× Cookies are disabled! This site requires cookies to be enabled to work properly

Answers to common VirusTotal related questions can be found under the topics listed below. Should you have a question that is not present in this FAQ please do not hesitate to contact us with your inquiry. Before asking please make sure it has not been answered in this FAQ or in any of the pertinent VirusTotal documentation sites.

Navigate directly to questions about:

Antivirus file scans
URL scans
VirusTotal API
Including new antivirus solutions and tools in VirusTotal
VirusTotal statistics
VirusTotal site translations
Shortcuts
VirusTotal Community

Antivirus file scans

What kind of files will VirusTotal scan?

VirusTotal will scan, and detect, if appropriate, any type of binary content, be it a Windows executable, Android APKs, PDFs, images, javascript code, etc. Most of the antivirus companies involved in VirusTotal will have solutions for multiple platform, hence they usually produce detection signatures for any kind of malicious content.

I want to scan my entire system, where can I download VirusTotal?

VirusTotal just provides a second opinion on a given file or URL. It is by no means a full-fledged antivirus and we do not want it to be, therefore, VirusTotal is not available for download, it is just a web application.

Having said this, we have built a desktop application that eases the task of uploading files to our multiantivirus scanner, find out more about VirusTotal uploader or check other community alternatives such as PhrozenSoft VirusTotal Uploader, though we are not responsible for the latter.

What is the maximum file size that can be submitted to VirusTotal?

64MB for the web and email interfaces, 32MB for the API interface by default. Having said this, should you have a strong and justified need to send big files through the API (even larger than 64MB) you can contact us in order to have access to the big files API call.

I have inadvertently uploaded a file with confidential or sensitive information to VirusTotal, can you please delete it?

We are very concerned about the privacy of our users and will do everything that is in our hands in order to ensure that privacy is preserved, please use our contact form to inform us about the issue.

I want to automate scans, what should I do?

VirusTotal provides an email interface and a public API for automating analysis tasks, you can find more information in the VirusTotal documentation site.

The antivirus result displays a green circle with a white tick mark, what does this mean?

VirusTotal makes use of the symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.

The antivirus result displays a grey clock, what does this mean?

VirusTotal makes use of the symbol to indicate that the antivirus scanner under consideration timed out when analysing the submitted file. This does not necessarily mean that the antivirus has a problem with the file, as VirusTotal processes files in batches, it just means that at a particular point in time, under certain machine-load circumstances the antivirus did not produce a result for the file in a timely manner.

A given antivirus in VirusTotal detects a file and its equivalent commercial version does not

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.

VirusTotal is detecting a legitimate software I have developed, please remove the detections

VirusTotal acts simply as an information aggregator, presenting antivirus results, file characterization tool outputs, URL scanning engine results, etc. VirusTotal is not responsible for false positives generated by any of the resources it uses, false positive issues should be addressed directly with the company or individual behind the product under consideration.

We can, however, help you in combatting false positives. VirusTotal has built an early warning system regarding false positives whereby developers can upload their software to a private store, such software gets scanned on a daily basis with the latest antivirus signatures. Whenever there is a change in the detections of any of your files, you are immediately notified in order to mitigate the false positive as soon as possible.

The version information of a given antivirus is not coherent with its latest commercial product, is it out of date?

No. Normally the version displayed in VirusTotal is decided by the company providing the antivirus solution, it does not always follow the same rules as its commercial product. To check if a given antivirus is up-to-date you should have a look at its last update field, this date reveals the last time that a new set of signatures was downloaded for the product.

Some engines have relatively old last update dates, please update the antivirus signature set

Each antivirus solution present in VirusTotal makes a signature update infrastructure available to VirusTotal. VirusTotal periodically polls this infrastructure (each 15 minutes) in order to see if there is anything new to download. Therefore, if the last update date for new file scans is old it is because the given antivirus vendor has not released any new signatures for VirusTotal.

URL scans

I asked for a URL scan but the file located at the given URL was not enqueued for antivirus scanning

The URL scanner will only enqueue for antivirus file scanning those files that are not text or similar formats (HTML, CSV, XML, etc.). Executables, images, music files, etc. will be always enqueued.

Another reason could be that the URL response content could not be retrieved at the time of analysis (due to some network error, because the response content is larger than 32MB in size, etc.).

Some URL scanner detects a given URL but its corresponding antivirus solution does not detect the downloaded file, or vice-versa

Very often URL scanners and antivirus engines are independent solutions even though they may belong to the same company, hence, detecting a given URL as malicious does not necessarily mean that the file located at such URL will also be detected, and vice-versa.

Moreover, sometimes the URL might be malicious (e.g. phishing site) but the downloaded file (HTML of the phishing site) may not necessarily be a theat for your computer. Other times, the downloaded file might indeed be flagged by the antivirus signatures but the corresponding URL scanner might still have no knowledge that a given URL is distributing such file.

I am experiencing a false positive, my site should not be detected.

VirusTotal simply aggregates the output of different antivirus vendors and URL scanners, it does not produce any verdicts of its own. As such, if you are experiencing a false positive issue, you should notify the problem to the company producing the erroneous detection, they are the only ones that can fix the issue. Please note that even if we were able to remove the flag, the users of such product would still be blocked from accessing your site.

VirusTotal API

Please give me an API key

You do not need to ask for a public API key, in order to get one you just have to register in VirusTotal Community (top right hand side of VirusTotal). Once registered, sign in into your account and you will find your public API in the corresponding menu item under your user name.

