Tuesday, August 27, 2019

How to and why use VirusTotal

Most people have an anti-virus program running on their PC, continually scanning for known malware. That's a good idea, but what about unknown malware? Unknown malware could be malware that is known to other scanners but not to the scanner you're using. Or, even worse, malware that is known to your scanner's vendor but not yet in the malware definitions list on your machine. What then?

Of course you should have your malware definitions list update automatically, but what if you could scan suspicious files with 60+ scanners, all of them up to date? That's where VirusTotal comes in. It's a free tool that scans files for bad stuff like malware. You wouldn't use VirusTotal to scan all your files, but it's perfect for one or two suspicious files, especially files you receive via e-mail or from other questionable sources.

How to Use VirusTotal: Scan Types

There are two ways to check a file against VirusTotal. If the file is under 250MB you can upload it. The other option is to take a hash* of the file and send that hash to VirusTotal.

To take the hash of a file you can use many tools. For example, here's a PowerShell command:

Get-FileHash C:\sol.exe -Algorithm SHA1 | Format-List

There are several tools available on the Internet to take a hash of a file, and you should check them before you use any. I occasionally use Microsoft's FCIV.
VirusTotal accepts hashes from the following algorithms: MD5, SHA1 or SHA256.

Copy the hash value and paste it into the VirusTotal search box.

VirusTotal Search
If VirusTotal recognizes the file by its hash, that's great news. If it doesn't, you need to assess whether the file contains any sensitive info (like your e-mail address or a software license assigned to you) before uploading it. Personal files such as documents and spreadsheets should not be uploaded to VirusTotal. Part of the deal you make with VirusTotal to use their service is that they don't keep the files you upload private, so always keep that in mind.

Most of the time you will get a result like this, where nothing is found:

For comparison, here is a bad result:

If this happens, delete the file without running it.

False Positives

Unfortunately there is always the possibility of false positives, which is when some scanners say the file is bad while other scanners say it's good. My rule of thumb: if Microsoft, Symantec and McAfee all say the file is good, it's probably okay, but if one of them says it's bad, don't trust it.

VirusTotal also offers a REST API to check hashes or files. In most cases this would be overkill. A script could be written to go through every file in a directory, generate its hash and send that hash off to VirusTotal. However, VirusTotal limits how many files you can send to the API with a free account and how often, so you can't use it to scan all the files on your hard drive. In some instances you should be using a local scanner instead; VirusTotal isn't a replacement for those times.
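As an added example (not code from the original post), here is a Python script that hashes a file locally, looks the hash up through the VirusTotal v3 file report endpoint, and applies the rule of thumb above to the report's per-engine results. It assumes you supply your own API key, that the engines appear in the report under the names "Microsoft", "Symantec" and "McAfee", and that an unknown hash comes back as HTTP 404; the sample report at the end is constructed, not real VirusTotal output.

```python
import hashlib
import json
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"  # v3 "get a file report" endpoint
KEY_VENDORS = ("Microsoft", "Symantec", "McAfee")          # engine names from the rule of thumb (assumed)

def hash_file(path):
    """Return md5, sha1 and sha256 hex digests, reading in chunks so large files fit in memory."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}

def lookup_hash(file_hash, api_key):
    """Look a hash up without uploading the file; returns the report, or None if VT has never seen it."""
    req = urllib.request.Request(VT_FILES_URL + file_hash, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:   # unknown hash: you decide whether the file is safe to upload
            return None
        raise                 # e.g. 401 bad key, 429 free-account rate limit exceeded

def verdict(report, key_vendors=KEY_VENDORS):
    """Apply the rule of thumb to a v3 report: a key vendor flagging the file means do not trust it."""
    attrs = report["data"]["attributes"]
    results = attrs["last_analysis_results"]
    flagged = [v for v in key_vendors if results.get(v, {}).get("category") in ("malicious", "suspicious")]
    missing = [v for v in key_vendors if v not in results]
    if flagged:
        return "do-not-trust", flagged
    if missing:                   # a key vendor did not scan it, so "all three say good" is unknown
        return "inconclusive", missing
    stats = attrs["last_analysis_stats"]
    if stats.get("malicious", 0) + stats.get("suspicious", 0) == 0:
        return "clean", []
    return "probably-okay", []    # only other engines fired: likely a false positive

# Constructed sample report (not real VirusTotal output): two minor engines fire, key vendors are clean.
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 58, "harmless": 0},
    "last_analysis_results": {"Microsoft": {"category": "undetected"}, "Symantec": {"category": "undetected"},
                              "McAfee": {"category": "undetected"}, "EngineA": {"category": "malicious"},
                              "EngineB": {"category": "malicious"}}}}}
```

To check a real file, call `verdict(lookup_hash(hash_file(path)["sha256"], api_key))`; the lookup sends only the hash, so nothing private leaves your machine, and a `None` result means you still have to decide whether the file is safe to upload.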

The following blog post by JC_SoCal offers a reason, for you to consider, why you may not want to upload a file or hash to VirusTotal:

Malware Analysis #1 Protip

Unless you are a malware analyst or think you are being directly targeted, you'll be okay.

After reading this post you should know everything you need to be a basic VirusTotal user. VirusTotal is a great tool to have in your cyber protection toolbox.

*hash - a hash is the output of a special mathematical function used to assign an ID to a file or a message. (Wikipedia - Hash Function)