A possibility to get a link to the scan results would be fine, as to link to a result in a discussion whether a certain file is infected. Otherwise all participants had to do the test themselves.
Possibility to have a file scanned more than once. Maybe every hour for the next 24 hours? Every time there is a change in the result an e-mail would be sent. Or choose your favorite scanner and changes in that result would be mailed.
First I would like to say that this is a great idea Jon mentioned...A possibility to get a link to the scan results would be fine, as to link to a result in a discussion whether a certain file is infected. Otherwise all participants had to do the test themselves.
Second, I think Vt, since it receives so many virus samples, should keep infected samples and archive them with their respective md5 hash as the name of the file, and make them available to av vendors on a ftp site. I think this is a good idea because many av vendors probably do not see as many samples as virustotal.com does. Some may refer to this as collecting viruses using vs2000 and kaspersky. This would be great because any av vendors could visit the ftp site and check which viruses its current signatures detect and do not detect.
Lastly, I think Vt should include more statistics than it employs now. It would be cool to see which virus vendor detects the most threats out of so many samples or so many samples submitted and the last hrs or day etc.
Hi! I think I have a solution for hardware problem. Tell all of AV associates that with adding a program they should add a PC that runs their program (PC would not be over $2K) and then create a cluster with each AV running on separate computer. In return you can (if you are not already) give them competitive statistics and other useful information or they can add any other informational services directly into their server. Then cluster servers can communicate over TCP/IP with enduser server (website). It's a winwin situation. bye.
Hello. This is truly a great service. I can understand that you're overwhelmed by the traffic (the only similar service I know of - http://virusscan.jotti.org/ - has a load of 100% almost all the time) and hope that you can gather enough resources to keep this problem manageable.
To Henry: afaik VirusTotal already shares the results with AV companies.
To Jon: this is a great idea, and I see two possibilities: VirusTotal may offer some way to embed HTML code in other forums (so when you finish a scan, the results are stored in a database and you get a post saying: to post these results in a forum use the code below and then a HTML code which would link back to the virustotal server). This would have the advantage that people don't have to migrate over from other forums (as opposed to the case that you want to create a local discussion list on every file).
Also, it would be nice if there was a possibility to embed a HTML code on your page which creates a form to submit a file directly to virustotal. This could be put on forums which discuss such things.
I'm a pretty decent web / javascript / html developer and I would be happy to help if necessary.
Also, I think that the checkbox below should say:
"Remember your info. in a cookie?"
well i must say several of the above suggestions are quite strange for me...
about the link to the scan results... VT would have to store all this additional data and i don't understand why it is so hard to simply copy and paste the results in a discussion/forum.
about the possibility to have file scanned more than once... this one i think could be quite a good thing. however i don't understand the real idea behind the setting it up for a favorite av. what i think could be a very useful implementation of this is in the case when a suspicious file would be at first scan flagged as clean, then it would be nice if the user could provide its email, so that if for example in the next 24h the file would get detected by an av, the user would get automatically informed about that.
VT is already sharing its samples with av vendors.
about more statistics... this could potentially be dangerous for the service. several of the av vendors don't like to show the real statistics, because they could lose market because of this. and so more statistics could result in some vendors removing their scanners from the service.
my suggestion: i think there are a lot of users that use this service to upload new malware so that different av vendors can add detection for it. i do it sometimes. the difference in this case is that the actual scan results are not important, it is only important that the samples get uploaded so av vendors can review them and add them. so my suggestion is to add an option where samples could be just uploaded to the server and no scan would be done. this will save some resources and time. this is especially useful in cases when someone would like to upload a bit larger virus collections.
I think that copy-pasting a little HTML code is easier and more accessible to the average user, than creating a screenshot for example and cropping out the scan results. It would also take up very little space in the database (the file does not need to be stored, only the results from each engine).
I think you gonna do a service, that scan html links for search for virus, this a good service, you gonna do for us.
While the scanning of certain files given their URL is certainly doable (and quite easy to implement), the scanning of "html pages" probably won't give the results you are hoping for. This is because, the pages which contain exploits / drive by downloads / other malware you most probably would like to scan for:
- give different results based on the user agent string (so you must at least spoof that)
- are "encrypted" with javascript
- most probably it's not the "html page" which contains the malicious stuff, but some additional file referenced by the html file (an activeX control for example)
So it is quite complicated (if not impossible) to give a reliable result on the scanning of a site.
Dear VirusTotal people,
Congratulations! You do a great job. This is one of the best and most useful sites on the Internet. Please keep up with the good work. You really deserve a big THANK YOU from all of us for all what you do and offer as a public service.
