I often come across suspicious files that I don’t entirely trust are free of malware or viruses. People often forward me emails with attachments asking me to let them know if they are safe to open. I also downlaod quite a bit of software from various sources on the internet. While I could just rely on my antivirus software to tell me if the files are safe I know that it’s impossible for one program to be able to identify every bit of malware that exists. The best way to deal with this type of file is to upload it to VirusTotal for analysis. VirusTotal is a free service that will quickly analyze a file with over 40 different antivirus engines using the latest definitions.
VirusTotal allows you to upload any type of file up to 20MB in size. If you upload an archive like a rar or zip file it will scan within the archive for threats. Once you upload the file it is hashed (MD5) and placed into a queue for analysis. Analysis usually happens within 30 seconds, the wait time depends on the current load the service is under.
If the hash is found in the database then someone has already uploaded this file to VirusTotal’s database. When this happens you have an option to view the results of the previous analysis or reanalyze the file. If the last analysis of the file was a long time ago you should reanalyze the file. New definitions are released every day and this could affect the results.
There are several ways you can upload files to VirusTotal.
Using the web based uploader
On the VirusTotal homepage you can browse to the location of the file you want to upload and submit it directly. Files can also be submitted using SSL encryption in case you are behind a proxy with virus filtering capabilities.
Submit files via email
You can send in files for analysis be emailing them to firstname.lastname@example.org with the subject of ‘SCAN’. You will receive an email back with the results in a text format.
After downloading and installing the uploader application you can easily send in files for submission without having to use the web uploader. The application will also allow you to directly upload the executable for a running process. So if you have a suspicious process running on your system this is an easy way to get it checked out. The only thing I don’t like about the app is that you can’t upload multiple files at the same time, you have to send them individually.
The Public API
To take things a step further VirusTotal provides a public API that allows users to interact directly with their service. Using this API you could create a script to automatically upload files from a honeypot or other source. It also provides a mechanism to retreive the analysis reports for the files you submit via the API. They have some sample scripts written in Ruby, Perl, Python, Java, and PHP that you can use as examples. In order to obtain an API key you must create an account on their site.
Community features of VT
VirusTotal has a community built around its service called VT Community. Once you register and create a free account you can create a public profile and interact with other users. You can also create a network of trust with other users which will increase your reputation credits. This is what I would consider the Facebook of the virus hunting community. Joining the community allows you to leave comments on the analysis page of samples and vote on the comments left by other users.
By using VirusTotal you are directly helping the AV companies improve their products. If an AV engine fails to identify a virus sample that other engines caught they are notified of this and can use this information to improve their products. Since its a public site anyone with an antivirus product can have their engine listed on the site if they want.
VT is one of the best methods to quickly determine the security status of a file. False positives are becoming the newest problem within the virus community and using this service you can identify files that are falsely being flagged as malware by a particular engine. Next time you encounter a file that your not sure if you should trust upload it to VirusTotal and find out what you have.