Pages

Tuesday, July 31, 2012

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.


VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
No file selectedChoose File
Maximum file size: 32MB
You may prefer to scan a URL or search through the VirusTotal dataset

What is VirusTotal

VirusTotal is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.
VirusTotal’s mission is to help in improving the antivirus and security industryand make the internet a safer place through the development of free tools and services.
VirusTotal's main characteristics are highlighted below.
Free independent service
VirusTotal is offered freely to end users as long as its use has no commercial purpose and does not become part of any business activity. Even though the service is made up of engines belonging to different enterprises and organizations, VirusTotal is completely independent from these partners, we do not distribute or advertise any products belonging to third parties, we simply act as aggregators of information. This characteristic prevents us from being subjected to any kind of bias and allows us to offer an objective service to our users.
Runs multiple antivirus engines and website scanners
VirusTotal simply acts as an information aggregator, the aggregated data is the output of different antivirus engines, website scanners, file and URL analysis tools and user contributions. The full list of antivirus solutions and website scanners used in VirusTotal can be found in the credits and collaboration acknowledgements section.
Runs multiple file and URL characterization tools
As previously stated, VirusTotal also aggregates the output of a number of file and URL characterization tools. These tools cover a wide range of purposes, ranging from providing structural information about Microsoft Windows portable executables (PEs) to identifying signed software. The full list of file and URL characterization tools used in VirusTotal can be found in the credits and collaboration acknowledgements section.
Real time updates of virus signatures and blacklists
The malware signatures of antivirus solutions present in VirusTotal are periodically updated as they are developed and distributed by the antivirus companies. The update polling frequency is 15 minutes, this makes sure that the products are using the latest signature sets.
Website scanning is done via API queries to the different companies providing the particular solution, hence, the most updated version of their dataset is always used.
Detailed results from each scanner
VirusTotal does not only tell you whether a given antivirus solution detected a submitted file, it also displays the exact detection label returned by each engine (e.g. I-Worm.Allaple.gen).
This feature is also present in URL scanners, most of them will discriminate malware sites, phishing sites, suspicious sites, etc. Moreover, some of the engines will provide additional information explicitly stating whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, etc.
Real time global service operation statistics
Information about the number of resources (files and URLs) processed by VirusTotal can be found in the statistics section. These statistics provide a number of notions and groupings such as global detection ratios for the received files, submissions per country, most popular detection labels, etc. No statistics comparing the different antivirus products and website detection engines are generated neither will they be ever generated (on a public or private basis), even though their calculation is trivial, the reason behind this is that using VirusTotal for antivirus testing is a bad idea.
Automation API
File and URL scanning can be automated with a free public API. For obvious reasons (including prevention of competition with the antivirus products present in VirusTotal), the public API is subjected to a strong request rate limitation. Should a user require a higher request rate, a honeypot API is available for researchers and a private mass API is offered to individuals with commercial and product enhancement intentions. A detailed specification of the different APIs can be found in the advanced features section.
Online malware research community
In August 2010 VirusTotal integrated a pseudo-social network that allows its users to interact with other users and comment on files and URLs. These comments may range from deep malware analyses to information on the distribution vector and in-the-wild locations of the submitted files, hence, the community acts as the collective intelligence component of VirusTotal. Files and URLs can be voted as malicious or innoquous, building a community maliciousness score for the resource.
In other words, when security products fail (false positives/false negatives), there is still a chance that some VirusTotal Community user will have produced a useful review of the resource for its community peers.
Desktop applications for interacting with the service
With the aim of making the Internet a safer place VirusTotal's team has released a number of desktop applications and tools for interacting with the service (one-click file uploader, browser extensions, etc.). Many VirusTotal's users have also developed their own applications and have made them publicly available on the Internet. More information about these resources can be found in the advanced features section.

Governing principle

The most important rule governing VirusTotal's usage is that none of its publicly offered services/applications should be used in commercial products, commercial services or for any commercial purpose. In the same way, none of the services should be used as a substitute for security products. This is particularly critical and of utmost importance when dealing with the public API.
Additionally, as stated in the Terms of Service and Privacy Policy, when using VirusTotal the user explicily commits to:
  • Not use the services, products, content and/or tools that VirusTotal has made available, for illegal purposes or purposes expressly prohibited by the Terms of Service or the effects of which may infringe upon the rights or interests of VirusTotal or third-parties.
  • Abstain from any activity that could damage, overload, harm or impede the normal functioning of VirusTotal's websites. Similarly, and in accordance with applicable legislation, the user undertakes to refrain from illicitly or fraudulently obtaining site contents or stealing or plagiarising said contents.
  • Not to use the products, services, contents or tools for illicit purposes, or for any end which could hinder VirusTotal in any way.
  • Not to use the products, services, contents or tools in any way that could harm the antivirus industry/URL scanner industry, whether it is directly or indirectly.

