What Do You Consider A Bad Reputation
egrizzly
Member, Posts: 533
Using sites like VirusTotal, IPVoid, Cisco Talos, etc., what would you all consider a "bad reputation"? For instance, if you keyed in a hypothetical IP address (8.9.10.12) and the results came back that its reputation score was 3/100, while a second and a third IP check revealed scores of 15/100 and 30/100 respectively. What is your threshold, and which would you consider a bad reputation?
** 3/100 would mean that out of 100 sites checked, 3 reported the IP as malicious **
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
Comments
JDMurray
Admin, Posts: 13,090

I do think checking a sample across multiple A/V analysis services, both commercial and OSINT, is necessary. I never know what kind of deal each A/V vendor has with a specific service aggregator (like VirusTotal) that might affect the detection results as compared to the for-pay commercial product.

Many A/V services do not give specific details of why the sample detected as suspicious/malicious. With VirusTotal, I form my own qualitative opinion of reputation based on which analysis services score a "hit." A sample hitting on higher-reputation services (Symantec, FireEye, CrowdStrike, Sophos, Malwarebytes, etc.) will raise my eyebrow more quickly than a sample that only hits on fringe services (DrWeb?).

Sandbox malware analysis services (like any.run, FireEye, ThreatStream) will produce a very specific report detailing why a sample is considered to be suspicious/malicious, but it requires some technical chops to understand. You will need to form a qualitative reputation opinion of which of these sandboxes you trust to be the most accurate.
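An added example, written for this page rather than posted by either participant and not code from VirusTotal or any other lookup service, that turns the two ideas in this thread into a repeatable scoring rule: the original question's raw detection ratio ("3/100" meaning 3 of 100 engines flagged the indicator) with an explicit threshold, and JDMurray's point that a hit on a well-regarded engine should count for more than a hit on a fringe one. The engine tiers, the weights, the ratio thresholds, the placeholder engine names (FringeAV1/2, EngineNN, VendorNN) and the `{engine: category}` input shape are all assumptions chosen for the example; the high-tier engine names are the ones JDMurray lists.

```python
"""Added example (not from the thread): scoring a multi-engine lookup.

Two ideas from the posts above: the raw detection ratio ("3/100" = 3 of
100 engines flagged the indicator) with an explicit threshold, and the
point that a hit on a well-regarded engine should count for more than a hit
on a fringe engine. Tiers, weights and thresholds are assumptions for the
example, not values published by VirusTotal or by either poster.
"""

# Assumed tiering. The named engines come from JDMurray's post; FringeAV1/2
# are hypothetical placeholders. Anything not listed falls into "mid".
ENGINE_TIERS = {
    "Symantec": "high",
    "FireEye": "high",
    "CrowdStrike": "high",
    "Sophos": "high",
    "Malwarebytes": "high",
    "DrWeb": "fringe",
    "FringeAV1": "fringe",
    "FringeAV2": "fringe",
}
DEFAULT_TIER = "mid"
TIER_WEIGHTS = {"high": 3.0, "mid": 1.0, "fringe": 0.25}  # assumed weights

# Categories that count as a vote. Anything else ("timeout",
# "type-unsupported", ...) means the engine rendered no verdict and is left
# out of the denominator, so a lookup where many engines timed out is not
# mistaken for a clean one.
VOTING = {"malicious", "suspicious", "harmless", "undetected"}

# Assumed thresholds on the raw ratio (malicious votes / voting engines).
RATIO_BAD = 0.25
RATIO_SUSPICIOUS = 0.10


def tier_of(engine):
    return ENGINE_TIERS.get(engine, DEFAULT_TIER)


def summarize(results):
    """Summarize one lookup. `results` maps engine name -> category string
    (the shape of a per-engine result table such as an aggregator returns)."""
    voters = {e: c for e, c in results.items() if c in VOTING}
    hits = [e for e, c in voters.items() if c == "malicious"]
    suspicious = [e for e, c in voters.items() if c == "suspicious"]
    total_weight = sum(TIER_WEIGHTS[tier_of(e)] for e in voters)
    # A "suspicious" vote is counted at half a malicious one.
    hit_weight = sum(TIER_WEIGHTS[tier_of(e)] for e in hits)
    hit_weight += 0.5 * sum(TIER_WEIGHTS[tier_of(e)] for e in suspicious)
    return {
        "voters": len(voters),
        "hits": len(hits),
        "raw_ratio": len(hits) / len(voters) if voters else 0.0,
        "weighted_ratio": hit_weight / total_weight if total_weight else 0.0,
        "high_tier_hits": sorted(e for e in hits if tier_of(e) == "high"),
    }


def verdict(results):
    """Assumed decision rule: a high ratio or two independent high-tier hits
    is "bad"; a moderate ratio or a single high-tier hit is worth a closer
    look; otherwise the lookup carries little signal on its own."""
    s = summarize(results)
    if s["raw_ratio"] >= RATIO_BAD or len(s["high_tier_hits"]) >= 2:
        return "bad"
    if s["raw_ratio"] >= RATIO_SUSPICIOUS or s["high_tier_hits"]:
        return "suspicious"
    return "low-signal"


def build_sample(flagging, total=100):
    """Construct a lookup with exactly `total` voting engines: the engines in
    `flagging` report "malicious", filler engines report "undetected"."""
    filler = total - len(flagging)
    results = {f"Engine{i:02d}": "undetected" for i in range(filler)}
    for engine in flagging:
        results[engine] = "malicious"
    return results


if __name__ == "__main__":
    # The three lookups from the original question, plus the tier contrast.
    scenarios = {
        "3/100, fringe engines only": build_sample(["DrWeb", "FringeAV1", "FringeAV2"]),
        "3/100, high-tier engines": build_sample(["Symantec", "CrowdStrike", "Sophos"]),
        "15/100, mid-tier engines": build_sample([f"Vendor{i:02d}" for i in range(15)]),
        "30/100, mid-tier engines": build_sample([f"Vendor{i:02d}" for i in range(30)]),
    }
    for label, results in scenarios.items():
        s = summarize(results)
        print(f"{label:28} raw={s['raw_ratio']:.2f} "
              f"weighted={s['weighted_ratio']:.3f} -> {verdict(results)}")
```

The point of the two "3/100" scenarios is that the same raw ratio lands in different buckets depending on who flagged it: three fringe engines give "low-signal", three of the named high-tier engines give "bad". Engines that timed out or did not support the type are dropped from the denominator rather than counted as clean votes, which is the one thing worth checking before trusting any "x/100" figure from an aggregator.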