Files confirmed malicious by VT are 'Scanned Online and Found Safe' [312]

The bug/issue

  1. What you did:
    I’ve been collecting malware on my computer and I checked my trusted files and found that some of them were in there. I then checked the logs and found they were scanned online and found safe. I’ve been both copying and pasting them and scanning them with heuristics on low.

  2. What actually happened or you actually saw:
    I checked the files on virustotal and some of them appear to definitely be malicious.

  3. What you expected to happen or see:
    I expected that the malicious files would not be found safe.

  4. How you tried to fix it & what happened:
    This isn’t something I can fix.

  5. If its an application compatibility problem have you tried the application fixes?:

  6. Details (exact version) of any application involved with download link:
    Virustotal links to the samples that appear to definitely be malicious.

If you like I can also post links to CIMA reports.

  1. Whether you can make the problem happen again, and if so exact steps to make it happen:
    This has happened over a period of time. I just hadn’t noticed until now. I checked and found that it happens when scanning the samples with cloud scanning enabled. It doesn’t happen when cutting and pasting, copying and pasting, or scanning with another program.
  2. Any other information (eg your guess regarding the cause, with reasons):

Files appended. (Please zip unless screenshots).
I have attached a hijack this log so you can see the programs running.

  1. Screenshots illustrating the bug:
    See links above.
  2. Screenshots of related event logs and the active processes list:
    I’ve attached a screenshot of part of my Defense+ log.
  3. A CIS config report or file.
  4. Crash or freeze dump file:

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS Premium 5.0.162636.1135
    AV Database version is 6796
    I have it configured as described here. The real-time scanner is disabled and for the manual scanning every box is checked and the heuristics level is set to low. Enable cloud scanning is checked.
  2. a) Have you updated (without uninstall) from CIS 3 or 4, if so b) have you tried reinstalling?:
  3. a) Have you imported a config from a previous version of CIS, if so b) have U tried a preset config?:
  4. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here. )
    Described in my article.
  5. Defense+ and Sandbox OR Firewall security level:
    In general it is set to proactive security. Defense+ and Firewall are in Safe mode. Antivirus is disabled. Sandbox is enabled.
  6. OS version, service pack, no of bits, UAC setting, & account type:
    Windows 7 x64 fully updated. UAC is disabled. Account is admin.
  7. Other security and utility software running:
    No other real-time scanners besides CIS. See log file for any other processes.
  8. Virtual machine used (Please do NOT use Virtual box):
    Not a virtual machine

Edit: For some reason my screenshot won't upload correctly. I hope it's readable.

[attachment deleted by admin]

Thanks Chiron

An excellent bug report.

Just one suggestion. Could you post a link to the topic describing major changes to config?

Think I know which one you mean but the devs may not.

Forwarding now


I did, but here it is again.

Let me know if there’s any more information needed. This is one bug I’d really like to see squashed.

OK sorry, and thanks

Like your article on how to work out if something should be trusted BTW. OK if I reference it from time to time in FAQs etc?


Sure, I’ve got an updated version I’ll be putting up within the next few weeks as well. Also let me know if you have any advice for how it can be improved.


Just to confirm added to Bugzilla with cc to development team and marked critical severity.



Hi Chiron!
Can you provide these “safe” samples please?


Interestingly enough I just scanned my entire collection and this time no malware was added to the trusted files list. Perhaps there was a change in how the cloud works? ???

I’ll let you know if the problem re-emerges.

The problem’s back. This time I have more samples.