Last Updated on February 4, 2024 by Mathew Diekhake
VirusTotal is a free online virus and malware scanner owned by Google. Using VirusTotal is the equivalent of 80+ different antivirus and antimalware tools bundled together. Unlike antivirus programs running on your computers and taking away viruses and malware after they have been installed, VirusTotal allows you to scan the URL of a file directly before opening it. Or, if you wanted, you could download the files first and then find out straight away how clean the file is that way.
The reasons for wanting to use VirusTotal are the same as why you want to run antivirus protection in general: the web is a great place, but there are also people out there doing things, usually, because it leads to them being able to make money one way or another, that can cause you harm. Most often this is done by hiding malware in bundles and other free files that you then unknowingly download—a big issue in recent times has been malware (adware in particular) hiding inside files that people think are torrents that they’re downloading, and often these torrent sites can even host sponsored links that are files with nothing but a healthy dose of adware.
VirusTotal isn’t a substitute for antivirus protection. VirusTotal is just another layer of protection that you can apply over the top of your existing protection because programs like Windows Defender aren’t stopping harmful files from being downloaded; they are hopefully detecting them when they scan the system periodically, so those files can be on your system between the period of you downloading them and when that period scan eventually begins.
Sometimes malware comes from domains that are spelled similarly to the websites you want to visit. For instance, mistype facebook.com by one letter, and all of a sudden you are on a webpage that is deceiving you into thinking that you are on the real Facebook website and you then begin to click away. I consider myself a web guru, given that I visit websites nearly all day long, and I cannot say I find these types of tricks very often. Part of the reason might be because the web browser does a good job of keeping it in its memory and automatically spelling the rest of the works for me after I’ve done it a few times. Sometimes you’ll get a bunch of links that are advertising on these landing pages because they are owned by people and available to be purchased. These are called “parked” domains, and the ads give them a means of continuing to make money while it is being parked, which is important for sellers because you have to pay a yearly fee to hold onto a name. That’s not to say that what this man is suggesting is not the case for many websites out there. I just do not think it is a huge problem at the moment. Nonetheless, VirusTotal has a handy feature available that will help you land on the correct webpages and domains when you misspell them. It does this by having an algorithm that can detect websites with similar names and direct you to those instead of the webpages and domains that do not have anything there. What’s more, it is particularly handy because it has people looking out for those domains that exist that do have malware and trying to catch you out, making sure those are ones you will not land on.
VirusTotal uses the following security vendors:
- Abusix
- Acronis
- ADMINUSLabs
- AICC (MONITORAPP)
- AlienVault
- alphaMountain.ai
- Antiy-AVL
- Artists Against 419
- Avira
- benkow.cc
- Bfore.Ai PreCrime
- BitDefender
- BlockList
- Blueliv
- Certego
- Chong Lua Dao
- CINS Army
- CMC Threat Intelligence
- CRDF
- CyberCrime
- Cyble
- CyRadar
- desenmascara.me
- DNS8
- Dr.Web
- EmergingThreats
- Emsisoft
- ESET
- ESTsecurity
- Feodo Tracker
- Forcepoint ThreatSeeker
- Fortinet
- G-Data
- Google Safebrowsing
- GreenSnow
- Heimdal Security
- Hoplite Industries
- IPsum
- Juniper Networks
- K7AntiVirus
- Kaspersky
- Lionic
- MalSilo
- Malwared
- MalwarePatrol
- malwares.com URL checker
- Nucleon
- OpenPhish
- Phishing Database
- Phishtank
- PREBYTES
- Quick Heal
- Quttera
- Rising
- Sangfor
- Scantitan
- SCUMWARE.org
- Seclookup
- SecureBrain
- securolytics
- Snort IP sample list
- Sophos
- Spam404
- StopForumSpam
- Sucuri SiteCheck
- ThreatHive
- Threatsourcing
- Trustwave
- URLhaus
- Viettel Threat Intelligence
- ViriBack
- Virusdie External Site Scan
- VX Vault
- Web Security Guard
- Webroot
- Yandex Safebrowsing
- ZeroCERT
What Is VirusTotal Used For?
When you open the front page of the VirusTotal website, you’ll see three tabs available. The first is “File.” It gives you a button beneath it for uploading and scanning files. This isn’t a great starting point and would confuse people: the main point of using VirusTotal over something like Windows Defender is scanning before the files are on your hard drive. Otherwise, people would wait for Windows Defender to scan it if it were already downloaded. The second tab on the page—and a much wiser tab to show first—is the “URL” tab, and when you click on it, it gives a field where you can paste a URL of a file. The third tab is the “Search” tab, and you can enter a website domain or IP address here. There is little difference between the Search and URL tabs, and it is possible to enter domain names in both. The difference is the IP address and file hash.
Scanning URLs
In this example, we will use files from the Major Geeks forum. This is a popular forum for geeks and where many useful tools we’ve used over the years have become available to download. Using the Major Geeks site navigation down the left side of the homepage, I’ve clicked on the “System Tools” link to find some tools to download. When I click through to the page that the link is on, I’m going to right-click the mouse over the link and then choose to copy it. That way it isn’t downloading to my computer, and I’ve copied the link’s URL because each link needs to have a URL where it is shown on a webpage. You’ll be able to right-click any link from any webpage like this online. So you find the file you want to download from the webpages you visit and do the same thing.