The 4 requests/minute limitation of the Public API is too low for me, how can I have access to a higher quota?

Special privileges can be considered for honeypots, honeyclients and other projects providing resources (samples or URLs) to VirusTotal.

VirusTotal also offers a private mass API. This API provides a higher request rate (that can be agreed with the VirusTotal team) and offers far more information and features than the public API. Find out more about the private API.

If any of these alternatives suits your purposes do not hesitate to contact us.

What is the difference between the public API and the private API?

First of all, the private API has an unlimited request rate. The service is desgined as a volume stepped flat rate model.

Secondly, the private API gives you access to much more information than the public API, this information includes (but is not limited to):

  • All reports on a given sample or URL, not only the most recent one.
  • File and URL information provided by tools integrated in VirusTotal (PEinfo, PEiD, ExifTool, packers, sandbox links, sigcheck, etc.).
  • Behavioural execution information.
  • Metadata provided by VirusTotal: number of submissions, submissions vs. datetime, country of the sender of a given file, file names with which a sample has been submitted, first and last times a sample was seen, etc.
  • Goodware information: whether a given hash is goodware or not, products in which the file is found.
  • Property to sample queries: reverse searches such as "give me all samples that are detected with the following signature", "give me all samples that are detected by more than 10 engines", "give me all samples that contain a given PE section with the following hash", etc. these queries can be combined to build complex requests.
  • YARA notifications on the samples received at VirusTotal.

In addition to returning more information, the private mass API will allow you to download submitted samples for further research, along with the network traffic captures they generate upon execution and their detailed execution reports.

At the same time, the private mass API has a strict Service License Agreement (SLA) that guarantees availability and readiness of file and URL reports, making it suitable for integration in commercial services and products.

Other advanced queries specific to your needs can also be implemented. If you are interested in the private API do not hesitate to contact us.

I integrated the public API in free software, the default request rate is too low to attend all my users

The public API request can be fixed by the tuple (api key, IP address). Whenever this is done it is this tuple the one having the 4 requests/minute limitation and not the key on its own. This means that you can include a unique key in the software you have developed and each one of your users (provided they are not sharing their IP address) will experience a different 4 requests/minute limitation. Contact us in order to make your key a shared key, this is a free setting.

What do you consider an API request?

When considering API quotas, an API request is not equivalent to an HTTP request. This concept designates a single item lookup in the VirusTotal dataset. Therefore, if you were to make one single batch HTTP request asking for 10 hashes, that would count as 10 API requests. Analogous counting takes place for other items such as URLs, domains or IP addresses.

Including new antivirus solutions and tools in VirusTotal

I would like to include my antivirus product/URL analysis engine in VirusTotal, what should I do?

The process could not be easier, just contact us. We will tell you what we need.

In exchange for providing an antivirus solution you will receive all files submitted to VirusTotal that are not detected by your product and are detected by at least one other antivirus, along with their corresponding VirusTotal reports.

In exchange for allowing us to use a URL analysis engine you will receive the whole feed of URLs submitted to VirusTotal, along with their corresponding VirusTotal reports.

I requested the inclusion of my antivirus solution in VirusTotal some time ago and it has not been integrated yet

There is a relatively large waiting list for inclusion of antivirus solutions in VirusTotal, be patient. Integration of URL analysis engines is much quicker, so if you are still waiting do not hesitate to contact us.

VirusTotal statistics

Why do not you include statistics comparing antivirus performance?

At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:

  • VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
  • In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
  • Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/agressiveness level than the official end-user default configuration.

These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea, you can read more about VirusTotal and antivirus comparatives in our blog.

I want to suggest some other data correlation that would be very interesting to display

We want to continue improving the statistics section, so do not hesitate to send us your suggestions

VirusTotal site translations

Please translate the site to my language

Our aim is to have VirusTotal translated to as many languages as possible, however, we need some time to be able to do it, please be patient. To speed up this process you might want to consideer volunteering in order to translate VirusTotal to your language, keep reading.

I want to translate VirusTotal to my language, what should I do?

The first step is to contact us and specify the target language. Once the request has been approved we will give you access to our translation application and you will be able to start building VirusTotal in your language.

Shortcuts

How can I link to the most recent report on a given file or URL?

There is a specific HTTP GET request to do this, feel free to use this link feature in your sites. The link is as follows:

https://www.virustotal.com/latest-scan/<resource>

Where resource is one of:

  • The MD5 of a given file that was scanned by VirusTotal.
  • The SHA1 of a given file that was scanned by VirusTotal.
  • The SHA256 of a given file that was scanned by VirusTotal.
  • A URL that was scanned by VirusTotal.

Note that this feature is subjected to the same 4 requests/minute limitation as the public API and search feature.

VirusTotal Community

How can I increase my VirusTotal Community reputation?

There are two main ways of gaining reputation credits:

  • Become trusted: each time a VirusTotal Community member trusts you, you are automatically added 10% of his current reputation.
  • Produce high quality sample and URL comments: if you post interesting comments on samples and URLs other users may vote your comment as useful, whenever this happens you are added 3 reputation points. Moreover, your comments might be read by a VirusTotal team member and he might decide to boost your reputation.
Why should I vote a file or URL as harmless or malicious?

Whenever you vote a file or URL as harmless or malicious a mathematical function is applied to your reputation and the result of this function is added as reputation points to the file's maliciousness index. The overall file score may be used by other users as an additional indicator on the nature of the file in addition to the antivirus results. The number of votes in one sense or another also serve the same purpose.