URL: https://docs.virustotal.com/docs/how-it-works
Submission Tags: falconsandbox
Submission: On April 05 via api from US — Scanned from DE

HOW IT WORKS

VirusTotal inspects items with over 70 antivirus scanners and URL/domain
blocklisting services, in addition to a myriad of tools to extract signals from
the studied content. Any user can select a file from their computer using their
browser and send it to VirusTotal. VirusTotal offers a number of file submission
methods, including the primary public web interface, desktop uploaders, browser
extensions and a programmatic API. The web interface has the highest scanning
priority among the publicly available submission methods. Submissions may be
scripted in any programming language using the HTTP-based public API.

As with files, URLs can be submitted via several different means including the
VirusTotal webpage, browser extensions and the API.

Upon submitting a file or URL, basic results are shared with the submitter, and
also between the examining partners, who use results to improve their own
systems. As a result, by submitting files, URLs, domains, etc. to VirusTotal you
are helping to raise the global IT security level.

This core analysis is also the basis for several other features, including the
VirusTotal Community: a network that allows users to comment on files and URLs
and share notes with each other. VirusTotal can be useful in detecting malicious
content and also in identifying false positives -- normal and harmless items
detected as malicious by one or more scanners.


FREE AND UNBIASED

VirusTotal is free to end users for non-commercial use in accordance with our
Terms of Service. Though we work with engines belonging to many different
organizations, VirusTotal does not distribute or promote any of those
third-party engines. We simply act as an aggregator of information. This allows
us to offer an objective and unbiased service to our users.


MANY CONTRIBUTORS

VirusTotal's aggregated data is the output of many different antivirus engines,
website scanners, file and URL analysis tools, and user contributions. The file
and URL characterization tools we aggregate cover a wide range of purposes:
heuristic engines, known-bad signatures, metadata extraction, identification of
malicious signals, etc.


RAISING THE GLOBAL IT SECURITY LEVEL THROUGH SHARING

Scanning reports produced by VirusTotal are shared with the public VirusTotal
community. Users can contribute comments and vote on whether particular content
is harmful. In this way, users help to deepen the community’s collective
understanding of potentially harmful content and identify false positives (i.e.
harmless items detected as malicious by one or more scanners).

The contents of submitted files or pages may also be shared with premium
VirusTotal customers. The file corpus created in VirusTotal provides
cybersecurity professionals and security product developers valuable insights
into the behaviors of emerging cyber threats and malware. Through our commercial
premium services offering, VirusTotal provides qualified customers and
anti-virus partners with tools to perform complex criteria-based searches to
identify and access harmful file samples for further study. This helps
organizations discover and analyze new threats and fashion new mitigations and
defenses.


REAL-TIME UPDATES

Malware signatures are updated frequently by VirusTotal as they are distributed
by antivirus companies. This ensures that our service uses the latest signature
sets.

Website scanning is done in some cases by querying vendor databases that have
been shared with VirusTotal and stored on our premises, and in other cases by
API queries to an antivirus company's solution. As such, as soon as a given
contributor blocklists a URL it is immediately reflected in user-facing
verdicts.


DETAILED RESULTS

VirusTotal not only tells you whether a given antivirus solution detected a
submitted file as malicious, but also displays each engine's detection label
(e.g., I-Worm.Allaple.gen). The same is true for URL scanners, most of which
will discriminate between malware sites, phishing sites, suspicious sites, etc.
Some engines will provide additional information, stating explicitly whether a
given URL belongs to a particular botnet, which brand is targeted by a given
phishing site, and so on.

Updated 4 months ago
