24 July 2008

VirusTotal += ViRobot

We welcome the engine from Hauri
[News] 
We have added ViRobot to the list of engines used at VirusTotal. This engine is built by Hauri, and we hope it will add more detection power to VT for malware created in the Asian region.
Sent by jcanto @ 13:35 | Permalink | Comments (3) | Trackbacks (0)

VirusTotal += PCTools

including related ThreatExpert reports
[News] 
We've recently added the PCTools engine to VirusTotal. It is a nice addition, as it includes ThreatExpert links whenever a sample has been processed by that company's excellent tool.
Sent by jcanto @ 13:30 | Permalink | Comments (0) | Trackbacks (0)
16 June 2008

VirusTotal += TrendMicro

welcome back
[News] 
The Trend Micro engine is back at VT, adding to the service the power of one of the best-known AV companies worldwide.
Sent by jcanto @ 10:45 | Permalink | Comments (8) | Trackbacks (0)
20 May 2008

Changes and new features at VT

Working to make it faster and more useful
[News] 
We've been working lately on some features that users have probably already noticed. We've changed the load balancing system, so results shown in the web interface now appear faster. As a consequence, engines are no longer listed in the usual alphabetical order; instead, they're placed on the screen as their results are generated. We've also included some basic information for PE (Portable Executable) files, which can be useful for technical users of the service. We've also added the engine from G-Data, and we're working on including more engines in the near term. Finally, we've included a new section for checking hashes (md5/sha1/sha256), so users can get reports for samples we've already analysed.
Sent by jcanto @ 13:36 | Permalink | Comments (11) | Trackbacks (0)
25 March 2008

VirusTotal Uploader in PC World's '101 Fantastic Freebies' List

The KISS Principle Succeeds...
[News] 
We were informed yesterday that VirusTotal Uploader, our small tool to submit files to VirusTotal via the Windows context menu, has won an award in the US edition of PC World and has been published in their '101 Fantastic Freebies' list, in fact heading their security section. Thanks a lot, guys!


Sent by bquintero @ 13:18 | Permalink | Comments (6) | Trackbacks (0)
03 January 2008

Deleting the option "Do not distribute the sample"

[News] 
In the last few days, several articles have been published (1,2,3,4) pointing to the "Do not distribute the sample" option in VirusTotal as a tool used by malware developers to avoid detection by AV engines. The reality is quite different, and this is a mistaken interpretation. Nevertheless, as a preventive measure, we have agreed with AV developers to delete the "Do not distribute the sample" option from the VirusTotal website, so as to prevent potentially malicious uses of that option.


When we launched VirusTotal back in 2004, the non-distribution option was intended to allow the analysis of files and documents containing sensitive data with the complete certainty that they would not be sent to AV labs at all. Until now, the main use of this option has been exactly that: analyzing Word files, PowerPoint presentations, PDF files, etc., that contained sensitive data.


Besides this initial function, we later realized that other alternative uses were possible, both by computer security professionals and malware specialists and by malware developers. As explained in the post "The Darker Side of Online Virus Scanners" on Kaspersky's blog, malware developers do not trust VirusTotal and have found their own methods to test their creations against multiple AV engines.


Although Kaspersky's story centres on a paid underground service, at Hispasec we have been aware of underground tools, ready for download, that automatically analyze samples with over 20 AV products on your own computer. These tools use free/shareware/pirated versions of the AV engines that the AV developers make available for download on their own websites. Likewise, the online AV services based on ActiveX and similar technologies can be used individually for detection tests on your own computer without sending the malware to third parties.



[Image: example of an underground tool]


There is an additional technical reason that renders VirusTotal useless for malware developers trying to learn how to evade detection by AV engines. Recently, AV solutions have incorporated new technologies, such as detection by behavioral analysis, that aren't available in the classical signature- and heuristic-based engines used by online services. To test whether a malware specimen is detected by these new technologies, the malware must be executed on a system with the AV program installed and active. This is why professional malware developers maintain many virtual machines with different AV solutions installed, so they can execute and test their samples locally without using online services such as VirusTotal.


So, should AV developers remove their online AV scanners? Should they stop providing demo versions of their AV programs to avoid potentially malicious use? Obviously, we do not think so. If those measures were taken, the worst affected would be legitimate users, since malware developers would still use AVs fraudulently, with pirated or properly purchased versions. We mustn't forget that there is a true industry with plenty of resources, ready to make loads of money, behind most current malware.


The use of the non-distribution option was mainly legitimate. Honeypots, CERTs, AV labs, and malware specialists frequently used this option in different processes. Precisely, AV labs knew for sure that our non-distribution option worked, since they could test it anonymously and check whether they received the sample or not, while malware developers had no way of testing our system at VirusTotal, hence their lack of trust in our non-distribution option.


Besides all that has been said, we must clarify that the default of distribution over non-distribution was overwhelming. Over 85% of all samples identified as malware in VirusTotal were submitted as distributable, and were automatically forwarded in real time to all AV labs whose engines did not detect those samples.


Nevertheless, at VirusTotal we find it appropriate to delete the anonymous and indiscriminate non-distribution option on our website, to avoid possible suspicions about the use of VirusTotal. We apologize if this measure proves inconvenient for the people who used this option legitimately.


VirusTotal is a reliable service that works in close collaboration with the AV industry. All functionalities and decisions in VirusTotal are agreed upon with all AV developers that participate in our service, and we are open to all suggestions for improving our service so it proves more helpful to our community.


Sent by bquintero @ 18:34 | Permalink | Comments (78) | Trackbacks (0)
14 November 2007

Permalinks for VirusTotal Results

[News] 
The increasing number of AV engines, together with the new web interface we started using for VirusTotal a few months ago, have had an undesirable side effect: it has become harder to take a screen capture of the complete results of an analysis in order to publish them on web pages.


Although we introduced the new "Compact" function on the results page, which allows the user to compress a report and view it in several formats to avoid scrolling and to make copying and pasting easier, we have realized it would be far more convenient to be able to use links to refer to results.


Until yesterday, URLs referring to VirusTotal results would expire within 20 minutes. From now on, URLs referring to VirusTotal results will remain active for days, and will never expire once they have been linked to and visited.


This way, instead of taking a screen capture or copying data, we will be able to refer to specific analysis results by linking to the URL that appears in the browser, for instance:
http://www.virustotal.com/resultado.html?726c9e52b80f4e52e39d9008e980aeab

Sent by bquintero @ 01:35 | Permalink | Comments (7) | Trackbacks (0)