I hope the antivirus companies understand what a great job you do and support you with all means.
Chris
An easily scriptable text-only interface would be nice. Some of us are submitting samples with lynx, and all that nice Shockwave Flash art is lost :)
To keep the load under control, you could hand out "keys" for the script API like Google does with their services.
Other than that: thanks! for a great tool.
Yes, you guys truly rock!
The problem with "copy and paste" is that tables are completely lost that way. The results usually look horrible. So, linking to VT would reduce this problem. It would also reduce the amount of files uploaded to VT, because not the whole forum had to test this over and over. (Oh, and since this was not clear: I meant including in discussions on existing forums, not starting a forum here)
Perhaps it could be solved similar to those quiz-sites, where they give you a code to show the result in your page / blog / whatever.
Stupid question: Do you know if it is possible to get an OLD rack from google?
This is a task which parallelizes very well, so the only disadvantage older systems have is the power/op. Since google optimizes for power/op, it might actually be better than new high-end systems.
Your service is very good, although it is true that now belongs quite slowly. We have to wait a lot until a sample virus is analyzed by the AV programs. All the efforts in order to rise the analysis will be appreciated by those who deal with these tasks.
You are pioneers in the virus collaboration analysis, you really help me in my daily work.
Best regards,
- Plain text results:
It would be really nice to have the option of having parseable plain text as the result of a scan. It would be easier to automate the scanning of files and the parsing of results (something that could lead to a VT API, as someone said). I know the scan results sent to scan@ are parseable, but they take too long a time to get back.
I love this site and I use it almost every day to scan files. However, the biggest problem I have is that when you copy the report, the result is different in IE and Firefox. In order to parse the information easily, it would be great if the copied text would be exactly the same. Sure, my current program can make the difference, but it would be a lot nicer if IE could copy the tabs, instead of a double space, so it would be the same as Firefox.
What also would be a very nice addition, would be some sort of 'Status'-statement when the scanning has finished. Just like virusscan.jotti.org and scanner.virus.org, so you don't need your own algorithm to determine whether it's infected/harmful or not when parsing the scan results.
Whether you do something with these requests or not, it still remains an awesome service you're providing and I thank you for it.
It is a shame that Microsoft can't come to the party to be a sponsor of http://www.virustotal.com, as their engine is involved as well. They make a lot of money off software. Maybe a letter to Bill Gates can be written, or to the right person on the board of the Microsoft Corporation. I am sure they will see the good side of this project to hand over some money to get the best of the best so the system will run to what is needed to handle the work load of http://www.virustotal.com. I just wish I could do it myself, and I am sure there are others out there who think that as well. So come on Microsoft, come do something about it so this service runs to what is needed to be the best antivirus service around on the net to serve other antivirus companies, as it can be the central location for companies to get their undetected samples plus your own as well. Even the big antivirus companies can help on this matter. I am sure the VirusTotal team has a lot of ideas for virustotal.com
Can Virustotal tell us what they are working on. Thank You
I may be wrong about this but I may have a good idea;)
Instead of passing every single uploaded file to the command line scanners, why do you md5 hash and/or sha1 the file then pass it to the scanner. Cache the results of the scan and keep them present for 15 minutes or however long you choose on the site. So now when a dupe according to the md5 and/or sha1 appears, show the cache results to save the scanners from being bottlenecked. Then when the time limit expires on the md5 and/or sha1 file, have it passed to the command line scanners again and start the process all over again. I think it's a good idea but I wonder if it's possible to produce fake md5 or sha1 files?
This is a great service and much appreciated.
As a developer whose software had false "suspicious" / positives from four of the engines (now resolved, with those A-V engines' signatures adjusted), I'd like to point out that sharing results with A-V companies needs to be done with caution in case a flag of "suspicious" from one becomes a flag of "virus" from others.
Thanks
YOU GUYS ARE A PACK OF ITIOTS! WHEN YOU CLICK ON THE 'DO NOT DISTRIBUTE' BUTTON, THEY STILL DISTRIBUTE YOUR SUBMISSION TO ANTI-VIRUS COMPANIES AND OTHER COMPANIES EVEN THOUGH YOU ARE JUST CHECKING TO MAKE SURE YOU'RE OWN SOFTWARE IS NOT INFECTED.
