Answers to common VirusTotal related questions can be found under the topics listed below. Should you have a question that is not present in this FAQ please do not hesitate to contact us with your inquiry. Before asking please make sure it has not been answered in this FAQ or in any of the pertinent VirusTotal documentation sites.
Navigate directly to questions about:
Antivirus file scans
URL scans
VirusTotal API
Including new antivirus solutions and tools in VirusTotal
VirusTotal statistics
Shortcuts
VirusTotal Community
VirusTotal will scan, and detect, if appropriate, any type of binary content, be it a Windows executable, Android APKs, PDFs, images, javascript code, etc. Most of the antivirus companies involved in VirusTotal will have solutions for multiple platform, hence they usually produce detection signatures for any kind of malicious content.
VirusTotal just provides a second opinion on a given file or URL. It is by no means a full-fledged antivirus and we do not want it to be, therefore, VirusTotal is not available for download, it is just a web application.
Having said this, we have built a desktop application that eases the task of uploading files to our multiantivirus scanner, find out more about VirusTotal uploader or check other community alternatives such as PhrozenSoft's VirusTotal Uploader, though we are not responsible for the latter.
128MB for the web and email interfaces, 32MB for the API interface by default. Having said this, should you have a strong and justified need to send big files through the API (even larger than 128MB) you can contact us in order to have access to the big files API call.
Indeed, you may place the file that you wish to scan inside an encrypted ZIP file, VirusTotal will automatically extract the inner file and get it scanned for you, asking you whether you wish to render the report for such inner file. In order to be able to inspect the ZIP file its password must be one of the following: infected, password, test, 1234, virustotal, virus, compressed.
We are very concerned about the privacy of our users and will do everything that is in our hands in order to ensure that privacy is preserved, please use our contact form to inform us about the issue.
VirusTotal provides an email interface and a public API for automating analysis tasks, you can find more information in the VirusTotal documentation site.
VirusTotal makes use of the symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.
VirusTotal makes use of the symbol to indicate that the antivirus scanner under consideration timed out when analysing the submitted file. This does not necessarily mean that the antivirus has a problem with the file, as VirusTotal processes files in batches, it just means that at a particular point in time, under certain machine-load circumstances the antivirus did not produce a result for the file in a timely manner.
VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.
VirusTotal acts simply as an information aggregator, presenting antivirus results, file characterization tool outputs, URL scanning engine results, etc. VirusTotal is not responsible for false positives generated by any of the resources it uses, false positive issues should be addressed directly with the company or individual behind the product under consideration.
We can, however, help you in combatting false positives. VirusTotal has built an early warning system regarding false positives whereby developers can upload their software to a private store, such software gets scanned on a daily basis with the latest antivirus signatures. Whenever there is a change in the detections of any of your files, you are immediately notified in order to mitigate the false positive as soon as possible.
No. Normally the version displayed in VirusTotal is decided by the company providing the antivirus solution, it does not always follow the same rules as its commercial product. To check if a given antivirus is up-to-date you should have a look at its last update field, this date reveals the last time that a new set of signatures was downloaded for the product.
Each antivirus solution present in VirusTotal makes a signature update infrastructure available to VirusTotal. VirusTotal periodically polls this infrastructure (each 15 minutes) in order to see if there is anything new to download. Therefore, if the last update date for new file scans is old it is because the given antivirus vendor has not released any new signatures for VirusTotal.
The URL scanner will only enqueue for antivirus file scanning those files that are not text or similar formats (HTML, CSV, XML, etc.). Executables, images, music files, etc. will be always enqueued.
Another reason could be that the URL response content could not be retrieved at the time of analysis (due to some network error, because the response content is larger than 32MB in size, etc.).
Very often URL scanners and antivirus engines are independent solutions even though they may belong to the same company, hence, detecting a given URL as malicious does not necessarily mean that the file located at such URL will also be detected, and vice-versa.
Moreover, sometimes the URL might be malicious (e.g. phishing site) but the downloaded file (HTML of the phishing site) may not necessarily be a theat for your computer. Other times, the downloaded file might indeed be flagged by the antivirus signatures but the corresponding URL scanner might still have no knowledge that a given URL is distributing such file.
VirusTotal simply aggregates the output of different antivirus vendors and URL scanners, it does not produce any verdicts of its own. As such, if you are experiencing a false positive issue, you should notify the problem to the company producing the erroneous detection, they are the only ones that can fix the issue. Please note that even if we were able to remove the flag, the users of such product would still be blocked from accessing your site.
You do not need to ask for a public API key, in order to get one you just have to register in VirusTotal Community (top right hand side of VirusTotal). Once registered, sign in into your account and you will find your public API in the corresponding menu item under your user name.
Special privileges can be considered for honeypots, honeyclients and other projects providing resources (samples or URLs) to VirusTotal.
VirusTotal also offers a private mass API. This API provides a higher request rate (that can be agreed with the VirusTotal team) and offers far more information and features than the public API. Find out more about the private API.
If any of these alternatives suits your purposes do not hesitate to contact us.
First of all, the private API has an higher request rate. The service is designed as a volume stepped flat rate model.
Secondly, the private API gives you access to much more information than the public API, this information includes (but is not limited to):
In addition to returning more information, the private mass API will allow you to download submitted samples for further research, along with the network traffic captures they generate upon execution and their detailed execution reports.
At the same time, the private mass API has a strict Service License Agreement (SLA) that guarantees availability and readiness of file and URL reports, making it suitable for integration in commercial services and products.
Other advanced queries specific to your needs can also be implemented. If you are interested in the private API do not hesitate to contact us.
The public API request can be fixed by the tuple (api key, IP address). Whenever this is done it is this tuple the one having the 4 requests/minute limitation and not the key on its own. This means that you can include a unique key in the software you have developed and each one of your users (provided they are not sharing their IP address) will experience a different 4 requests/minute limitation. Contact us in order to make your key a shared key, this is a free setting.
When considering API quotas, an API request is not equivalent to an HTTP request. This concept designates a single item lookup in the VirusTotal dataset. Therefore, if you were to make one single batch HTTP request asking for 10 hashes, that would count as 10 API requests. Analogous counting takes place for other items such as URLs, domains or IP addresses.
The process could not be easier, just contact us. We will tell you what we need.
In exchange for providing an antivirus solution you will receive all files submitted to VirusTotal that are not detected by your product and are detected by at least one other antivirus, along with their corresponding VirusTotal reports.
In exchange for allowing us to use a URL analysis engine you will receive the whole feed of URLs submitted to VirusTotal, along with their corresponding VirusTotal reports.
There is a relatively large waiting list for inclusion of antivirus solutions in VirusTotal, be patient. Integration of URL analysis engines is much quicker, so if you are still waiting do not hesitate to contact us.
At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:
These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea, you can read more about VirusTotal and antivirus comparatives in our blog.
We want to continue improving the statistics section, so do not hesitate to send us your suggestions
There is a specific HTTP GET request to do this, feel free to use this link feature in your sites. The link is as follows:
https://www.virustotal.com/latest-scan/<resource>
Where resource is one of:
Note that this feature is subjected to the same 4 requests/minute limitation as the public API and search feature.
There are two main ways of gaining reputation credits:
Whenever you vote a file or URL as harmless or malicious a mathematical function is applied to your reputation and the result of this function is added as reputation points to the file's maliciousness index. The overall file score may be used by other users as an additional indicator on the nature of the file in addition to the antivirus results. The number of votes in one sense or another also serve the same purpose.