virus-total-feature-image

Be Careful With VirusTotal

Overview

VirusTotal is an online scanning tool many Daves Computer Tips readers use to scan for malicious content. However, DCT readers need to be careful when using VirusTotal.

VirusTotal

The Spanish security company Hispasec Sistemas created and launched the VirusTotal website in 2004. In September 2012, Google acquired the company. In January 2018, the ownership of the company changed to Chronicle, a subsidiary of Google.

The online VirusTotal website aggregates over 70 antivirus engines as well as URL/domain blocklisting services to scan uploaded items for malicious content. Users can upload files up to 650 MB to the website or send files up to 32 MB via email. These files are checked against aggregated data or scanned by the engines. This allows users to test for malicious content that their own antivirus software may have missed. In addition, users can see if a positive flag from their personal security software might be a false positive.

VirusTotal is an excellent resource for getting a clear indication of whether an executable is malicious. If you are installing a program for the first time, if you are unsure of the source of the software, or if you simply do not know much about the software, it is a good idea to scan the file with VirusTotal before installing it.

Many readers of Daves Computer Tips use VirusTotal. Whenever I am unsure about the source of some software, I scan the executable with VirusTotal to ensure it is safe. Other DCT writers do this as well (see Jim Hillier’s What Are False Positives & Why Do They Occur and Terry Hollet’s How To Cut/Split Movies With MP4 Splitter). As Jason Shuffield wrote, VirusTotal can also be used to check websites for malicious content.

Why Users Need To Be Careful Using VirusTotal

Because VirusTotal acts like a scanner, most users think it acts like the antivirus scanner on their PC. They ask the scanner to scan a file for malicious content, and the scanner returns a clean or flagged response, and that is it. However, this is not how VirusTotal works. VirusTotal is a tool used by the security community to raise the global security level. When you upload a file to VirusTotal, you are submitting it to the VirusTotal community. These malware samples are valuable to security researchers.

However, Google does not clearly disclose that anyone who is a paid user of VirusTotal can see everything that is submitted to the community.

When uploading a file to VirusTotal, a person or company may inadvertently include sensitive information. For an individual, this may include data such as banking information, credit card information, passwords, etc. For a business, this may include data such as intellectual property, payroll data, customer data, etc. Many organizations have compliance regulations or security protocols that prohibit the use of VirusTotal.

In short, never submit anything that may contain personal or corporate information. Google hints about this on the entry page!

I wrote this article after seeing an add-on for Thunderbird that automates the uploading of email attachments to VirusTotal. I thought, “This is such a bad idea!” (Obviously, I will not link to this add-on.)

Bottom Line

VirusTotal is an excellent tool for checking files you suspect may contain malicious content. However, since all submissions are shared with the VirusTotal community, users must be careful about what they submit for analysis. In addition, automating the upload of email attachments for scanning is not wise and, in a business environment, may even be against your employer’s policies.

9 thoughts on “Be Careful With VirusTotal”

  1. Thanks John
    The amount of data these behemoth corporations have on us is staggering already. They truly are the “evil empire”. Everything seems free until a tyrannical government working in partnership with these corporates decide to utilise the data they have on you. People may laugh but the more I learn the more I’m keeping my tinfoil hat firmly on !
    Cheers
    Reg

    1. Thanks for the comment Reg. Actually, in this case, it is not the corporates or governments that have data on you. If you load a file with sensitive data, it is the VT community. This could consist of a individual in his basement up to security experts in those corporations or governments. If you load a file with sensitive data in it, they can see it (and possible use it in negative ways).

  2. The portable app PeStudio is a convenient front-end to VirusTotal that allows one to simply drag and drop a file into it for analysis; it also provides additional useful information (free version available):
    https://www.winitor.com/.

    1. Thanks AJ, PeStudio just submits hashes of executable files to VT. Checking EXE’s, even the full file, in VT is probably safe since in most likely does not contain sensitive data. However, using something like PeStudio which just sends a hash will be faster then sending a file (assuming the executable is already in VT’s database) since you will not need to upload a whole file.

  3. Peter Thompson

    Interesting. Didn’t realise it was owned by Google so good to know.

    I will add VirusTotal also doesn’t always show all results from AVs. AVs often use multiple layers of security and not all included in VirusTotal results.

    I’ve also heard of cyber criminals trying to use it to determine if their malware is going to be flagged

    1. Hi Eliott,
      Everything I wrote in the article applies to that program which is just submitting your file to VirusTotal for you.

  4. Hello John. I am a bit confused. I used to have Virus Total as an addon, which would scan all exe files prior to downloading. Forget why I uninstalled it, other than finding it more of a time constraint when getting files in exe format from well known sites. Thought my software would warm me and block corrupted files.
    So, is this process you are mentioning something new? This is where I get lost, Mindblower!
    Merry Christmas and Happy New Year.

    1. Hi Mindblower, thanks for the holiday greetings and wishing the same back.

      I’m not mentioning a process. I’d say to reread the post. But, quickly, VT stores a copy of everything submitted and any paid VT user can view these.

      So, say you get a email from your brother with 2 attachments. The first he tells you is a file he torrented from some site which promises to unlock that expensive piece of software you can not afford. The second is a self extracting archive file with the bitcoin keys repaying that $100,000 loan you gave him.

      The first file you may have wanted to scan with VT. If you scan the second file with VT, thousands of extremely computer literate people in the VT community will have access to that file from the VT database and you may find that one of them transferred the bitcoin funds before you could.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top

WHY NOT SUBSCRIBE TO OUR NEWSLETTER?

Get great content like this delivered to your inbox!

It's free, convenient, and delivered right to your inbox! We do not spam and we will not share your address. Period!