THEY ARE LYING, CHEATING BASTARDS AND WE HAVE TESTED THIS ON OUR TEAM TWICE NOW, USING CHANGED SUSPICIOUS FILES, AND THEY APPEAR IN THE ANTI-VIRUS DEFINITIONS WITHIN A FEW DAYS EVERY SINGLE TIME - THAT IS, HAVING TESTED WITH A FILE THAT IS UNIQUE AND NO ONE ELSE COULD EVER HAVE OR GET AHOLD OF!
STAY AWAY FROM THESE DICKHEADS!
To whom it may concern,
I need some help as I have tried various virus, spyware and adware detecting software to no avail. I am paid for subscription to AVG Anti-Virus till December but it is not working on my main problem and not even listed on your site.
An "Urgent System Message : Virus! " with a little yellow triangle containing an exclamation mark keeps appearing on my task bar on the right hand side amongst the printer, speaker and AVG icons. This text box says
"Urgent System Message : Virus!
Your computer is infected with last version
of internet trojan (iworm_attck_v122.02a).
It is highly recommended that you install
antivirus software. Click the icon for more
information."
The icon has to be double clicked to do anything and this redirects to a web page in Internet Explorer for "The Spy Guard" Software? This seems awfully suspicious to me like a virus created to get you to allow something to get a bigger foothold inside my computer and the worst bit is they want money to even scan my system let alone load their software.
Also getting similar message showing (OHPE ver 4.12_23) in the brackets with similar redirect.
And popups from System Doctor, Ad Protect and Virus Blast. Other seemingly unrelated popup windows from adultfriend finder and gold casino(or something).
Can you help or do you know of something legitimate that can?
Regards,
Jeff Debooy
Just want to say a BIG thanx for providing the Free service. I use it often and also recommend it to many people too. It has and continues to be a very valuable asset in my online toolkit.
I don't see why anybody should object to having Any samples transferred on to the vendors. The service is Free after all, so at least VT and the others are getting something back for all this !
Spanner
SpannerITWks
YOU GUYS ARE A PACK OF ITIOTS! WHEN YOU CLICK ON THE 'DO NOT DISTRIBUTE' BUTTON, THEY STILL DISTRIBUTE YOUR SUBMISSION TO ANTI-VIRUS COMPANIES AND OTHER COMPANIES EVEN THOUGH YOU ARE JUST CHECKING TO MAKE SURE YOU'RE OWN SOFTWARE IS NOT INFECTED.
Yeah I guess we are a pack of ITIOTS lol nice spelling by the way. But it's true we are so god damn stupid to figure out that when clicking the do not distribute button, it still distributes the sample to other companies. Only idiots would figure out that the do not submit samples button does what it actually says.
So I guess in a sense we are all a bunch of idiots(smart people) while "a programmer" is smart (aka stupid) LOL
Be careful "a Programmer", if you stay too tense for so long your penis will go limp and you will never be able to get it up again.
I don't see why anybody should object to having Any samples transferred on to the vendors. The service is Free after all, so at least VT and the others are getting something back for all this !
I agree
I think VT should just completely get rid of that button. I don't see any good for not submitting files to other vendors. It's just a waste of Pixel space lol
I could see use for the do not submit button if someone is uploading a valuable file with personal information to VT and doesn't want any vendor to see the contents of the file, but I believe that it's common sense that if you transfer any file outside your computer and onto the internet that it is possibly viewable by ANYONE who may be sniffing your packets or the NSA or anyone looking for something to be curious about.
>> YOU GUYS ARE A PACK OF ITIOTS!
Your spelling of the word idiots convinces us of your mental prowess... yeah, right.
>> WHEN YOU CLICK ON THE 'DO NOT
>> DISTRIBUTE' BUTTON, THEY STILL
>> DISTRIBUTE YOUR SUBMISSION TO
>> ANTI-VIRUS COMPANIES AND OTHER
>> COMPANIES EVEN THOUGH YOU ARE JUST
>> CHECKING TO MAKE SURE YOU'RE OWN
>> SOFTWARE IS NOT INFECTED.
How do you know? That isn't what you use the system for, is it?
>> THEY ARE LYING, CHEATING BASTARDS AND
>> WE HAVE TESTED THIS ON OUR TEAM TWICE
>> NOW,
What team is that? Team spell check? Team script kiddie?
>> USING CHANGED SUSPICIOUS FILES,
What happened to just checking your software to make sure it isn't infected?
>> AND THEY APPEAR IN THE ANTI-VIRUS
>> DEFINITIONS WITHIN A FEW DAYS EVERY
>> SINGLE TIME - THAT IS, HAVING TESTED
>> WITH A FILE THAT IS UNIQUE AND NO ONE
>> ELSE COULD EVER HAVE OR GET AHOLD OF!
