What Do You Consider A Bad Reputation

egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□

Using sites like VirusTotal, IPvoid, Cisco Talos, etc, what would you all consider a "bad reputation".  For instance if you keyed in a hypothetical IP address (8.9.10.12) and the results came back that it's reputation score was 3/100, however a second and a third IP check revealed 15/100 and 30/100 scores consecutively.  What is your threshold and which would you consider a bad reputation. 

** 3/100 would mean that out of 100 sites checked, 3 reported the IP as malicious **
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • JDMurrayJDMurray Admin Posts: 13,101 Admin
    edited April 2021
    I do think checking a sample across multiple A/V analysis services, both commercial and OSINT, is necessary. I never know what kind of deal each A/V vendor has with a specific service aggregator (like VirusTotal) that might effect the detection results as compared to the for-pay commercial product.
    Many A/V services do not give specific details of why the sample detected as suspicious/malicious. With VirusTotal, I form my own qualitative opinion of reputation based on which analysis services score a "hit." A sample hitting on higher-reputation services (Symantec, FireEye, Crowdstrike, Sopohos, Malwarebytes, etc.) will raise my eyebrow more quickly than a sample that only hits on fringe services (DrWeb?).
    Sandbox Malware analysis services (like any.run, FireEye, ThreatStream) will produce a very specific report detailing why a sample is considered to be suspicious/malicious, but requires some technical chops to understand. You will need to form a qualitative reputation opinion of which of these sandboxes you trust to be the most accurate.
Sign In or Register to comment.