How it works

VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. The web interface has the highest scanning priority among the publicly available submission methods. Submissions may be scripted in any programming language using the HTTP-based public API.

As with files, URLs can be submitted via several different means including the VirusTotal webpage, browser extensions and the API.

Upon submitting a file or URL basic results are shared with the submitter, and also between the examining partners, who use results to improve their own systems. As a result, by submitting files, URLs, domains, etc. to VirusTotal you are contributing to raise the global IT security level.

This core analysis is also the basis for several other features, including the VirusTotal Community: a network that allows users to comment on files and URLs and share notes with each other. VirusTotal can be useful in detecting malicious content and also in identifying false positives -- normal and harmless items detected as malicious by one or more scanners.

Free and unbiased

VirusTotal is free to end users for non-commercial use in accordance with our Terms of Service. Though we work with engines belonging to many different organizations, VirusTotal does not distribute or promote any of those third-party engines. We simply act as an aggregator of information. This allows us to offer an objective and unbiased service to our users.

Many contributors

VirusTotal's aggregated data is the output of many different antivirus engines, website scanners, file and URL analysis tools, and user contributions. The file and URL characterization tools we aggregate cover a wide range of purposes: heuristic engines, known-bad signatures, metadata extraction, identification of malicious signals, etc.

Raising the global IT security level through sharing

Scanning reports produced by VirusTotal are shared with the public VirusTotal community. Users can contribute comments and vote on whether particular content is harmful. In this way, users help to deepen the community’s collective understanding of potentially harmful content and identify false positives (i.e. harmless items detected as malicious by one or more scanners).

The contents of submitted files or pages may also be shared with premium VirusTotal customers. The file corpus created in VirusTotal provides cybersecurity professionals and security product developers valuable insights into the behaviors of emerging cyber threats and malware. Through our premium services commercial offering, VirusTotal provides qualified customers and anti-virus partners with tools to perform complex criteria-based searches to identify and access harmful files samples for further study. This helps organizations discover and analyze new threats and fashion new mitigations and defenses.

Real-time updates

Malware signatures are updated frequently by VirusTotal as they are distributed by antivirus companies, this ensures that our service uses the latest signature sets.

Website scanning is done in some cases by querying vendor databases that have been shared with VirusTotal and stored on our premises, and in other cases by API queries to an antivirus company's solution. As such, as soon as a given contributor blocklists a URL it is immediately reflected in user-facing verdicts.

Detailed results

VirusTotal not only tells you whether a given antivirus solution detected a submitted file as malicious, but also displays each engine's detection label (e.g., I-Worm.Allaple.gen). The same is true for URL scanners, most of which will discriminate between malware sites, phishing sites, suspicious sites, etc. Some engines will provide additional information, stating explicitly whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, and so on.