On what basis Valkyrie gives “Clean” verdict?
Above is Nitro PDF ■■■■■. As per VT it's not malicious.
Valkyrie gives verdict clean.
I understand the verdict “No Threat Found”, this is better verdict, but “Clean” verdict for a “■■■■■”?
Verdict is corrected in Valkyrie.
Thank you for reporting.
Please tell us on what basis a file is determined as clean by Valkyrie?
There are different criteria. These can be many different things such as certificate checks, trusted publisher, safe signatures or previously analyzed results.
If there are certificates & trusted publisher checks how can a ■■■■■ get clean verdict?
This sample didn’t get clean verdict because of certificate or trusted publisher, but by other checks. You could see certificate info if that would be the case.
I meant a ■■■■■ will certainly not have valid certificates & trusted publisher, right? Instead certificates in ■■■■■ will be invalid…isn’t this a better check or preferential check or a check above all the analyze/scans, etc…?
I didn’t get the point. If the certificate is invalid, and we understand that the file is ■■■■■, which verdict, do you think, should be given?
If the certificate is invalid & you understand the file is ■■■■■ & scanners didn’t find anything malicious, the correct verdict in my opinion should be “No Threat Detected” instead of “Clean”.
You mentioned the verdict is corrected now.
But my query was if certificates & trusted publisher check is done how can a ■■■■■ get clean verdict? Coz these are critical checks & a ■■■■■ will fail these checks so shouldn’t Valkyrie give importance/preference to these checks & don’t give such files a clean verdict?
It will be “clean” from any virus infection. But malicious behavior is something else (that is why we have HIPS, sandbox, and a behavior blocker).
Do I see a discussion lurking at the horizon whether PUAs and PUPs should be detected or not similar to the various discussions we had with antivirus programs?
No. I think PUP/PUA should be detected, I belong to the group of users who think PUP/PUA should be detected.
Now I noticed in my Valkyrie dashboard the ■■■■■ in question is detected as “PUP” now. Previously the verdict was “Clean” (Not detected).
My original query was -
Valkyrie gives verdict as “Clean”, “Malware” & “No Threat Detected”.
I just meant that “Clean” & “No Threat Found” gives kinda same impression but “Clean” sounds better compared to “No Threat Found”, “Clean” is kinda with the effect of “safe”, And “No Threat Found” carries the effect “malicious code not found”.
So my point was for files like “Cracks”, etc… if detected I am fine with PUP/PUA verdict, but if not detected IMO “No Threat Found” is better verdict compared to “Clean” for files like “Cracks”, etc…
You’re right, and the overall verdicting logic is as you described. For that file, we had a PUP sample which was detected as clean initially but then this wrong verdict is fixed.
Yes you mean; you just started that discussion…
How does the verdict process work? Who or what decides the final verdict? Valkyrie or a human analyst? Or will Valkyrie make a judgment without the human analyst’s judgment? What happens when the human analysts judgment is there? What procedures are being followed?
This is Internet Download Manager ■■■■■.
Valkyrie gives verdict “Clean”.
This was my query previously too.
I meant ■■■■■ & likewise software if found nothing malicious should get verdict “No Threat Detected” instead of Clean. And if found malicious should get verdict accordingly.
Why it shouldn’t get Clean verdict?
First of all tell me what Valkyrie means verdict “Clean” & “No Threat Detected”? These 2 verdict seems same.
Clean means that the file is analyzed and found safe to be run. No Threat Detected means the file analyzed and no malicious activity could be identified, based on the analysis performed. It is not necessarily safe.
When a human expert analysis is performed, we identify either as safe, malware or potentially unwanted application.
“Clean” means found safe to be run, And “No Threat Detected” means not necessarily safe.
IMO for “Cracks” & likes - not necessarily safe is better verdict than safe to be run.
“Clean” reflects good so legal/good software should get verdict “Clean”.
“Cracks” & likes may be clean i.e. not malicious but are illegal/grey so “No Threat Detected” is better verdict than “Clean” IMO.
@yessnooo
Semantics.
Let it go!