VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.
VirusTotal’s mission is to help in improving the antivirus and security industry and make the internet a safer place through the development of free tools and services. VirusTotal's main characteristics are highlighted below.
Free unbiased service ::
VirusTotal, is offered freely to end users as long as its use has no commercial purpose and does not become part of any business activity. Even though the service works with engines belonging to different enterprises and organizations, VirusTotal does not distribute or advertise any products belonging to third parties, but simply acts as an aggregator of information. This prevents us from being subjected to any kind of bias and allows us to offer an objective service to our users.
Runs multiple antivirus engines and website scanners ::
VirusTotal simply acts as an information aggregator. The aggregated data is the output of different antivirus engines, website scanners, file and URL analysis tools and user contributions. The full list of antivirus solutions and website scanners used in VirusTotal can be found in the credits and collaboration acknowledgements section.
Runs multiple file and URL characterization tools ::
As previously stated, VirusTotal also aggregates the output of a number of file and URL characterization tools. These tools cover a wide range of purposes, ranging from providing structural information about Microsoft Windows portable executables (PEs) to identifying signed software. The full list of file and URL characterization tools used in VirusTotal can be found in the credits and collaboration acknowledgements section.
Real time updates of virus signatures and blacklists ::
The malware signatures of antivirus solutions present in VirusTotal are periodically updated as they are developed and distributed by the antivirus companies. The update polling frequency is 15 minutes—this makes sure that the products are using the latest signature sets.
Website scanning is done via API queries to the different companies providing the particular solution, hence, the most updated version of their dataset is always used.
Detailed results from each scanner ::
VirusTotal not only tells you whether a given antivirus solution detected a submitted file, but also displays the exact detection label returned by each engine (e.g. I-Worm.Allaple.gen).
This feature is also present in URL scanners. Most of them will discriminate malware sites, phishing sites, suspicious sites, etc. Moreover, some of the engines will provide additional information explicitly stating whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, etc.
Real time global service operation statistics ::
Information about the number of resources (files and URLs) processed by VirusTotal can be found in the statistics section. These statistics provide a number of notions and groupings, such as global detection ratios for the received files, submissions per country, most popular detection labels, etc. No statistics comparing the different antivirus products and website detection engines are generated—neither will they ever be generated (on a public or private basis), even though their calculation is trivial. The reason is that using VirusTotal for antivirus testing is a bad idea.
Automation API ::
File and URL scanning can be automated with a free public API. For obvious reasons (including prevention of competition with the antivirus products present in VirusTotal), the public API is subjected to a strong request rate limitation. Should a user require a higher request rate, a honeypot API is available for researchers and a private mass API is offered to individuals with commercial and product enhancement intentions. A detailed specification of the different APIs can be found in the advanced features section.
Online malware research community ::
In August 2010 VirusTotal integrated a pseudo-social network that allows its users to interact with other users and comment on files and URLs. These comments may range from deep malware analyses to information on the distribution vector and in-the-wild locations of the submitted files, hence, the community acts as the collective intelligence component of VirusTotal. Files and URLs can be voted as malicious or innocuous, building a community maliciousness score for the resource.
In other words, when security products fail (false positives/false negatives), there is still a chance that some VirusTotal Community user will have produced a useful review of the resource for its community peers.
Desktop applications for interacting with the service ::
With the aim of making the Internet a safer place VirusTotal's team has released a number of desktop applications and tools for interacting with the service (one-click file uploader, browser extensions, etc.). Many of VirusTotal's users have also developed their own applications and have made them publicly available on the Internet. More information about these resources can be found in the advanced features section.
Online :: https://www.virustotal.com/