or heuristic analysis; however, some offer the service to monitor system files to protect against ransomware-like activity (like changing or encrypting files). If they only used file hashes that would be tremendously inefficient due to the time it takes to calculate hashes and the fact that they would need to store hashes for comparison.

Just now, DrDerp said:

People who have used the file say that they haven’t gotten any viruses or anything but I’m nervous that it may be something that’s not noticeable.

I totally get that, I'm pretty paranoid about viruses. but if the scans are clean and you didn't open the file you should be good. Anti viruses have false positives, if you want to be 100% certain you could reinstall your os but I don't think it's necessary tbh. You could also monitor logs to see if there's any weird activity going on.

8 minutes ago, nick11682 said:

Depending on the antivirus, I agree. Antiviruses usually use signature and/or heuristic analysis; however, some offer the service to monitor system files to protect against ransomware-like activity (like changing or encrypting files). If they only used file hashes that would be tremendously inefficient due to the time it takes to calculate hashes and the fact that they would need to store hashes for comparison.

"If they only used file hashes that would be tremendously inefficient due to the time it takes to calculate hashes and the fact that they would need to store hashes for comparison." Antivirus only needs to store blacklist hashes; therefore, there is no need for comparison. Since antivirus stores the blacklist hash files in RAM, it can access them much more quickly than if they were stored on storage drives.

Behavior Blocker and Host Intrusion Prevention System are the zero-day defenses against unknown threats. Ransomware protection only protects against apps that try to encrypt your files, but it does not protect against unknown threats other than ransomware.

Anyway, OP said he is fine because he ran multiple scans. 

29 minutes ago, Speed Weed said:

"If they only used file hashes that would be tremendously inefficient due to the time it takes to calculate hashes and the fact that they would need to store hashes for comparison." Antivirus only needs to store blacklist hashes; therefore, there is no need for comparison. Since antivirus stores the blacklist hash files in RAM, it can access them much more quickly than if they were stored on storage drives.

I believe you're confusing file hashes with signatures. Like I said, antiviruses can store hashes of sys files (not all do) to use as a comparison, but declaring that's the only way that they detect viruses is incorrect and/or antiquated. People can obfuscate code to bypass signature analysis. That's why heuristic analysis is used. I agree HIPS are fantastic, but stretching further from the OP's question, let's tell him about setting up a WORM drive to store his logs, or setting up an SDN to manage his network; does he need a VLAN for his IoT or SCADA devices!? I think he does! Especially since HIPS are used much more broadly than an antivirus. I digress, because none of this explains how the heck someone who isn't intimate with the Windows architecture could look at their Task Manager to see if they have a virus! He had a simple question, "am I safe with this file that I downloaded", and of course it is possible an evil mastermind has coded an undetectable virus and attached it to a kickass game and the only way to detect it is to google every process and service running on his computer, but it's severely unlikely and in my professional internet opinion I think he's good to go.

Malinois out!

2 minutes ago, nick11682 said:

I believe you're confusing file hashes with signatures. Like I said, antiviruses can store hashes of sys files (not all do) to use as a comparison, but declaring that's the only way that they detect viruses is incorrect and/or antiquated. People can obfuscate code to bypass signature analysis. That's why heuristic analysis is used. I agree HIPS are fantastic, but stretching further from the OP's question, let's tell him about setting up a WORM drive to store his logs, or setting up an SDN to manage his network; does he need a VLAN for his IoT or SCADA devices!? I think he does! Especially since HIPS are used much more broadly than an antivirus. I digress, because none of this explains how the heck someone who isn't intimate with the Windows architecture could look at their Task Manager to see if they have a virus! He had a simple question, "am I safe with this file that I downloaded", and of course it is possible an evil mastermind has coded an undetectable virus and attached it to a kickass game and the only way to detect it is to google every process and service running on his computer, but it's severely unlikely and in my professional internet opinion I think he's good to go.

Malinois out!

Signature files contain blacklist hashes of malicious apps.

On 11/18/2018 at 10:15 PM, Speed Weed said:

Signature files contain blacklist hashes of malicious apps.

Since it was obvious you weren't going to take my word that antiviruses use more than just hashes, I decided to reach out to Malwarebytes. I hope this helps clear up any confusion.

Malwarebytes

Your support ticket 2474753 has been updated. Please reply to this email to update the ticket with any questions or additional information.

William ---- (Malwarebytes Support)

Nov 20, 04:31 PST

Hello Nick,

I would like to welcome you to Malwarebytes Malware Support, my name is William and I will be helping you out today.

While the hash would be part of it - it is not all of it - it would also have a snippet of the code that would be unique to that malware for it to look for.

Regards,

William ----
Senior Malware Removal Specialist
Technical Support Specialist
support.malwarebytes.com

Nick

Nov 18, 20:45 PST

Hello,

I understand the purpose of signature files, but what do they actually contain. Do they only store hashes of known malicious apps?
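The thread argues over three different mechanisms: comparing a system file's hash against a known-good baseline (Speed Weed's "different hashes than the legit ones"), looking a file's hash up in an in-memory blacklist, and matching a "snippet of the code that would be unique to that malware" as the Malwarebytes reply describes. The script below is an added illustration written for this page; it is not code from any poster, from Malwarebytes, or from any antivirus product. The file contents, paths, hashes and the signature pattern are all constructed stand-ins, and the point it demonstrates is the one nick11682 raises: a one-byte change to a file defeats a pure hash blacklist, while a byte-pattern signature still fires, and an in-place replacement of an OS file is caught by the baseline check even when no blacklist or signature knows it.

```python
import hashlib

# Constructed stand-ins for file contents (not real binaries, not real malware).
KNOWN_GOOD_SVC = b"MZ\x90\x00constructed-good-service-image\x00end"
BAD_SAMPLE = b"MZ\x90\x00junk\x00CONSTRUCTED-UNIQUE-PAYLOAD-STRING-42\x00more-junk"
# The same sample with one byte appended: its hash changes, its code snippet does not.
BAD_SAMPLE_MODIFIED = BAD_SAMPLE + b"\x00"
# A legit OS file replaced in place by something else under the same name.
TAMPERED_SVC = KNOWN_GOOD_SVC[:-3] + b"XXX"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# 1. Integrity baseline: expected hash per protected path (hypothetical path).
BASELINE = {"C:/Windows/System32/goodsvc.exe": sha256(KNOWN_GOOD_SVC)}

# 2. Blacklist of known-bad hashes held in a set: membership is a hash-table
#    lookup, not a scan over every stored entry.
DENYLIST = {sha256(BAD_SAMPLE)}

# 3. Byte-pattern signatures: a snippet unique to one (constructed) family.
SIGNATURES = {"Constructed.Sample.A": b"CONSTRUCTED-UNIQUE-PAYLOAD-STRING-42"}


def check_integrity(path: str, data: bytes) -> str:
    """'ok' or 'modified' against the baseline; 'unknown' when the path has no baseline."""
    expected = BASELINE.get(path)
    if expected is None:
        return "unknown"
    return "ok" if sha256(data) == expected else "modified"


def hash_denylisted(data: bytes) -> bool:
    """Exact-match lookup: any change to the bytes gives a different hash and a miss."""
    return sha256(data) in DENYLIST


def signature_hits(data: bytes) -> list:
    """Substring match of each family's unique snippet; survives small edits elsewhere."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def scan(path: str, data: bytes) -> dict:
    """Run all three checks and combine them into a verdict."""
    result = {
        "integrity": check_integrity(path, data),
        "hash_denylisted": hash_denylisted(data),
        "signatures": signature_hits(data),
    }
    if result["hash_denylisted"] or result["signatures"]:
        result["verdict"] = "malicious"
    elif result["integrity"] == "modified":
        result["verdict"] = "tampered"
    else:
        result["verdict"] = "clean"
    return result


if __name__ == "__main__":
    cases = [
        ("intact OS file", "C:/Windows/System32/goodsvc.exe", KNOWN_GOOD_SVC),
        ("replaced OS file", "C:/Windows/System32/goodsvc.exe", TAMPERED_SVC),
        ("known-bad download", "C:/Users/me/Downloads/game.exe", BAD_SAMPLE),
        ("one-byte variant", "C:/Users/me/Downloads/game.exe", BAD_SAMPLE_MODIFIED),
    ]
    for label, path, data in cases:
        print(f"{label:20s} {scan(path, data)}")
```

The "one-byte variant" case is the interesting row: `hash_denylisted` is False because the blacklist only knows the original sample's hash, yet `signature_hits` still reports the family, which is why signature files carry more than a list of hashes. The "replaced OS file" row shows the other side of the argument: neither the blacklist nor the signatures know anything about it, and only the baseline comparison flags it.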