Let me guess. You modify a "suspicious" file and submit it. Now your own AV solution doesn't detect it so you send a sample to your specific AV vendor. News Flash!!! Virus researchers share samples!
>> STAY AWAY FROM THESE DICKHEADS!
Tell us where you are and we'll stay away from you Mr. Wishihada Dickhead
Hey funny thing, we have the same email addy!
I understand that every antivirus program here does not need to be updated to its current version, BUT, i think AT LEAST you should update symantec and sophos so they can detect adware.
I believe this should be done because, one, it gives VT inaccurate stats in the failures of detections graph, and it also gives us a false sense of security by not showing adware results.
I WOULD really like to see a hard drive scan in case there is an infected file that has spread
May I suggest that instead of the current method the url of the scan result be its MD5 or SHA1 thereby linking directly to results if the file has already been scanned. eg. http://www.virustotal.com/vt/en/resultadof?(%MD5%)
This would surely reduce service load.
Then the file need only be re-scanned by engines that have updated since the last result instead of all of them every time.
HTH
Thanks very much for a competent and useful service. Sadly i have no suggestions, all i would like is it to be a bit faster which i know is something you are already trying hard to achieve. Thanks again.
p.s. To that ITIOT (lol) supposed programmer, i'm grateful that they ignored your request as you seem to be using this service to check whether your own modified virus/trojan is detectable.. hopefully they kept your IP address and monitored your submissions.
Out of interest, what is the current hardware spec and hardware layout?
maybe up for donating some hardware / or part funded via donations
please make more service load so that it doesn't get overloaded or a limited people scanning at once
Great job! Congratulations.
You already provide sending samples through eMail which is quite convenient. Maybe you could offer the possibility for us to send PGP encrypted samples via eMail. Some servers may not allow some payloads.
i use to send multiple suspicious files in one time (collection pack) because this is more convenient but in the result page only one virus is listed even if there are many. so you should give names of all infected files not the first one caught by the engine...
TY
-----------------------------------------------------------
Hello,
I would just like to comment on the person or persons who left the following mean spirited comments.
Allow me to intelligently answer these comments.
> YOU GUYS ARE A PACK OF ITIOTS!
I will not dignify this with A response, because I'm not A grammar Nazi at this time, however I would suggest you find A spellchecking program as soon as possible.
Google's GMAIL service is A good start.
> WHEN YOU CLICK ON THE 'DO NOT
> DISTRIBUTE' BUTTON, THEY STILL
> DISTRIBUTE YOUR SUBMISSION TO
> ANTI-VIRUS COMPANIES AND OTHER
> COMPANIES EVEN THOUGH YOU ARE JUST
> CHECKING TO MAKE SURE YOU'RE OWN
> SOFTWARE IS NOT INFECTED.
Very simply.
If you have A file or files you do not want all or parts of distributed to other online entities , then don't submit them.
And if you have something THAT valuable, something of SO much value on your computer that you do NOT want anyone to see , I believe you either. ...
Must have something to hide yourself.
Or are just trying to incite hostility.
> THEY ARE LYING, CHEATING BASTARDS AND
> WE HAVE TESTED THIS ON OUR TEAM TWICE
> NOW,
By your use of the word "OUR" it seems to me that you work for A company, And if that is the case you and your company may (Hell Probably) have reason to in fact incite such hostility.
> USING CHANGED SUSPICIOUS FILES,
By that statement I am assuming you are referring to the files the patrons of this site send in for scans(review) .
Well SIR/MAM if you believe that.
A.) They are using changed files .
And
B.) YOUR "TEAM" has further researched their process.
Then. I suggest 2 things.
A.) You and your "TEAM" Try further testing their site and the process they use by actually sending them A file that has A NON intrusive virus/Trojan or data miner VARIANT.
And see what you come up with.
(It's amazing the process of elimination it really is)
B.) Take A look at their review from their patrons here and further with SiteAdvisor.com.
If A site this popular was doing anything further from what they advertise.
Then they are either ignorant enough to stick their necks out like they have or you or other entities are conspiring with them to data mine Using erroneous information I might add.
Do you realize how many erroneous files and "honey pot" files are sent to data protection services all day long by the NSA and other government controlled consumer protection operations ?
Hell the justice dept must send microsoft millions of data A day just to keep tabs on them.
Just how much criticism do you think new startups like VirusTotal.com get ?
If you believed so passionately that they are doing something to hurt end users then you have only helped them with your post more.
