VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs, enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.
VirusTotal’s mission is to help in improving the antivirus and security industry and make the internet a safer place through the development of free tools and services.
VirusTotal's main characteristics are highlighted below.
VirusTotal is offered freely to end users as long as its use has no commercial purpose and does not become part of any business activity. Even though the service works with engines belonging to different enterprises and organizations, VirusTotal does not distribute or advertise any products belonging to third parties, but simply acts as an aggregator of information. This prevents us from being subjected to any kind of bias and allows us to offer an objective service to our users.
VirusTotal simply acts as an information aggregator. The aggregated data is the output of different antivirus engines, website scanners, file and URL analysis tools and user contributions. The full list of antivirus solutions and website scanners used in VirusTotal can be found in the credits and collaboration acknowledgements section.
As previously stated, VirusTotal also aggregates the output of a number of file and URL characterization tools. These tools cover a wide range of purposes, ranging from providing structural information about Microsoft Windows portable executables (PEs) to identifying signed software. The full list of file and URL characterization tools used in VirusTotal can be found in the credits and collaboration acknowledgements section.
The malware signatures of antivirus solutions present in VirusTotal are periodically updated as they are developed and distributed by the antivirus companies. The update polling frequency is 15 minutes—this makes sure that the products are using the latest signature sets.
Website scanning is done via API queries to the different companies providing the particular solution; hence, the most up-to-date version of their dataset is always used.
VirusTotal not only tells you whether a given antivirus solution detected a submitted file, but also displays the exact detection label returned by each engine (e.g. I-Worm.Allaple.gen).
This feature is also present in URL scanners. Most of them will discriminate malware sites, phishing sites, suspicious sites, etc. Moreover, some of the engines will provide additional information explicitly stating whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, etc.
Information about the number of resources (files and URLs) processed by VirusTotal can be found in the statistics section. These statistics provide a number of notions and groupings, such as global detection ratios for the received files, submissions per country, most popular detection labels, etc. No statistics comparing the different antivirus products and website detection engines are generated—neither will they ever be generated (on a public or private basis), even though their calculation is trivial. The reason is that using VirusTotal for antivirus testing is a bad idea.
File and URL scanning can be automated with a free public API. For obvious reasons (including prevention of competition with the antivirus products present in VirusTotal), the public API is subject to a strong request rate limitation. Should a user require a higher request rate, a honeypot API is available for researchers and a private mass API is offered to individuals with commercial and product enhancement intentions. A detailed specification of the different APIs can be found in the advanced features section.
In August 2010 VirusTotal integrated a pseudo-social network that allows its users to interact with other users and comment on files and URLs. These comments may range from deep malware analyses to information on the distribution vector and in-the-wild locations of the submitted files. Hence, the community acts as the collective intelligence component of VirusTotal. Files and URLs can be voted as malicious or innocuous, building a community maliciousness score for the resource.
In other words, when security products fail (false positives/false negatives), there is still a chance that some VirusTotal Community user will have produced a useful review of the resource for its community peers.
With the aim of making the Internet a safer place, VirusTotal's team has released a number of desktop applications and tools for interacting with the service (one-click file uploader, browser extensions, etc.). Many of VirusTotal's users have also developed their own applications and have made them publicly available on the Internet. More information about these resources can be found in the advanced features section.
The most important rule governing VirusTotal's usage is that none of its publicly offered services/applications should be used in commercial products, commercial services or for any commercial purpose. In the same way, none of the services should be used as a substitute for security products. This is particularly critical and of utmost importance when dealing with the public API.
A number of file submission methods are available in VirusTotal.
As with files, URLs can be submitted via different means; these are detailed below:
Unlike file submissions, there is no email interface to support sending of URLs.
VirusTotal is not a substitute for any antivirus/security software installed on a PC, since it only scans individual files/URLs on demand. It does not offer permanent protection for users' systems either. At VirusTotal we think of our service as a second opinion regarding the maliciousness of your files/URLs.
Although the detection ratio achieved by the use of multiple antivirus engines/URL scanners is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file/URL. Moreover, the aggregate amount of false positives of multiple solutions is higher than that of any individual scanner.
Currently, there is no solution that offers 100% effectiveness in detecting viruses, malware and malicious URLs. You may become a victim of deceitful advertising if you buy such a product under those premises.
None of the services or applications publicly offered on this site should be used in commercial products, commercial services or for any business purpose. In the same way, none of the services should be used as a substitute for security products.
Similarly, VirusTotal should not be used in any way for unethical/malicious purposes.
At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:
These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea. The Prevx team also made an entry in their blog discussing the matter.
Very often antivirus solutions and URL scanners will produce false positives, i.e. detect innocuous files and URLs as malicious. These erroneous detections may severely hinder the business activity/popularity of third party products (e.g. blocking access to a given site, dissuading users from downloading and installing a given application, etc.).
VirusTotal simply acts as an information aggregator and cannot and will not be held responsible for these false positives. VirusTotal will not whitelist any files or URLs and will not remove any detections resulting from the normal operation of the products it makes use of. False positives should be dealt with by contacting the developer/company that offers the product generating the erroneous detection. Links to the sites of the developers/companies of all products/tools used in VirusTotal can be found in the credits and collaboration acknowledgements section.
Having said this, VirusTotal does offer a premium file detection monitoring service (VirusTotal Monitor) that acts as an early warning system about false positives. Files submitted to your premium account are periodically scanned with the antivirus products' latest signature sets, informing you immediately whenever any product flags any of your files as malicious. Should you be interested in receiving more information on this service, do not hesitate to contact us.
Files and URLs sent to VirusTotal will be shared with antivirus vendors and security companies so as to help them in improving their services and products. We do this because we believe it will eventually lead to a safer Internet and better end-user protection.
By default any file/URL submitted to VirusTotal which is detected by at least one scanner is freely sent to all those scanners that do not detect the resource. Additionally, all files and URLs enter a private store that may be accessed by premium (mainly security/antimalware companies/organizations) VirusTotal users so as to improve their security products and services.