Bitcoin Forum
November 19, 2024, 05:28:46 PM *
Author Topic: Check links with Virustotal. False positive results, how much they are?  (Read 212 times)
OcTradism (OP)
December 17, 2019, 12:26:04 PM
Merited by DdmrDdmr (2)
 #1

That link is taken from Re: Overview of Bitcointalk Signature-Ad Campaigns [Last update: 09-Dec-2019]
The link is: https://paste.ee/p/odEQa
I see some posters discussed false positives with Virustotal, and I do not really understand the operations and checking algorithms of Virustotal.

There are often false positive / negative results, I know, but what about the level of false results with Virustotal if I use it to check threats in links?

Thekool1s
December 17, 2019, 01:08:10 PM
Last edit: December 17, 2019, 05:12:50 PM by Thekool1s
Merited by hugeblack (1), DdmrDdmr (1), th3nolo (1)
 #2

Quote from: OcTradism
I do not really understand the operations and checking algorithms of Virustotal.

Well, their website clearly explains it on their How it works [1] page.

Quote from: Virustotal
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content.

They basically scan the URL/file with the antivirus providers they are partnered with. A false positive in the case of the URL you linked could be that one of their providers detected a malicious file/code linked on the paste.ee domain and blacklisted the whole domain as malicious instead of blacklisting the specific URL, which resulted in this false positive. They even mention this on one of their pages [2].

Quote from: VirusTotal
False positive detections are common in the antivirus industry. They occur when a benign program is wrongfully flagged as malicious due to an overly broad detection signature or algorithm used in an antivirus product.

As for the rate of "false positive" results from VirusTotal, I couldn't find the error rate on their website or from doing some googling. So the rate at which these occur is a hard figure to guess.


Sources:
[1] https://support.virustotal.com/hc/en-us/articles/115002126889-How-it-works
[2] https://www.virustotal.com/gui/monitor-overview
rosezionjohn
December 17, 2019, 01:16:48 PM
 #3

Quote from: OcTradism
There are often false positive / negative results, I know, but what about the level of false results with Virustotal if I use it to check threats in links?

The best way is to try to get more opinions from people who regularly use the service, I guess. In the case of Paste.ee, many would probably vouch that it is safe, like Darkstar_ and alani123.

I also read in this article (How To Tell If a Virus Is Actually a False Positive) that if there are only a few AV programs that say it's malicious, then it's probably a false positive.


When using VirusTotal, it is also worth checking their disclaimer: 
WE DO NOT WARRANT OR GUARANTEE THAT THE SERVICES ARE ACCURATE, RELIABLE OR CORRECT; THAT THE SERVICES WILL MEET YOUR REQUIREMENTS; THAT THE SERVICES WILL BE AVAILABLE AT ANY PARTICULAR TIME OR LOCATION, UNINTERRUPTED, ERROR-FREE, WITHOUT DEFECT OR SECURE; THAT ANY DEFECTS OR ERRORS WILL BE CORRECTED; OR THAT THE SERVICES ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.
PrimeNumber7
December 17, 2019, 04:13:50 PM
 #4

It appears that every link at the domain paste.ee is flagged as malware, see https://www.virustotal.com/gui/url/fbdb6fc14448ac7325ca602cf60270cfde7554e320bddd425c9e877e78aac292/detection

I am unsure if this is because there is a malicious cookie or something else on the website, or if it is because enough malware was uploaded to that domain that the domain was blacklisted.
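
An added example, not part of any post in this thread: a triage sketch for the situation discussed in posts #2 to #4, separating engines that flag a whole host from engines that flag one page. The per-engine `category` field is modelled on VirusTotal's URL report; the engine names, URLs and the `FEW` threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

FLAGGING = {"malicious", "suspicious"}  # categories counted as a detection
FEW = 3  # assumption: at most this many page-specific engines counts as "only a few"

def flagged(results):
    """Names of engines whose verdict category counts as a detection."""
    return {name for name, r in results.items() if r.get("category") in FLAGGING}

def triage(url, results, control_url, control_results, few=FEW):
    """Compare a scan of `url` with a scan of an unrelated page on the same host."""
    if urlsplit(url).hostname != urlsplit(control_url).hostname:
        raise ValueError("control URL must be on the same host as the target")
    target, control = flagged(results), flagged(control_results)
    domain_wide = sorted(target & control)   # flag the host whatever the page
    url_specific = sorted(target - control)  # flag this page only
    if not target:
        verdict = "no-detections"            # absence of flags is not proof of safety
    elif not url_specific:
        verdict = "domain-listing-only"      # says nothing about this page's content
    elif len(url_specific) <= few:
        verdict = "few-page-detections"      # possible false positive, review by hand
    else:
        verdict = "page-detections"          # several engines beyond the host listing
    return {"verdict": verdict, "ratio": f"{len(target)}/{len(results)}",
            "domain_wide": domain_wide, "url_specific": url_specific}

def sample_scan(hits, engines=10):
    """Constructed per-engine results; engine names E01..E10 are placeholders."""
    return {f"E{i:02d}": {"category": "malicious" if i in hits else "harmless",
                          "result": "malware site" if i in hits else "clean"}
            for i in range(1, engines + 1)}

# Constructed control: an unrelated page on the same (placeholder) paste host.
CONTROL = ("https://paste.example/p/control", sample_scan({1, 2}))

def demo():
    """Run both constructed cases and return their triage results."""
    listed = triage("https://paste.example/p/aaaa", sample_scan({1, 2}), *CONTROL)
    suspect = triage("https://paste.example/p/bbbb",
                     sample_scan({1, 2, 3, 4, 5, 6}), *CONTROL)
    return listed, suspect

if __name__ == "__main__":
    for report in demo():
        print(report)
```

The control scan is what distinguishes the two readings of the same detection ratio: identical flags on an unrelated page of the host point to a host-level listing rather than to the content of the page being checked.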
LeGaulois
December 17, 2019, 07:19:12 PM
 #5

Regarding Paste.ee.

It's because hackers make use of websites such as Pastebin and co. for detection evasion, so your antivirus may not be able to detect it. You can hide several pieces of code by using this method and infect a machine without your AV noticing it. The shortcut for AV companies is to blacklist the whole domain. I believe ad blockers do the same too.
But it doesn't mean that all the links generated contain a virus or something harmful.

OcTradism (OP)
December 18, 2019, 01:40:33 AM
 #6

From your answers, the best solution is not clicking on links given by others. Hover the mouse over the link to see the displayed link (if it is not a shortened URL) and let curiosity stop at that.

Virustotal is a secondary protection layer for us, like other antivirus software. The primary protection layer for us is our carefulness.

masulum
December 18, 2019, 02:21:14 AM
Merited by hd49728 (1)
 #7

Quote from: OcTradism
From your answers, the best solution is not clicking on links given by others. Hover the mouse over the link to see the displayed link (if it is not a shortened URL) and let curiosity stop at that.

<snip>

You can check the original URL behind a short URL too; mostly you just need to add a plus (+) at the end of the URL. For example, if you find a short URL like https://s.id/96KAO, to view the original URL just edit it to https://s.id/96KAO+ in the address bar.