Now you need to open the VirusTotal website, found at https://virustotal.com, click on the “URL” tab from its homepage and then paste the URL that you copied from your download source webpage. When you do, it’ll look like this in the picture below.
Click on the magnifying glass on the right side of the URL field, and it starts to analyze your file’s URL. When it’s complete, you’ll get a score at the top of the page just like in the picture below. You can also scroll down the page and check out all the different antimalware and antivirus results after it was scan by each of them.
Many IT administrators use VirusTotal for scanning files, and you can immediately start to think of ways you can use it yourself. So many people out there are downloading torrent files, whether legally or not, and just hoping that the file they are downloading is not a virus. There’s no need to be taking that risk. All you need to do is remember this website, copy and paste the link, and check the results. The scan will be completed relatively quickly for most files.
Uploading Files from Your Computer
Any file that is already on your computer could be harmful if it is malware or a virus. The chances of it being harmful dramatically increase if the file is sitting inside an account that has administrative permissions. The antivirus that you have installed on the computer will periodically scan and then get rid of any known threats for you, so hopefully, that results in your mistakes not causing too much damage. Nevertheless, VirusTotal also offers the option to upload files that are on your computer so you can scan them as well. That way you get to find out instantly if it’s something that is a threat so you don’t have to wait until whenever that next virus scan your antivirus does might be. If you’re anything like me, you probably won’t go to the effort of using this part of the tool all that often because you’ll just lazily let your antivirus software pick it up then instead, but the option for uploading files is still very useful nonetheless.
In this example, I’m going to head back to the Major Geeks forum and download a file this time so that it ends up on my hard drive and then I’ll upload it to the VirusTotal tool. The tool I’ve downloaded this time is the ClearIP tool for monitoring my IP address and detecting changes, so that’s the files details you’ll see when I upload it from my hard drive. You just visit whatever webpage you want to download your tools from so they end up on your hard drive instead.
After downloading the file, open the VirusTotal website again and this time leave it on the File tab from the homepage and click on the Upload and scan file button.
Now you just upload the file from your Downloads folder in File Explorer and then it starts the scan right away without having to click anything from the VirusTotal website. The next thing you’ll see is your results showing up. This time one engine has been found. You can look further down the same page to find out what antivirus or antimalware software picked it up as harmful and the others that didn’t. The more software that suggests your file is harmful, the more likely that it is harmful.
Now because I’ve been given one potential red flag, it has me feeling a little nervous about this file, so it’s time to do some further investigating. On the same results page, you’ll see three tabs: the Detection tab, the Details tab, and the Community tab. Each of the additional tabs is useful for trying to figure out what to do next. The value of the community tab is pretty straightforward: you get to read comments left by others, and they help you judge the file’s safety based on other people’s experience. Just getting one reg flag is quite common so you shouldn’t assume this is going to be a virus, but you’ll want to make sure as best you can before deciding to keep it on my computer. So what you need to do next is click on the Details tab and then feast your eyes on the History section.
Under the History heading, you’ll see a date of creation, date of the files first submission, date of its last submission and last analysis. What you want to do is make sure that there is a reasonably large gap between the dates from this section. The fact that this file was created way back on 2005, was then submitted in 2007 and was then submitted to VirusTotal in 2013 tells me that the likelihood of this file being a virus is very low. A red flag would be if the date of creation and submission were the same day or a time that were only a few days apart. That’s far more what you can expect to find from a malicious file because they generally won’t go to anywhere near as much effort as creating something and then letting it sit there for a long tie just to try to make it look real. Nobody has time for that, so it just isn’t likely to happen.
The reason this History heading is so important is that it is possible for someone to change the file name and then repost a file on a website. If that happens then, the hash code will be different on the VirusTotal results page, and it will mean a new creation date. Anything that’s only been around the internet for a short amount of time is going to be a risky keep and anything that’s been around for a long time is likely safe.
Web Tip: One thing I noticed while researching VirusTotal was that it’s best to head to a search engine like Google and type the name of the website that you want to visit rather than typing the name into the address bar. All websites with high-quality content will be indexed in Google. The search engine, so long as it is one of the more reliable ones, will be able to tell what site you are looking for if you slightly misspell it. Things can be trickier for blogs and news sites that aren’t some of the largest in the world, but generally speaking, if it’s something that you know is a well-known site, use Google instead of the address bar so you avoid landing on a domain that is trying to trick you into thinking it’s the real domain. It’s very difficult to get a website ranking well on Google, even if you’re someone writing high-quality content every day. Google is smart enough to not rank the junk and always rank the real site. There are also things you can look for to know that the domain you are searching for is the legitimate one, such as social media pages beneath it, a logo and Wikipedia links available to the right of it, and so on. And if it’s a really big company like Facebook you might even get the stock prices etc. appearing to the right of the link. The important thing to note is that those extra details Google is giving you are associated with the link on the left which is the link you visit to go through to the website itself. Again, I should reiterate that it isn’t like that for all sites—you know we are a legitimate and trustworthy source of information, and yet we don’t have any flashy information in Google, partly because we don’t try to do things like create Wikipedia pages and partly because we just aren’t big enough. But if what you are looking for is a big site such as Facebook then these details will always be there. They get so much traffic that it becomes a priority for search engines to let you know what the official site is in its results, and they must do so because where there’s a lot of traffic, there are opportunities for viruses to try to take advantage of the misguided traffic.
Related Tutorials