How to send a file

A number of file submission methods are available in VirusTotal.
Web
Any user can select a file from his PC using his browser and send it to VirusTotal. The web interface has the highest scanning priority among the publicly available submission methods. Go to the main file scanning form.
VirusTotal Uploader
This is a Windows desktop application for sending files to VirusTotal with just two mouse clicks. It makes use of the public web interface form in its code, thus, it also has the highest scanning priority. Download VirusTotal Uploader.
Email
Lets you upload files via email and receive the scan results in your mailbox. The files are uploaded as email attachments and the results can be received either in plain text or XML. This interface has the lowest priority among the publicly available submission methods. Read more about email submissions.
Public API
Submissions may be scripted in any programming language using the HTTP based public API. The API has the second highest priority among the publicly available submission methods.

How to send a URL

As with files, URLs can be submitted via different means, these are detailed below:
Web
Any user can type a URL in his browser and send it to VirusTotal. The web interface has the highest scanning priority among the publicly available submission methods. Go to the main URL submission form.
VirusTotal's Browser Extension
VirusTotal's Browser Extension make use of the public web interface form in their code, thus, they also have the highest scanning priority. Download the appropriate VirusTotal Browser Extension for your browser.
Public API
URL submissions may be scripted in any programming language using the HTTP based public API. The API has the second highest priority among the publicly available submission methods.
Unlike file submissions, there is no email interface to support sending of URLs.

Important notes and remarks

VirusTotal: second opinion, not a product substitute
VirusTotal is not a substitute for any antivirus/secruity software installed in a PC, since it only scans individual files/URLs on demand. It does not offer permanent protection for users' systems either. At VirusTotal we think of our service as a second opinion regarding the maliciousness of your files/URLs.
Although the detection ratio achieved by the use of multiple antivirus engines/URL scanners is far superior than that offered by just one product, these results DO NOT guarantee the harmlessness of a file/URL. Moreover, the aggregate amount of false positives of multiple solutions is higher than that of any individual scanner.
Currently, there is no solution that offers 100% effectiveness in detecting viruses, malware and malicious URLs. You may become a victim of deceitful advertising, if you buy such a product under those premises.
Ethical and non-commercial use is a must
None of the services or applications publicly offered on this site should be used in commercial products, commercial services or for any business purpose. In the same way, none of the services should be used as a substitute for security products.
Similarly, VirusTotal should not be used in any way for unethical/malicious purposes.
More information on VirusTotal's usage terms can be found in the Terms of Service and Privacy Policy section.
BAD IDEA: VirusTotal for antivirus/URL scanner testing
At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:
  • VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
  • In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
  • Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/agressiveness level than the official end-user default configuration.
These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea, you can read more about VirusTotal and antivirus comparatives in our old blog. The Prevx team also made an entry in their blogdiscussing the matter.
False positives
Very often antivirus solutions and URL scanners will produce false positives, i.e. detect as malicious inoquous files and URLs. These erroneous detections may severely hinder the business activity/popularity of third party products (e.g. refrain access to a given site, disuade users from downloading and installing a given application, etc.).
VirusTotal simply acts as an information aggregator and cannot and will not be held responsible for these false positives. VirusTotal will not whitelist any files or URLs and will not remove any detections resulting from the normal operation of the products it makes use off. False positives should be dealt with the developer/company that offers the product generating the erroneous detection. Links to the sites of the developers/companies of all products/tools used used in VirusTotal can be found in the credits and collaboration acknowledgementssection.
Having said this, VirusTotal does offer a premium file detection monitoring service (VirusTotal Monitor) that acts as an early warning system about false positives. Files submitted to your premium account are periodically scanned with antivirus' latest signature sets, informing you immediately whenever any product flags any of your files as malicious. Should you be interested in receiving more information on this service do not hesitate to contact us.
VirusTotal and confidentiality
Files and URLs sent to VirusTotal will be shared with antivirus vendors and security companies so as to help them in improving their services and products. We do this because we believe it will eventually lead to a safer Internet and better end-user protection.
By default any file/URL submitted to VirusTotal which is detected by at least one scanner is freely sent to all those scanners that do not detect the resource. Additionally, all files and URLs enter a private store that may be accessed by premium (mainly security/antimalware companies/organizations) VirusTotal users so as to improve their security products and services.

No comments:

Post a Comment