VirusTotal: a valuable and free tool at your service
/What if I told you there is a way to run a file or URL (website address) through numerous different security (or antivirus) vendors for free. I know you’re probably quoting the old adage right now of, “If it’s too good to be true it usually is”, but in this case such a tool does exist and it is known as VirusTotal.
There are actually a lot of free tools available in the security industry, but today we are going to discuss one in particular. If you have a file you aren’t sure of or see a URL (website link) you haven’t seen before, I would recommend visiting virustotal.com. You can use virustotal to have the file or URL analyzed by 50-60+ security vendors to see if the file or URL is considered malicious. When you visit virustotal, you will see a “File” tab and “URL” tab. If it is a file, click the “File” tab and locate the file in question on your computer. If it is a URL, click the “URL” tab and cut-and-paste or type the URL into the field. Click “Scan it!” to see what the results are.
Please read the important NOTE at the bottom of this post before uploading anything to VirusTotal.
It is important to remember though; VirusTotal works on the same signature based technology as antivirus. This means the security vendors scanning the file or URL must have seen them before, know they are malicious and have created a signature to detect it. So just like antivirus, VirusTotal isn’t 100% effective either. You shouldn't assume a file is clean or safe, just because security vendors haven't rated a file or URL as malicious.
You are probably asking yourself, then why would I use VirusTotal in the first place? That is a fair question and here is an example of how it should be used. Before we discuss how VirusTotal can be used, let me point out one important thing to keep in mind. If you have a feeling the file in question may contain sensitive information about you, your family or your clients, I would suggest not uploading it to VirusTotal. Uploading files to VirusTotal could mean they will be viewable by others on the internet. For more information, refer to the NOTE at the bottom of this article.
Now that you know files containing personal, private information shouldn't be uploaded to VirusTotal, let's dig into an example of how you should use the service. Let's say you need to download a piece of software or a pdf file containing instructions. You navigate to a well-known website to download the file you need. After you download the file, you use your antivirus to scan it. Let’s say your antivirus says the file is safe/clean, but you would like additional confirmation. This is where you can visit VirusTotal to have 60+ different security companies scan the file. If 60+ different security companies have said the file is clean/safe and you downloaded it from a well-known source, I would argue it is safe to open. The key reason I would say it is probably safe to open, is because it was downloaded from a well-known, reputable source. Plus, if the file has been scanned in the past (say several weeks or months prior), that's another good indication it is probably safe.
However, if you are downloading a piece of software from an unknown or obscure website, I personally wouldn’t trust the results of VirusTotal . This comes back to VirusTotal being signature based technology. There is a possibility the file was recently added to the unknown website and hasn’t been seen by antivirus companies yet.
If you would like to know my normal M.O. (modus operandi), I always, always try to find software I need from a well-known website. I then run it through VirusTotal to see what I can learn. I first look at the "History" section on the "Details" tab. I look to see when the file was first submitted and last analyzed. I'm hoping to see that the file was analyzed many weeks, months, or years prior to me analyzing. That would indicate the file has been going around the internet for a while, giving anti-virus companies more of an opportunity to create a signature for the file if it was malicious in nature. I also look further down the "Details" tab to see if the description for the file is what I'm expecting and that the signature is from the company I'm expecting it to be from (see the video example below for more information). If everything looks good on the "Details" tab, no security vendor rates the file as malicious and I personally downloaded the file from a reputable website, then I cross my fingers and install the software. This is assuming of course, I really need the software. I hardly ever just install random software anymore. I know the risk is just too great, so unless I really need it, I avoid it all together. One thing for sure though, I very, VERY rarely, if ever, download and install software from an unknown/obscure website. That risk is one I definitely don’t want to take unless it is absolutely necessary. I follow the same process when visiting websites. I use VirusTotal to check to see if any of the major security vendors have rated the URL/website as malicious, I check the "Details" tab to see if a security company has categorized the website in a category I'm expecting to see (such as ESPN categorized as Sports). If everything looks good and no vendor rates the site as malicious, I perform one last step by searching for the website or company in a trusted search engine to see what results are returned. I'm hoping to see evidence that the website is well-known. I do not want to see references to malware, scams, or strange search results (see the 2nd video example below for more information). If I do not see any suspicious indicators and I need to visit the website, then I continue on.
NOTE: Please be cautious about what files you submit to VirusTotal. If you believe there may be sensitive information in the document, such as a social security numbers, birth dates, company proprietary information, etc., I would urge you not to upload it to VirusTotal as it could compromise your personal information. There are some people with the ability to view documents that are uploaded to the system, which means they would see what is on the document. If you have doubts about the document and believe it may contain sensitive or private information, I would reach out to the sender by phone and confirm what they sent you or have them resend it just to be sure. Use a phone number you have somewhere else, don’t use a phone number that came in an email if you are suspicious. If you are good with computers, the best thing to do would be get the hash value of the file and only submit the hash value to VirusTotal and not the file itself. Uploading an executable file you downloaded from a website is safe to submit to VirusTotal as it shouldn’t contain your personal information.
Video below demonstrates how to analyze files within VirusTotal to determine if they are malicious.
Video below demonstrates how to analyze a URLs or website addresses with VirusTotal to determine if they may be malicious. The video demonstrates the recommended procedure of using a trusted search engine to navigate to a website/URL as well as 3 examples with 2 of the examples demonstrating legitimate sites that happen to be compromised resulting in them being malicious.