Can you trust your antivirus to catch every malicious file? No single engine does. So how about an option that scans a file with dozens of anti-malware engines in one go?
In this post, we will discuss what VirusTotal is and how to use VirusTotal, the No.1 online malware scanning tool for security analysts.
What is VirusTotal
VirusTotal is a free online service that allows users to analyze files and URLs for the presence of malware, viruses, worms, trojans, and other malicious content. It uses multiple antivirus engines and website scanners to perform the analysis, providing a comprehensive report on the potential security threats associated with a specific file or website.
VirusTotal was created in 2004 by Spanish company Hispasec Sistemas and was later acquired by Google in 2012. The service is widely used by security professionals, researchers, and everyday users to identify and avoid security risks. Users can upload a file or submit a URL to VirusTotal’s website, where it will be scanned and analyzed by multiple antivirus engines. The resulting report will provide details on the findings and an overall verdict on whether the file or URL is safe or malicious.
How to Use VirusTotal? Online Malware Scanning Tool for Security Analysts (SOC Analyst)
VirusTotal is a go-to tool for security researchers, SOC analysts, incident responders and anyone else who triages suspicious files. We will walk through how to use VirusTotal and explore the features it offers.
How to use VirusTotal?
- Access the VirusTotal website: Open your web browser and navigate to the VirusTotal website at https://www.virustotal.com/.
- Choose your method of scanning:
  a. File scanning: To scan a file, click on the “Choose file” button or the “File” tab on the homepage. This will open a file explorer window. Locate and select the file you want to analyze, then click “Open” to upload the file to VirusTotal. The maximum file size allowed is 650 MB.
  b. URL scanning: To scan a URL, click on the “URL” tab on the homepage. Enter the URL you want to analyze in the input field, and then click the “Scan it!” button.
- Wait for the analysis: VirusTotal will now analyze the uploaded file or URL using multiple antivirus engines and website scanners. Depending on the size of the file and the number of engines involved, this takes anywhere from a few seconds to several minutes. If the same file (by hash) or URL has been analyzed before, VirusTotal shows the existing report immediately; use “Reanalyze” if you want a fresh scan.
- Review the results: Once the analysis is complete, you’ll see a detailed report with the results from each antivirus engine and scanning tool. The report shows whether the file or URL has been flagged as malicious by any of the participating engines. If a significant number of engines detect a threat, the file or URL is very likely malicious; a single generic or heuristic detection may be a false positive, and zero detections does not prove the file is clean.
- Make informed decisions: Based on the results, you can decide whether to proceed with caution, avoid the file or URL, or seek additional information from other sources.
Things Can Be Done With VirusTotal:
VirusTotal offers several features and capabilities to enhance your online security and malware analysis. Here are some things you can do with VirusTotal:
- File scanning: Upload and scan files for potential threats using multiple antivirus engines. This helps identify malicious content before it can harm your device or compromise your data.
- URL scanning: Analyze URLs and websites for potentially malicious content, such as phishing sites or sites hosting malware. This helps you avoid visiting unsafe websites and falling victim to online scams.
- IP address and domain analysis: Check the reputation of an IP address or domain by examining its historical data, detected malicious content, and other information. This can help identify potentially harmful web resources and servers.
- Search and filter: Search for specific files, URLs, domains, or IP addresses within VirusTotal’s vast database. You can filter the results based on various criteria, such as detection rate, file type, or date of submission.
- API access: Integrate VirusTotal’s services into your own applications, scripts, or tools using the VirusTotal API. This allows you to automate scans and analysis, retrieve detailed information, and make use of the platform’s functionality within your own projects.
- Community engagement: Sign up for a free account to participate in the VirusTotal community. You can contribute comments, vote on detections, and share your insights with other users to help improve the platform’s knowledge base and threat detection capabilities.
- VirusTotal Intelligence: A premium feature available to researchers and security professionals, VirusTotal Intelligence provides advanced search capabilities, access to malware samples, and additional tools for in-depth analysis.
- VirusTotal Monitor: A service for software developers that allows them to upload and monitor their files to ensure they are not incorrectly flagged as malicious by antivirus engines. This helps reduce false positives and improve the reputation of legitimate software.
Remember that VirusTotal should be used as a supplementary security measure and not as a replacement for dedicated antivirus software.
Exploring VirusTotal and Its Features:
As a demo, let’s look up a malicious IOC belonging to the Batloader trojan and analyze the results. We can look up hashes in any commonly used hashing algorithm, such as MD5, SHA-1 or SHA-256.
Hash used: 61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc
Exploring the Dashboard
When we look up the above hash, the dashboard shows the following elements (the screenshot is not reproduced here). Let’s go through what each of them means:
- The detection rate shows a 34/60 score, which means that of the 60 anti-malware engines that scanned the file, 34 tagged it as malicious.
- The second box restates that 34 security vendors have flagged the file as malicious.
- The third box shows the last time the file was analyzed. In this case, the last scan happened a month ago.
- A row of icons summarises the file’s tags (file type and notable properties).
- This same information can be retrieved automatically using the API.
- A button lets us request a new scan (reanalyze).
- A graphical representation of the malicious activity associated with the file.
- VirusTotal’s popular threat label flags the hash as Batloader malware.
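The dashboard lookup above, and the API access mentioned in the feature list, can be reproduced in a script. The following is an added example, not code from the original post or from VirusTotal: it hashes a file locally (so a lookup never uploads the file, which matters for sensitive samples), queries the VirusTotal API v3 `GET /files/{hash}` endpoint with the `x-apikey` header, and reduces the JSON report to the detection score, the suggested threat label and the list of vendors that flagged it. A 404 means VirusTotal has never seen the hash, which is not a clean verdict. The `SAMPLE_REPORT` document below is constructed to show the response shape; its numbers and engine names are made up and are not the real result for the Batloader hash. The `fake_urlopen` stand-in is an assumption so the demo runs offline; pass a real API key and drop the `urlopen=` argument to query VirusTotal. The same GET pattern applies to `/domains/{domain}` and `/ip_addresses/{ip}`.

```python
"""Look up a file hash on VirusTotal (API v3) and summarise the verdict (added example)."""
import hashlib
import json
import urllib.error
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def sha256_of_bytes(data: bytes) -> str:
    """Hash the file locally; a hash lookup never uploads the file itself."""
    return hashlib.sha256(data).hexdigest()


def build_file_report_request(file_hash: str, api_key: str) -> urllib.request.Request:
    """GET /files/{hash}; the hash may be MD5, SHA-1 or SHA-256."""
    return urllib.request.Request(
        f"{VT_API}/files/{file_hash}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def summarize_file_report(report: dict) -> dict:
    """Reduce a /files/{hash} JSON document to the fields an analyst triages on."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    # Denominator approximates the dashboard score: engines that returned a verdict.
    # 'timeout', 'failure' and 'type-unsupported' are left out (our approximation).
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    flagged_by = sorted(
        r["engine_name"]
        for r in attrs.get("last_analysis_results", {}).values()
        if r.get("category") == "malicious"
    )
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    return {
        "sha256": attrs.get("sha256"),
        "detections": stats.get("malicious", 0),
        "engines": engines,
        "score": f"{stats.get('malicious', 0)}/{engines}",
        "suggested_label": label,
        "flagged_by": flagged_by,
        "last_analysis_date": attrs.get("last_analysis_date"),  # unix timestamp
    }


def lookup_hash(file_hash: str, api_key: str, urlopen=urllib.request.urlopen):
    """Return a summary dict, or None when VirusTotal has never seen the hash (HTTP 404).

    None is NOT a clean verdict: nobody has submitted the file yet, so decide
    separately whether uploading it is acceptable for your data.
    """
    req = build_file_report_request(file_hash, api_key)
    try:
        with urlopen(req) as resp:
            return summarize_file_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise  # 401: bad key; 429: public quota exceeded (4 lookups/min, 500/day)


# Constructed sample (shape of an API v3 /files/{hash} response; values are made up
# and are not the real VirusTotal data for this hash).
SAMPLE_HASH = "61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc"
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": SAMPLE_HASH,
        "attributes": {
            "sha256": SAMPLE_HASH,
            "last_analysis_date": 1680000000,
            "last_analysis_stats": {"malicious": 3, "suspicious": 0, "undetected": 1,
                                    "harmless": 0, "timeout": 0, "type-unsupported": 2, "failure": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "engine_name": "EngineA", "result": "Trojan.Batloader"},
                "EngineB": {"category": "malicious", "engine_name": "EngineB", "result": "Trojan.Generic"},
                "EngineC": {"category": "malicious", "engine_name": "EngineC", "result": "Malware.AI"},
                "EngineD": {"category": "undetected", "engine_name": "EngineD", "result": None},
            },
            "popular_threat_classification": {"suggested_threat_label": "trojan.batloader"},
        },
    }
}


class _FakeResponse:
    """Minimal file-like object so json.load() works on the constructed sample."""
    def __init__(self, payload):
        self._body = json.dumps(payload).encode()
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_urlopen(req):
    """Assumed stand-in for urllib.request.urlopen so the demo runs offline."""
    if req.full_url.endswith(SAMPLE_HASH):
        return _FakeResponse(SAMPLE_REPORT)
    raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)


if __name__ == "__main__":
    print(lookup_hash(SAMPLE_HASH, "YOUR_API_KEY", urlopen=fake_urlopen))
    unknown = sha256_of_bytes(b"constructed file that was never submitted")
    print(lookup_hash(unknown, "YOUR_API_KEY", urlopen=fake_urlopen))  # None: never seen
```

Keep the API key out of the script (an environment variable is the usual choice) and throttle batch lookups to the public quota, otherwise the 429 errors above will appear long before a large IOC list is finished.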
Exploring Detection Tab
This tab shows which security vendors tagged the file as malicious and which reported it clean. In this case, the file is clearly labeled ‘trojan.batloader’. Scrolling through the list, we can see that well-known vendors such as Avast and BitDefender also flagged this file as malicious.
Exploring Details Tab
This tab provides the full details of the file behind the hash. Whichever hash format we looked up, we can see the file’s other hashes, its file type, when it was first submitted to VirusTotal, the last submission, the last analysis, the names the file has been seen under, etc.
Exploring Relations Tab
This tab shows which domains and IPs the file has communicated with. It also has a very useful feature that represents the whole attack as a graph, showing every detail required.
As you can see, the graph shows us the domains and IPs the malicious file communicated with, the region those IPs belong to, and the presence of the file reported.
Exploring Behavior Tab
This tab gives more details from the sandbox (behavior) analysis of the malware. Here we can see the MITRE ATT&CK techniques mapped to the file, IDS rules and Sigma rules that matched, if any. All of these details help in hunting for the malware within an organization.
Exploring Community tab
This is the tab where we can see all the community contributions. Researchers who observe any further details can give more input and give back to the community.
Domain or IP analysis using VirusTotal
We can search the reputation of any IP or domain in VirusTotal. The process is the same, but let’s see what extra details we can observe while analyzing an IP or domain. Looking up a malicious IP and domain, apart from the analysis we discussed above, we can also see whois information for the domain. This contains the creation date of the domain, expiry date, registrar details, name server details, etc.
How Can You Contribute to The Community?
We saw all the information available while we looked up an artifact. In some cases, the detection score might be 0, i.e., no engine calls it malicious; however, we cannot conclude that the file is clean. The reason might be that the security vendors haven’t flagged it as malicious yet. In such cases, if we as researchers are sure that the file is malicious or clean, we can cast a vote that feeds into the community score. We can also add comments in the Community tab.
VirusTotal Alternatives: Other Online Malware Scanning Tools or Websites like VirusTotal
If you want alternatives to VirusTotal, there are several other online malware scanning tools and websites that offer similar functionality. Some of the popular ones include:
- Jotti’s Malware Scan: Jotti’s Malware Scan is a free service that allows users to scan files with multiple antivirus engines. While it doesn’t have as many engines as VirusTotal, it still provides valuable insights into potential threats.
- MetaDefender Cloud: MetaDefender Cloud is a comprehensive security platform that offers file scanning, vulnerability detection, and data sanitization. Users can scan files with multiple antivirus engines and get detailed information about potential threats.
- Hybrid Analysis: Hybrid Analysis is a free malware analysis service that focuses on in-depth analysis using automated sandboxing technology. Users can submit files for scanning, and the platform provides detailed reports on the behavior of the files, including network activity, file system modifications, and more.
- Any.Run: Any.Run (app.any.run) is an interactive online malware analysis sandbox that allows users to execute and observe the behavior of files in a controlled environment. This can help identify the presence of malware and understand how it operates.
- Joe Sandbox: Joe Sandbox is an advanced automated malware analysis platform that combines static, dynamic, and behavior-based analysis techniques. Users can submit files for analysis, and the platform generates detailed reports on the observed activities and indicators of compromise.
- Kaspersky VirusDesk: Kaspersky VirusDesk is a free online scanning tool provided by the Kaspersky security company. Users can scan files or URLs for potential threats using Kaspersky’s antivirus engine.
- FortiGuard Online Scanner: FortiGuard Online Scanner is a free service provided by Fortinet that allows users to scan files or URLs for malware and other threats. The service utilizes Fortinet’s FortiGuard antivirus engine.
VirusTotal is a very efficient tool that brings many details together under one umbrella. Its visualizations make analysis easy, and its advanced features support detailed investigation. The graphical representation of the attack provides an overview, and this information helps in hunting for malicious activity in your environment.
We hope this article helped you explore VirusTotal and how to use it for analysis. Thanks for reading this post.
Frequently Asked Questions:
1. What is VirusTotal?
VirusTotal is an online malware scanning tool that aggregates various antivirus engines and other threat intelligence resources to analyze files and URLs for potential malware, viruses, or other security threats. It is a valuable resource for security analysts, researchers, and IT professionals to detect and analyze malware.
2. Is VirusTotal free to use?
Yes, VirusTotal is free for non-commercial use. However, the platform also offers premium plans with additional features and higher request limits for commercial users and enterprises.
3. How do I use VirusTotal to scan a file?
To use VirusTotal to scan a file, follow these steps:
Visit the VirusTotal website at https://www.virustotal.com/.
Click the “Choose File” button under the “File” tab.
Select the file you want to analyze from your computer.
VirusTotal will upload and scan the file using multiple antivirus engines, displaying the results in real-time.
4. How do I use VirusTotal to scan a URL?
To use VirusTotal to scan a URL, follow these steps:
Visit the VirusTotal website at https://www.virustotal.com/.
Click the “URL” tab.
Enter the URL you want to analyze in the provided field.
Click the “Scan” button.
VirusTotal will analyze the URL using multiple engines and display the results.
5. How do I use VirusTotal to search for an IP address, domain, or hash?
To use VirusTotal to search for an IP address, domain, or hash, follow these steps:
Visit the VirusTotal website at https://www.virustotal.com/.
Click the “Search” tab.
Enter the IP address, domain, or hash you want to search for in the provided field.
Click the “Search” button.
VirusTotal will display the search results, including any related detections or information.
6. How accurate are VirusTotal’s scan results?
VirusTotal’s scan results are based on the collective intelligence of multiple antivirus engines and other threat intelligence resources. While it provides a comprehensive analysis, no single tool can guarantee 100% accuracy in detecting malware. It is important to use VirusTotal in conjunction with other security tools and best practices to ensure comprehensive protection.
7. Does VirusTotal offer an API?
Yes, VirusTotal offers a public API for developers and security analysts to integrate its scanning and analysis capabilities into their own applications, tools, or workflows. The public API is subject to certain usage limitations, but premium plans with higher request limits are available for commercial users and enterprises.
8. How can I stay updated on the latest threats detected by VirusTotal?
You can stay updated on the latest threats detected by VirusTotal by following their official blog, Twitter account, or subscribing to their newsletter. These resources provide regular updates on new malware discoveries, platform updates, and other relevant information for security analysts.
9. Is it safe to upload sensitive files to VirusTotal?
While VirusTotal takes measures to ensure data privacy, uploading highly sensitive files to any online service carries some risk, and samples uploaded to VirusTotal are shared with its security partners. If you are concerned about the privacy of your data, look the file up by its hash first (a hash lookup does not upload the file), and consider using local antivirus software or other offline security tools to scan and analyze sensitive files.
10. Can VirusTotal replace my antivirus software?
VirusTotal is a valuable resource for malware analysis and threat intelligence, but it should not be used as a primary antivirus solution. It is designed as a supplementary tool for security analysts and IT professionals, and should be used in conjunction with robust antivirus software and other security best practices to ensure comprehensive protection.