Many of you are probably familiar with VirusTotal, a service that allows you to scan a file or URL using multiple antivirus and URL scanners. VirusTotal results are often used in write-ups about new malware to show how widely a sample is detected by the AV community. We receive links to VirusTotal results via our support system and on the Webroot Community. Computer support forums will also suggest a user submit a file to VirusTotal in order to determine whether or not a file is malicious. VirusTotal can be a very useful service – if you know how the service works and how to interpret the results. A good place to start is the About page, paying special attention to the Important notes and remarks section of the page.
I’ve written before about how inconsistent the results for a file can be, and this makes a bit more sense when you understand more about how VirusTotal works. To put it simply, because of the way that VirusTotal works, files that show no detections in VirusTotal may actually be detected by the scanners used in real-world situations, and the opposite is also true. (Knowing how it works can also help understand why a next-generation cloud-based solution like Webroot SecureAnywhere is not one of the scanners used in VirusTotal.) I’ve seen many instances where a write-up on new malware shows few detections in VirusTotal, but a quick check of our database shows that we had seen and were detecting the sample prior to the date it was submitted. There have also been countless times where our own Webroot SecureAnywhere process showed as being detected by multiple scanners in VirusTotal.
As VirusTotal clearly states, “the service was not designed as a tool to perform antivirus comparative analyses” yet we see it used to gauge how widely detected a new malware sample is all the time. When looking at VirusTotal results, I tend to make two assumptions. The first is that I always assume that all of the scanners are set to their highest heuristic settings – what I like to refer to as “tin-foil hat heuristics” – which will cause a much higher number of False Positives.
The second assumption is that the scanners will be using their full Enterprise signature set which will detect various legitimate programs that administrators might not want on their networks such as administrative tools or remote access tools. Over time, you can become familiar with some of the more common detections and naming conventions used by the various scanners that can help make a more informed interpretation of the results.
As with any tool, knowing the intended use and limitations helps use it more effectively.