Heuristic.BehavesLike.Win32.Virus.J

hi I just went to virustotal and one of the results, only one, said Heuristic.BehavesLike.Win32.Virus.J (McAfee) I think. Is this a false positive? What is the general rule in determining whether a file is a false positive or not?

What (type of) application did you upload? VT will by default give you the results of the first time it was submitted. When was it submitted? What is the result when you let VT rescan it?

It may be a false positive, but first I need to know the results of the above.

Is there any way I can learn to determine if the file is a virus by myself? Could you tell me? (So in the future I won't have to submit Virus Total results.)

> Is there any way I can learn to determine if the file is a virus by myself?

Besides learning to code and similar things, the best I can come up with for you is this (see below).

While no method is 100% guaranteed (just like most things in life):

If you'd like to see the file in action and what it's doing, and personally see what is getting flagged and such, you can do the following:

Upload the (.exe) file at http://camas.comodo.com/cgi-bin/submit <----- It has to be a .exe file.
You can check the results yourself without having to submit it to virustotal.

Go here to see what an example looks like:
http://camas.comodo.com/cgi-bin/submit?file=0f1926c18eb6f9360bb6e817ed31e9a9399932495b396b31846642b0871c9210

Look for the line called "Auto Analysis Verdict".
It'll say Suspicious or Undetected.

Suspicious means suspicious (if you see any red or pink lines in the results, it would be safe to assume it's infected).

Undetected means that it was a Missed Sample, or it's presuming that CIS didn't detect it since you're submitting the file.

If there is a part you don't understand when doing this, feel free to ask, or you can read more about it here:
https://forums.comodo.com/comodo-instant-malware-analysis-online-cima-b156.0/

> Is this a false positive? What is the general rule in determining whether a file is a false positive or not?

That's kind of the sad thing about it: there is no general rule. It's pretty complex. I could write a small book on it and would still be missing stuff to add. If there was a general rule, there would be a hell of a lot fewer people's computers being infected.

I got the verdict of "Undetected" with a pink line. What does this mean?

What did the highlighted part say?
Or even better, what's the link for it, or can you post a pic of the results? That way it can be explained to you and you'll know for future reference. (Think of it as learning how to read the results.)

I just got a PM from Johnzbzb in which he sends me this URL to the Virus Total analysis page of the file: https://www.virustotal.com/analisis/23e5495d0931fe70e0f5595e0c88a2f9029fcd1e42ae75a8aa0d940006a045f2-1262297659

Only McAfee-GW-Edition flags it as "Heuristic.BehavesLike.Win32.Virus.J".

Since only one scanner thinks it is suspicious and it is not even confirmed malware, as a rule of thumb one could assume this is a f/p.

Here’s the link:
http://camas.comodo.com/cgi-bin/submit?file=23e5495d0931fe70e0f5595e0c88a2f9029fcd1e42ae75a8aa0d940006a045f2

Although you said that if it has red or pink lines it's infected, it turned out not to be infected.

So how did you determine that it wasn't confirmed malware?
What rule of thumb should I use when using Virus Total to determine if a file is a false positive?

Thanks for patiently answering my questions.

> http://camas.comodo.com/cgi-bin/submit?file=23e5495d0931fe70e0f5595e0c88a2f9029fcd1e42ae75a8aa0d940006a045f2
> Although you said that if it has red or pink lines it's infected, it turned out not to be infected.

Auto Analysis Verdict: Undetected <— I meant any other place but that.

Better example:
http://camas.comodo.com/cgi-bin/submit?file=d90d226c9931b0e9ac0c9a10cb9c336247aeed8a9ce30b0475e651d0b6bc3030

If you see some of these being created with pink lines going across (not the results), it is likely to be infected or at least suspicious:
• Keys Created
• Keys Changed
• Keys Deleted
• Values Created
• Values Changed
• Values Deleted
• Directories Created
• Directories Changed
• Directories Deleted
• Files Created
• Files Changed
• Files Deleted
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
• Processes Terminated
• Threads Created
• Modules Loaded
• Windows Api Calls
• DNS Queries
• HTTP Queries

You can also report it as a false positive to the AV that detects it. I believe that McAfee will send you an email back with the analysis.
Links to Report Malware to All Major AV’s
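The rule of thumb given earlier (one lone heuristic hit is probably a false positive) and the sandbox categories listed above can be turned into a repeatable triage check. This is an added example and not part of the thread, Virus Total or CIMA; the detection-name pattern, the split of categories into high- and medium-risk, and the scan inputs are all constructed for illustration.

```python
"""Triage a VT-style scan plus a CIMA-style sandbox summary (constructed example)."""
import re

# Detection names that describe behaviour rather than a known family (assumed pattern).
HEURISTIC_NAME = re.compile(r"heuristic|behaveslike|generic|suspicious", re.I)

# Sandbox categories from the thread, split by how strongly a non-empty entry
# suggests stealth or persistence. The split is this example's own, not CIMA's.
HIGH_RISK = {"Drivers Loaded", "Files Hidden", "Directories Hidden",
             "Processes Terminated"}
MEDIUM_RISK = {"Keys Created", "Values Created", "Files Created",
               "Processes Created", "DNS Queries", "HTTP Queries"}


def triage(detections, sandbox, scan_age_days):
    """detections: {engine: name or None}; sandbox: {category: entry count}."""
    reasons = []
    hits = {e: n for e, n in detections.items() if n}
    if scan_age_days > 30:
        # VT shows the first submission's results; an old hit count may be stale.
        reasons.append("scan is older than 30 days: rescan before trusting it")
    high = sorted(c for c in HIGH_RISK if sandbox.get(c, 0))
    medium = sorted(c for c in MEDIUM_RISK if sandbox.get(c, 0))
    if high:
        reasons.append("high-risk sandbox activity: " + ", ".join(high))
        return "suspicious", reasons
    if not hits:
        reasons.append("no engine flagged it and no risky sandbox activity")
        return "undetected", reasons
    heuristic_only = all(HEURISTIC_NAME.search(n) for n in hits.values())
    if len(hits) == 1 and heuristic_only and not medium:
        reasons.append("single heuristic hit and a quiet sandbox run")
        return "likely false positive", reasons
    if len(hits) >= 3 and not heuristic_only:
        reasons.append(f"{len(hits)} engines agree and at least one names a family")
        return "likely malicious", reasons
    reasons.append("mixed signals: report to the vendor for analysis")
    return "inconclusive", reasons


# Constructed input mirroring the thread: one heuristic hit, quiet sandbox.
THREAD_SCAN = {"McAfee-GW-Edition": "Heuristic.BehavesLike.Win32.Virus.J",
               "Kaspersky": None, "Symantec": None, "Microsoft": None}
THREAD_SANDBOX = {"Modules Loaded": 9, "Windows Api Calls": 140}


def thread_verdict():
    """Verdict for the thread's sample, scanned two days ago (constructed)."""
    return triage(THREAD_SCAN, THREAD_SANDBOX, 2)[0]
```

The verdict is a prompt for what to do next (rescan, report to the vendor, keep looking), not a proof of safety; as the thread says, a quiet sandbox run only lowers the odds.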

So if I don't get pink or red lines, does that mean the file is safe to use? (Even if Virus Total results differ.)

No, CIMA is only one tool of many. If it doesn't detect suspicious activity, this merely makes it less likely that the file is malicious.

Nothing is EVER 100% guaranteed or even close to it.

> No, CIMA is only one tool of many. If it doesn't detect suspicious activity, this merely makes it less likely that the file is malicious.

I totally agree. It can reduce the suspiciousness by quite a bit.