How dangerous can a file be with no detected malware?

It is entirely possible for a file that is not detected by any scanner to still be malware. In fact, I would expect that most new malware starts out that way! Keep in mind that the bad guys have access to antivirus software too. And they will absolutely take advantage of that by making adjustments to their malware until no antivirus software detects it. (Granted, they wouldn't be able to test with VirusTotal or any online scanner that would send their file to antivirus companies for analysis, but they can still go a long way testing with offline scanners.)

After the malware is released to the world and gains meaningful distribution, antivirus companies will eventually notice it and add it to their databases. But if you're unlucky enough to be among the first few people to encounter a new piece of malware, it's quite possible that no antivirus software will detect the file as malware when you first encounter it.

It gets worse. Sophisticated attackers (e.g. nation-states) often distribute malware to a very small group of select targets. By intentionally limiting distribution, it can take years or more before any antivirus company catches on. Most people will never be the target of sophisticated attacks like this, but if you happen to be one, antivirus software will be very ineffective.

In conclusion: If many antivirus programs flag a file as malware, it's a good sign that it's malware. If no scanner flags a file as malware, you cannot conclude anything.


There is a lot of information out there on how to write or transport malware in order to bypass antivirus and other security products. And since attackers and vendors of security products continuously improve their products, there will always be some malware which passes AV, i.e. there will be no AV which is able to protect against every known and unknown malware without also having an unacceptably high false positive rate (i.e. blocking everything definitely blocks all unknown malware too but is not really useful).

The risks of letting such malware through are no different from letting the detected malware through. You just need to be prepared that your network or machine will be compromised at some time and should be able to detect successful attacks early and quickly recover from these.

In general the risk depends a lot on the context where this file was received and what kind of file this is. If it was an expected file sent by a trusted person, the risk is comparably low, though it might still be that the sender's system might be compromised and embeds malware into files. If it is a file downloaded from some uncommon or even illegal site on the internet, the risk is much higher since such sources are regularly used to spread malware. If this is a pure text file (plain text, no Office document) or image, the risk is low since it would require some bug in the local application or OS to execute some embedded malware. If it is instead an executable file, Office document, screensaver or similar, the risk is much higher again, etc.
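
The file-kind and source reasoning in the answer above, sketched as an added example (not part of either answer or of any product they mention): the file is classified by its leading bytes rather than its name, so a screensaver or a renamed executable is recognised as a program. The function names, the three risk labels and the sample data are assumptions constructed for this illustration.

```python
import os

# Leading-byte signatures for the file kinds the answer lists.
MAGIC = [
    (b"MZ", "pe-executable"),          # .exe, .dll and .scr screensavers
    (b"\x7fELF", "elf-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-office"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip-container"),  # .docx/.xlsm and any other ZIP
    (b"\x89PNG\r\n\x1a\n", "image"),
    (b"\xff\xd8\xff", "image"),        # JPEG
]
# Kinds that run code or macros by design; unknown content is treated the same (assumption).
ACTIVE = {"pe-executable", "elf-executable", "ole2-office", "zip-container", "unknown"}
PASSIVE_EXT = {".txt", ".png", ".jpg", ".jpeg"}

def sniff_kind(data: bytes) -> str:
    """Classify content by its first bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    plain = all(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return "plain-text" if plain else "unknown"

def triage(filename: str, data: bytes, trusted_sender: bool) -> dict:
    """Combine file kind and source into a coarse exposure label (not a verdict)."""
    kind = sniff_kind(data)
    ext = os.path.splitext(filename)[1].lower()
    active = kind in ACTIVE
    score = int(active) + int(not trusted_sender)
    return {
        "kind": kind,
        "risk": ("lower", "elevated", "highest")[score],
        "disguised": active and ext in PASSIVE_EXT,  # name claims text or image
    }

# Constructed samples: (name, first bytes, expected file from a trusted sender?)
SAMPLES = [
    ("notes.txt", b"meeting at 10\n", True),
    ("clock.scr", b"MZ\x90\x00" + b"\x00" * 60, True),
    ("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60, False),
]

if __name__ == "__main__":
    for name, data, trusted in SAMPLES:
        print(name, triage(name, data, trusted))
```

A "lower" label only reflects the kind of file and where it came from; as both answers stress, it says nothing about whether the file is clean.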