The VirusTotal Scan Guide
This guide is here to help you make informed decisions, but the final call on file safety is yours. Use your best judgment and be cautious. If you're unsure, consider seeking professional help from a security expert.
Check the Scan Date
Ensure that the scan date is recent. If it is not, click the 'Reanalyze' button to rescan the file so that new detections are picked up and old false positives are cleared.
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Look at the top-right side of the screen.
Check the Details Tab
Creation Time, First Seen In The Wild, and First Submission:
- Creation Time may be unreliable if obviously fake (e.g., set in the future).
- Compare First Seen In The Wild and First Submission dates with the product release date to identify recycled malware.
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Click on the 'Details' tab.
Check the Submitted Names
- Ignore names resembling hashes or generic terms like 'sample1.exe'.
- Multiple names for unrelated products suggest potential malware.
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Click on the 'Details' tab → Scroll down until you see the 'Names' section.
If It's Pirated Software
For pirated software, signature checks are of little help: cracked or patched files will not carry a valid signature anyway. For a file that should be an untouched official release, however, an invalid signature is suspicious.
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Click on the 'Details' tab → Scroll down until you see the 'Signature info' section.
Check the Relations Tab
Execution Parents / Resource Parents
Focus on installers or archives that contained, dropped, or downloaded the file. Ignore if scanning an installer that wasn't extracted from another file.
Dropped Files / Bundled Files
Examine files extracted from the scanned file, particularly useful when scanning archive files.
Graph Summary
Take a quick glance at everything once more.
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Click on the 'Relations' tab → Explore the various sections.
Check the Contacted IP Addresses/URLs
- Beware of overwhelming malicious results, but also consider false positives (e.g., drive.google.com is currently flagged as a phishing site by one of the AVs).
- Suspicion arises if a file that should have no need for network access (e.g., a keygen or patcher) makes unexpected requests.
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Click on the 'Relations' tab → Scroll down until you see the 'Contacted IP addresses' section.
Check the Behavior Tab
- Opening and reading files, writing/deleting temp files, and expected installer activities are generally benign.
- Suspicion arises if the file exhibits unusual behavior or accesses unnecessary areas.
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Click on the 'Behavior' tab → Scroll down and review the information presented.
Check the Detections Tab
- Generic/gen/susgen detections (like W32.Trojan.Gen) or AI/ML labels may indicate potential malware that doesn't match known signatures.
- Common detections for cracks, patches, etc., include riskware, hacktool, and not-a-virus (the last is specific to Kaspersky).
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Click on the 'Detection' tab → Scroll down and review the information presented.
Check the Highlighted Actions
Although rare, alarming statements like 'all your files are belong to us' require immediate action.
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Click on the 'Behavior' tab → Scroll down until you see the 'Highlighted actions' section.
Check the File Age
- New files may lack accurate detections, while older files should have more reliable results.
- A file's age can provide context; newer files warrant closer scrutiny.
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Click on the 'Details' tab → Scroll down until you see the 'History' section.
Check If It Has Multiple Similar Detections
If numerous specific detections align, it indicates higher risk.
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Look at the 'Popular threat label', 'Threat categories', and 'Family labels' sections.
Consider the Community Tab
While often cluttered, the Community tab occasionally contains valuable insights or warnings in its comments and votes.
How to find: Go to VirusTotal → Upload your file or search the file hash/url → Click on the 'Community' tab.
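The Scan Date, Details, Names and Detections checks above can be scripted against a file report. As an added example (not VirusTotal's or the guide author's code), this Python snippet runs them over a constructed report shaped like the attributes of a VT API v3 file object; the 30-day staleness threshold, the generic-name list and the label keywords are assumptions, and the sample data is constructed.

```python
"""Triage a VirusTotal file report against this guide's checks (added example, not VirusTotal's code)."""
import re
from datetime import datetime, timedelta, timezone

NOW = datetime.now(timezone.utc)
# Constructed sample shaped like the "attributes" of a VT API v3 file object; not a real report.
SAMPLE_ATTRIBUTES = {
    "last_analysis_date": int((NOW - timedelta(days=120)).timestamp()),
    "creation_date": int((NOW + timedelta(days=400)).timestamp()),        # obviously fake: in the future
    "first_submission_date": int((NOW - timedelta(days=700)).timestamp()),
    "names": ["sample1.exe", "a3f9c2e1b7d84e2f9c0a1b2c3d4e5f60",
              "PhotoEditor_Setup.exe", "TaxHelper2023.exe"],
    "last_analysis_stats": {"malicious": 6, "suspicious": 1, "undetected": 60, "harmless": 0},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "W32.Trojan.Gen"},
        "EngineB": {"category": "malicious", "result": "Trojan.GenericKD.123"},
        "EngineC": {"category": "malicious", "result": "HackTool.Win32.KeyGen"},
        "EngineD": {"category": "malicious", "result": "not-a-virus:RiskTool.Win32"},
        "EngineE": {"category": "undetected", "result": None},
    },
}
SAMPLE_RELEASE_DATE = NOW - timedelta(days=365)  # constructed: the product's release date

STALE_AFTER = timedelta(days=30)                             # assumed threshold for hitting 'Reanalyze'
HASH_LIKE = re.compile(r"^[0-9a-f]{32,64}$", re.IGNORECASE)  # MD5/SHA-1/SHA-256-looking names
GENERIC_NAMES = {"sample1.exe", "file.exe", "setup.exe"}     # assumed list of meaningless names
GENERIC_LABEL = re.compile(r"(?<![a-z])(susgen|generic|gen)", re.IGNORECASE)  # 'Gen', not 'KeyGen'
CRACK_LABELS = ("riskware", "hacktool", "not-a-virus")       # labels the guide calls common for cracks


def triage(attrs, product_release=None, now=None):
    """Apply the guide's Scan Date, Details, Names and Detections checks; one finding per check."""
    now = now or datetime.now(timezone.utc)

    def ts(key):
        return datetime.fromtimestamp(attrs[key], tz=timezone.utc) if attrs.get(key) else None

    names = [n for n in attrs.get("names", [])
             if not HASH_LIKE.match(n) and n.lower() not in GENERIC_NAMES]
    results = [r["result"] for r in attrs.get("last_analysis_results", {}).values() if r.get("result")]
    return {
        "stale_scan": now - ts("last_analysis_date") > STALE_AFTER,
        "fake_creation_time": ts("creation_date") is not None and ts("creation_date") > now,
        # recycled malware: the sample was submitted before the product it claims to be existed
        "predates_release": bool(product_release and ts("first_submission_date") < product_release),
        "meaningful_names": names,
        "multiple_product_names": len(names) > 1,  # several unrelated product names is a warning sign
        "generic_detections": [r for r in results if GENERIC_LABEL.search(r)],
        "crack_style_detections": [r for r in results if any(l in r.lower() for l in CRACK_LABELS)],
        "malicious_count": attrs.get("last_analysis_stats", {}).get("malicious", 0),
    }
```

Call `triage(SAMPLE_ATTRIBUTES, SAMPLE_RELEASE_DATE)` to see every check fire on the constructed sample; the findings are inputs to your own judgment, not a verdict.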
Conclusion
Even with thorough analysis, some uncertainty may remain. Exercise caution with suspicious files and generic detections.
If unsure, refrain from using the file.
This guide is adapted from the original VirusTotal scan guide by Clara, which can be found here.