
VirusTotal | Analyzes Files and URLs

LiquidLayer
VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.

https://www.virustotal.com

https://www.virustotal.com/en/about/

What is VirusTotal

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

VirusTotal’s mission is to help in improving the antivirus and security industry and make the internet a safer place through the development of free tools and services.

VirusTotal's main characteristics are highlighted below.
Free unbiased service

VirusTotal is offered freely to end users as long as its use has no commercial purpose and does not become part of any business activity. Even though the service works with engines belonging to different enterprises and organizations, VirusTotal does not distribute or advertise any products belonging to third parties, but simply acts as an aggregator of information. This prevents us from being subjected to any kind of bias and allows us to offer an objective service to our users.
Runs multiple antivirus engines and website scanners

VirusTotal simply acts as an information aggregator. The aggregated data is the output of different antivirus engines, website scanners, file and URL analysis tools and user contributions. The full list of antivirus solutions and website scanners used in VirusTotal can be found in the credits and collaboration acknowledgements section.
Runs multiple file and URL characterization tools

As previously stated, VirusTotal also aggregates the output of a number of file and URL characterization tools. These tools cover a wide range of purposes, ranging from providing structural information about Microsoft Windows portable executables (PEs) to identifying signed software. The full list of file and URL characterization tools used in VirusTotal can be found in the credits and collaboration acknowledgements section.
Real time updates of virus signatures and blacklists

The malware signatures of antivirus solutions present in VirusTotal are periodically updated as they are developed and distributed by the antivirus companies. The update polling frequency is 15 minutes—this makes sure that the products are using the latest signature sets.

Website scanning is done via API queries to the different companies providing the particular solution, hence, the most updated version of their dataset is always used.
Detailed results from each scanner

VirusTotal not only tells you whether a given antivirus solution detected a submitted file, but also displays the exact detection label returned by each engine (e.g. I-Worm.Allaple.gen).

This feature is also present in URL scanners. Most of them will discriminate malware sites, phishing sites, suspicious sites, etc. Moreover, some of the engines will provide additional information explicitly stating whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, etc.
Real time global service operation statistics

Information about the number of resources (files and URLs) processed by VirusTotal can be found in the statistics section. These statistics provide a number of notions and groupings, such as global detection ratios for the received files, submissions per country, most popular detection labels, etc. No statistics comparing the different antivirus products and website detection engines are generated—neither will they ever be generated (on a public or private basis), even though their calculation is trivial. The reason is that using VirusTotal for antivirus testing is a bad idea.
Automation API

File and URL scanning can be automated with a free public API. For obvious reasons (including prevention of competition with the antivirus products present in VirusTotal), the public API is subjected to a strong request rate limitation. Should a user require a higher request rate, a honeypot API is available for researchers and a private mass API is offered to individuals with commercial and product enhancement intentions. A detailed specification of the different APIs can be found in the advanced features section.
Online malware research community

In August 2010 VirusTotal integrated a pseudo-social network that allows its users to interact with other users and comment on files and URLs. These comments may range from deep malware analyses to information on the distribution vector and in-the-wild locations of the submitted files, hence, the community acts as the collective intelligence component of VirusTotal. Files and URLs can be voted as malicious or innocuous, building a community maliciousness score for the resource.

In other words, when security products fail (false positives/false negatives), there is still a chance that some VirusTotal Community user will have produced a useful review of the resource for its community peers.
Desktop applications for interacting with the service

With the aim of making the Internet a safer place VirusTotal's team has released a number of desktop applications and tools for interacting with the service (one-click file uploader, browser extensions, etc.). Many of VirusTotal's users have also developed their own applications and have made them publicly available on the Internet. More information about these resources can be found in the advanced features section.
Governing principle

The most important rule governing VirusTotal's usage is that none of its publicly offered services/applications should be used in commercial products, commercial services or for any commercial purpose. In the same way, none of the services should be used as a substitute for security products. This is particularly critical and of utmost importance when dealing with the public API.

Additionally, as stated in the Terms of Service and Privacy Policy, when using VirusTotal the user explicitly commits to:

Not use the services, products, content and/or tools that VirusTotal has made available, for illegal purposes or purposes expressly prohibited by the Terms of Service or the effects of which may infringe upon the rights or interests of VirusTotal or third parties.
Abstain from any activity that could damage, overload, harm or impede the normal functioning of VirusTotal's websites. Similarly, and in accordance with applicable legislation, the user undertakes to refrain from illicitly or fraudulently obtaining site contents or stealing or plagiarising said contents.
Not to use the products, services, contents or tools for illicit purposes, or for any end which could hinder VirusTotal in any way.
Not to use the products, services, contents or tools in any way that could harm the antivirus industry/URL scanner industry, whether it is directly or indirectly.

How to send a file

A number of file submission methods are available in VirusTotal.

Web
Any user can select a file from their PC using their browser and send it to VirusTotal. The web interface has the highest scanning priority among the publicly available submission methods. Go to the main file scanning form.
VirusTotal Uploader
This is a Windows desktop application for sending files to VirusTotal with just two mouse clicks. It makes use of the public web interface form in its code, thus, it also has the highest scanning priority. Download VirusTotal Uploader.
Email
Lets you upload files via email and receive the scan results in your mailbox. The files are uploaded as email attachments and the results can be received either in plain text or XML. This interface has the lowest priority among the publicly available submission methods. Read more about email submissions.
Public API
Submissions may be scripted in any programming language using the HTTP based public API . The API has the second highest priority among the publicly available submission methods.

How to send a URL

As with files, URLs can be submitted via different means, these are detailed below:

Web
Any user can type a URL in a browser and send it to VirusTotal. The web interface has the highest scanning priority among the publicly available submission methods. Go to the main URL submission form.
VirusTotal's Browser Extension
VirusTotal's Browser Extensions make use of the public web interface form in their code, thus, they also have the highest scanning priority. Download the appropriate VirusTotal Browser Extension for your browser.
Public API
URL submissions may be scripted in any programming language using the HTTP based public API. The API has the second highest priority among the publicly available submission methods.

Unlike file submissions, there is no email interface to support sending of URLs.
Important notes and remarks
VirusTotal: second opinion, not a product substitute

VirusTotal is not a substitute for any antivirus/security software installed in a PC, since it only scans individual files/URLs on demand. It does not offer permanent protection for users' systems either. At VirusTotal we think of our service as a second opinion regarding the maliciousness of your files/URLs.

Although the detection ratio achieved by the use of multiple antivirus engines/URL scanners is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file/URL. Moreover, the aggregate amount of false positives of multiple solutions is higher than that of any individual scanner.

Currently, there is no solution that offers 100% effectiveness in detecting viruses, malware and malicious URLs. You may become a victim of deceitful advertising, if you buy such a product under those premises.
Ethical and non-commercial use is a must

None of the services or applications publicly offered on this site should be used in commercial products, commercial services or for any business purpose. In the same way, none of the services should be used as a substitute for security products.

Similarly, VirusTotal should not be used in any way for unethical/malicious purposes.

More information on VirusTotal's usage terms can be found in the Terms of Service and Privacy Policy section.
BAD IDEA: VirusTotal for antivirus/URL scanner testing

At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:

VirusTotal's antivirus engines are command-line versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and may have personal firewalls that decrease entry points and mitigate propagation, etc.
In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration.

These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea.
False positives

Very often antivirus solutions and URL scanners will produce false positives, i.e. detect as malicious innocuous files and URLs. These erroneous detections may severely hinder the business activity/popularity of third party products (e.g. restrict access to a given site, dissuade users from downloading and installing a given application, etc.).

VirusTotal simply acts as an information aggregator and cannot and will not be held responsible for these false positives. VirusTotal will not whitelist any files or URLs and will not remove any detections resulting from the normal operation of the products it makes use of. False positives should be dealt with by the developer/company that offers the product generating the erroneous detection. Links to the sites of the developers/companies of all products/tools used in VirusTotal can be found in the credits and collaboration acknowledgements section.

Having said this, VirusTotal does offer a premium file detection monitoring service (VirusTotal Monitor) that acts as an early warning system about false positives. Files submitted to your premium account are periodically scanned with antivirus' latest signature sets, informing you immediately whenever any product flags any of your files as malicious. Should you be interested in receiving more information on this service do not hesitate to contact us.
VirusTotal and confidentiality

Files and URLs sent to VirusTotal will be shared with antivirus vendors and security companies so as to help them in improving their services and products. We do this because we believe it will eventually lead to a safer Internet and better end-user protection.

By default any file/URL submitted to VirusTotal which is detected by at least one scanner is freely sent to all those scanners that do not detect the resource. Additionally, all files and URLs enter a private store that may be accessed by premium (mainly security/antimalware companies/organizations) VirusTotal users so as to improve their security products and services.

Rotarua Limited (d.b.a. VirusTotal)
3rd Floor Gordon House, Barrow Street.
Dublin (D4)
Ireland

Email: contact@virustotal.com

LiquidLayer
Frequently Asked Questions

https://www.virustotal.com/en/faq/

Answers to common VirusTotal related questions can be found under the topics listed below. Should you have a question that is not present in this FAQ please do not hesitate to contact us with your inquiry. Before asking please make sure it has not been answered in this FAQ or in any of the pertinent VirusTotal documentation sites.

Navigate directly to questions about:

Antivirus file scans
URL scans
VirusTotal API
Including new antivirus solutions and tools in VirusTotal
VirusTotal statistics
VirusTotal site translations
Shortcuts
VirusTotal Community
Antivirus file scans
What kind of files will VirusTotal scan?

VirusTotal will scan, and detect, if appropriate, any type of binary content, be it a Windows executable, Android APKs, PDFs, images, JavaScript code, etc. Most of the antivirus companies involved in VirusTotal will have solutions for multiple platforms, hence they usually produce detection signatures for any kind of malicious content.
I want to scan my entire system, where can I download VirusTotal?

VirusTotal just provides a second opinion on a given file or URL. It is by no means a full-fledged antivirus and we do not want it to be, therefore, VirusTotal is not available for download, it is just a web application.

Having said this, we have built a desktop application that eases the task of uploading files to our multiantivirus scanner, find out more about VirusTotal uploader or check other community alternatives such as PhrozenSoft VirusTotal Uploader, though we are not responsible for the latter.
What is the maximum file size that can be submitted to VirusTotal?

128MB for the web and email interfaces, 32MB for the API interface by default. Having said this, should you have a strong and justified need to send big files through the API (even larger than 128MB) you can contact us in order to have access to the big files API call.
My network/system blocks malware uploads, can I upload encrypted compressed files in order to avoid this restriction?

Indeed, you may place the file that you wish to scan inside an encrypted ZIP file, VirusTotal will automatically extract the inner file and get it scanned for you, asking you whether you wish to render the report for such inner file. In order to be able to inspect the ZIP file its password must be one of the following: infected, password, test, 1234, virustotal, virus, compressed.
I have inadvertently uploaded a file with confidential or sensitive information to VirusTotal, can you please delete it?

We are very concerned about the privacy of our users and will do everything that is in our hands in order to ensure that privacy is preserved, please use our contact form to inform us about the issue.
I want to automate scans, what should I do?

VirusTotal provides an email interface and a public API for automating analysis tasks, you can find more information in the VirusTotal documentation site.
The antivirus result displays a green circle with a white tick mark, what does this mean?

VirusTotal makes use of the symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.
The antivirus result displays a grey clock, what does this mean?

VirusTotal makes use of the symbol to indicate that the antivirus scanner under consideration timed out when analysing the submitted file. This does not necessarily mean that the antivirus has a problem with the file, as VirusTotal processes files in batches, it just means that at a particular point in time, under certain machine-load circumstances the antivirus did not produce a result for the file in a timely manner.
A given antivirus in VirusTotal detects a file and its equivalent commercial version does not

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.
VirusTotal is detecting a legitimate software I have developed, please remove the detections

VirusTotal acts simply as an information aggregator, presenting antivirus results, file characterization tool outputs, URL scanning engine results, etc. VirusTotal is not responsible for false positives generated by any of the resources it uses, false positive issues should be addressed directly with the company or individual behind the product under consideration.

We can, however, help you in combating false positives. VirusTotal has built an early warning system regarding false positives whereby developers can upload their software to a private store; such software gets scanned on a daily basis with the latest antivirus signatures. Whenever there is a change in the detections of any of your files, you are immediately notified in order to mitigate the false positive as soon as possible.
The version information of a given antivirus is not coherent with its latest commercial product, is it out of date?

No. Normally the version displayed in VirusTotal is decided by the company providing the antivirus solution, it does not always follow the same rules as its commercial product. To check if a given antivirus is up-to-date you should have a look at its last update field, this date reveals the last time that a new set of signatures was downloaded for the product.
Some engines have relatively old last update dates, please update the antivirus signature set

Each antivirus solution present in VirusTotal makes a signature update infrastructure available to VirusTotal. VirusTotal periodically polls this infrastructure (each 15 minutes) in order to see if there is anything new to download. Therefore, if the last update date for new file scans is old it is because the given antivirus vendor has not released any new signatures for VirusTotal.
URL scans
I asked for a URL scan but the file located at the given URL was not enqueued for antivirus scanning

The URL scanner will only enqueue for antivirus file scanning those files that are not text or similar formats (HTML, CSV, XML, etc.). Executables, images, music files, etc. will be always enqueued.

Another reason could be that the URL response content could not be retrieved at the time of analysis (due to some network error, because the response content is larger than 32MB in size, etc.).
Some URL scanner detects a given URL but its corresponding antivirus solution does not detect the downloaded file, or vice-versa

Very often URL scanners and antivirus engines are independent solutions even though they may belong to the same company, hence, detecting a given URL as malicious does not necessarily mean that the file located at such URL will also be detected, and vice-versa.

Moreover, sometimes the URL might be malicious (e.g. phishing site) but the downloaded file (HTML of the phishing site) may not necessarily be a threat for your computer. Other times, the downloaded file might indeed be flagged by the antivirus signatures but the corresponding URL scanner might still have no knowledge that a given URL is distributing such file.
I am experiencing a false positive, my site should not be detected.

VirusTotal simply aggregates the output of different antivirus vendors and URL scanners, it does not produce any verdicts of its own. As such, if you are experiencing a false positive issue, you should notify the problem to the company producing the erroneous detection, they are the only ones that can fix the issue. Please note that even if we were able to remove the flag, the users of such product would still be blocked from accessing your site.
VirusTotal API
Please give me an API key

You do not need to ask for a public API key, in order to get one you just have to register in VirusTotal Community (top right hand side of VirusTotal). Once registered, sign in to your account and you will find your public API key in the corresponding menu item under your user name.
The 4 requests/minute limitation of the Public API is too low for me, how can I have access to a higher quota?

Special privileges can be considered for honeypots, honeyclients and other projects providing resources (samples or URLs) to VirusTotal.

VirusTotal also offers a private mass API. This API provides a higher request rate (that can be agreed with the VirusTotal team) and offers far more information and features than the public API. Find out more about the private API.

If any of these alternatives suits your purposes do not hesitate to contact us.
What is the difference between the public API and the private API?

First of all, the private API has an unlimited request rate. The service is designed as a volume stepped flat rate model.

Secondly, the private API gives you access to much more information than the public API, this information includes (but is not limited to):

All reports on a given sample or URL, not only the most recent one.
File and URL information provided by tools integrated in VirusTotal (PEinfo, PEiD, ExifTool, packers, sandbox links, sigcheck, etc.).
Behavioural execution information.
Metadata provided by VirusTotal: number of submissions, submissions vs. datetime, country of the sender of a given file, file names with which a sample has been submitted, first and last times a sample was seen, etc.
Goodware information: whether a given hash is goodware or not, products in which the file is found.
Property to sample queries: reverse searches such as "give me all samples that are detected with the following signature", "give me all samples that are detected by more than 10 engines", "give me all samples that contain a given PE section with the following hash", etc. These queries can be combined to build complex requests.
YARA notifications on the samples received at VirusTotal.

In addition to returning more information, the private mass API will allow you to download submitted samples for further research, along with the network traffic captures they generate upon execution and their detailed execution reports.

At the same time, the private mass API has a strict Service License Agreement (SLA) that guarantees availability and readiness of file and URL reports, making it suitable for integration in commercial services and products.

Other advanced queries specific to your needs can also be implemented. If you are interested in the private API do not hesitate to contact us.
I integrated the public API in free software, the default request rate is too low to attend all my users

The public API request limit can be fixed by the tuple (api key, IP address). Whenever this is done it is this tuple the one having the 4 requests/minute limitation and not the key on its own. This means that you can include a unique key in the software you have developed and each one of your users (provided they are not sharing their IP address) will experience a different 4 requests/minute limitation. Contact us in order to make your key a shared key, this is a free setting.
What do you consider an API request?

When considering API quotas, an API request is not equivalent to an HTTP request. This concept designates a single item lookup in the VirusTotal dataset. Therefore, if you were to make one single batch HTTP request asking for 10 hashes, that would count as 10 API requests. Analogous counting takes place for other items such as URLs, domains or IP addresses.
Including new antivirus solutions and tools in VirusTotal
I would like to include my antivirus product/URL analysis engine in VirusTotal, what should I do?

The process could not be easier, just contact us. We will tell you what we need.

In exchange for providing an antivirus solution you will receive all files submitted to VirusTotal that are not detected by your product and are detected by at least one other antivirus, along with their corresponding VirusTotal reports.

In exchange for allowing us to use a URL analysis engine you will receive the whole feed of URLs submitted to VirusTotal, along with their corresponding VirusTotal reports.
I requested the inclusion of my antivirus solution in VirusTotal some time ago and it has not been integrated yet

There is a relatively large waiting list for inclusion of antivirus solutions in VirusTotal, be patient. Integration of URL analysis engines is much quicker, so if you are still waiting do not hesitate to contact us.
VirusTotal statistics
Why don't you include statistics comparing antivirus performance?

At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:

VirusTotal's antivirus engines are command-line versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and may have personal firewalls that decrease entry points and mitigate propagation, etc.
In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration.

These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea, you can read more about VirusTotal and antivirus comparatives in our blog.
I want to suggest some other data correlation that would be very interesting to display

We want to continue improving the statistics section, so do not hesitate to send us your suggestions
VirusTotal site translations
Please translate the site to my language

Our aim is to have VirusTotal translated to as many languages as possible, however, we need some time to be able to do it, please be patient. To speed up this process you might want to consider volunteering in order to translate VirusTotal to your language, keep reading.
I want to translate VirusTotal to my language, what should I do?

The first step is to contact us and specify the target language. Once the request has been approved we will give you access to our translation application and you will be able to start building VirusTotal in your language.
Shortcuts
How can I link to the most recent report on a given file or URL?

There is a specific HTTP GET request to do this, feel free to use this link feature in your sites. The link is as follows:

"https://www.virustotal.com/latest-scan/<resource>"

Where resource is one of:

The MD5 of a given file that was scanned by VirusTotal.
The SHA1 of a given file that was scanned by VirusTotal.
The SHA256 of a given file that was scanned by VirusTotal.
A URL that was scanned by VirusTotal.

Note that this feature is subjected to the same 4 requests/minute limitation as the public API and search feature.
VirusTotal Community
How can I increase my VirusTotal Community reputation?

There are two main ways of gaining reputation credits:

Become trusted: each time a VirusTotal Community member trusts you, you are automatically added 10% of his current reputation.
Produce high quality sample and URL comments: if you post interesting comments on samples and URLs other users may vote your comment as useful, whenever this happens you are added 3 reputation points. Moreover, your comments might be read by a VirusTotal team member and he might decide to boost your reputation.

Why should I vote a file or URL as harmless or malicious?

Whenever you vote a file or URL as harmless or malicious a mathematical function is applied to your reputation and the result of this function is added as reputation points to the file's maliciousness index. The overall file score may be used by other users as an additional indicator on the nature of the file in addition to the antivirus results. The number of votes in one sense or another also serves the same purpose.
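The latest-scan link and the public-API quota rules from the FAQ above, put to work in an added Python example that is not VirusTotal's own code. It takes from the FAQ the link form, the accepted resource kinds (MD5, SHA1, SHA256 or a URL), the 4 requests/minute limit and the rule that a batch of N items costs N requests; telling the resource kind apart by hex length and budgeting the quota with a sliding window are my own assumptions, and nothing is sent over the network.

```python
"""Apply the VirusTotal FAQ rules offline: build latest-scan links for a
file's hashes and budget lookups against the public-API quota.

Added illustration, not VirusTotal's own code. From the FAQ: the link form
https://www.virustotal.com/latest-scan/<resource>, the accepted resources
(MD5, SHA1, SHA256 or a URL), the 4 requests/minute public quota, and the
rule that a batch lookup of N items counts as N requests. Classifying a
resource by hex length and using a sliding window for the quota are my own
assumptions. No network request is made.
"""
import hashlib
import re
from collections import deque

LATEST_SCAN = "https://www.virustotal.com/latest-scan/"
PUBLIC_QUOTA = 4        # requests per minute (per (api key, IP) when shared)
QUOTA_WINDOW = 60.0     # seconds

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest lengths


def file_hashes(data: bytes) -> dict:
    """The three hash forms the latest-scan link accepts, computed locally.
    Looking up a hash instead of uploading keeps a sensitive file out of the
    shared store described in the 'confidentiality' section."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def resource_type(resource: str) -> str:
    """'md5', 'sha1' or 'sha256' for a hex digest of the matching length
    (assumption: that is how the resource kind is told apart), else 'url'."""
    kind = _HASH_LENGTHS.get(len(resource))
    if kind and _HEX.match(resource):
        return kind
    return "url"


def latest_scan_link(resource: str) -> str:
    """Build the link to the most recent report for a hash or URL."""
    if resource_type(resource) != "url":
        resource = resource.lower()          # hex digests are case-insensitive
    return LATEST_SCAN + resource


class PublicApiQuota:
    """Sliding-window budget for public-API lookups (the FAQ says the
    latest-scan and search features share the same 4/minute limit). One
    request is one item looked up, so a batch of 10 hashes costs 10."""

    def __init__(self, limit: int = PUBLIC_QUOTA, window: float = QUOTA_WINDOW):
        self.limit = limit
        self.window = window
        self._events: deque = deque()        # (timestamp, items_looked_up)

    def used(self, now: float) -> int:
        """Items charged inside the window ending at `now`."""
        while self._events and now - self._events[0][0] >= self.window:
            self._events.popleft()
        return sum(n for _, n in self._events)

    def try_lookup(self, items, now: float) -> bool:
        """Charge a lookup of `items` if it fits in the window; otherwise
        return False so the caller waits instead of being throttled."""
        n = len(items)
        if n == 0:
            return True
        if self.used(now) + n > self.limit:
            return False
        self._events.append((now, n))
        return True


if __name__ == "__main__":
    sample = b"constructed sample bytes, not a real file"     # constructed input
    hashes = file_hashes(sample)
    for kind, digest in hashes.items():
        print(kind, latest_scan_link(digest))
    quota = PublicApiQuota()
    print(quota.try_lookup(list(hashes.values()), now=0.0))   # 3 items fit
    print(quota.try_lookup(["x", "y"], now=1.0))              # 3 + 2 > 4: False
    print(quota.try_lookup(["x", "y"], now=60.0))             # window slid: True
```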