> AND THEY APPEAR IN THE ANTI-VIRUS
> DEFINITIONS WITHIN A FEW DAYS EVERY
> SINGLE TIME - THAT IS, HAVING TESTED
> WITH A FILE THAT IS UNIQUE AND NO ONE
> ELSE COULD EVER HAVE OR GET AHOLD OF!
By that I am assuming you are referring to the actually proprietary process they internally use to scan files.
From A legal standpoint you have no right in any place or time to post such rhetoric.
However this day in age anything is possible and the passion you have put in your post is obviously either your first time using A posting system or misunderstood.
I would like some type of follow up on this post.
Being verbosely serious in closing ...
Really sir/mam you need to think long and hard, If A site as popular as VirusTotal.com was trying ANYTHING malicious then they either have too much time on their hands or are clearly ignorant.
To sum things up it seems to me you are either uninformed or don't realize things like file streaming , threading , caching , process power assigning(Like SETI uses) are in existence.
OR
You have some unforeseen grievance currently with OR against VirusTotal.com
Stop wasting bandwidth and get A grip!
PS:
One last thing , WE are not A -PACK- of idiots. , Not everyone who posts here uses VirusTotal's main service.
One thing, -I- would like cleared up ASAP is why/how you guys are using old versions of software versions but new versions of the definitions ????????
Thank you for your humble service.
@drailed: we use the scanners vendors provide us with. the problem is that as we use command line versions, we don't always have the chance to use the 'last versions available'. There are some exceptions like Symantec and Kaspersky (we're working with them for implementing something more recent).
Thanks for your constructive messages.
Thank you for your reply :)
I myself didn't even realize you could utilize your resources like you have using a Disc Operating System .
I guess you would need to seeing the thousands of files you probably scan within A week.
This just goes to show how uneducated end users can be , even me , A now UDRP of many years.
I believe my only requests in the future would be.
-Unionization into the entire site of even more languages.
I see you already have 2.
-Possibly DATA protection and IT security service you could offer medium to small business.
Similar to [HackerSafe]
Finally even in your transition to your upcoming new theme (2.0)
I would like it if there was A page like "Support Us" and "About" that would explain A little more about the service and how we the end users can support Vt: Monetarily, Through Exposure, Through General everyday use, and correspondent decore/etiquette.
Again thank you for your time and reply, I wish you well in your transition.
Truly,
ŠRAILED
How about paid subscriptions. For, lets say, 10$/year you get premium access to the scanservices so you don't have to wait and can scan up to 10 files/day with premium access. I would surely buy that.
You can't let the users pay for using the scanners (as you're only licensed to use them, not to rent them, I reckon), but you can let users pay for quicker access to them.
Let me know what you think.
Virustotal is a great service and the addition of caching based on the hash value has made it even better. Thanks!
Two additional suggestions:
- Display the hash (and check for cached results) directly after submitting. That will reduce waiting time for repeated submissions, while still not degrading service for anyone else.
- Check the hashes of files in archives, not the hash of the archive itself. I've often seen .zip files with identical contents, yet different hashes of the .zip because the timestamps of the included files varied. That could reduce the load because archives with identical content do not have to be scanned twice. However, there may be cases where the used unpacker fails to extract a file which gets extracted by other unpackers and may contain malicious code overlooked that way.
I think of some email relay server that applies all the virus scanning activities to the emails I relay to them, and then sends them back. The results could be incorporated into the email by headers, i.e. :
X-Virustotal-Scan: Sophos - not infected
X-Virustotal-Scan: F-Prot - found XYZ
(...)
X-Virustotal-Result: Infected 3 out of 12
or
X-Virustotal-Result: No virus detected
I have not thought about the relay mechanism yet, maybe there could be some kind of SMTP stuff, or an email relay on the client computer, some kind of POP3 collecting mechanism, or something else.
For such a "multiple scan" email virus detector service I would be willing to spend some small monthly fee, by that way supporting the free sample scanning service.
Just another idea:
Vt could store the file identification characteristics (File size, MD5, SHA1), the first date of submission and the number of submissions for a limited time (i.e. 1 week) in a database. Even if nothing was detected, it could issue an info statement like "There have been 16589 files submitted to VirusTotal with the same File size and MD5/SHA1 checksums since 18.08.2006. This is a statistically [low, medium, high, very high, enormous] amount. Many submissions imply that the file is suspicious to many people, even if no malware was detected by VirusTotal."
If a file reaches a certain submission count, it could be forwarded to the av's with some "high suspicious" alert tag.
Just another idea for improved performance:
Store the hashcodes in a database along with the positive results (detected malware by an av). When scanning a submitted file, just display the hash codes and cached results, and only do the scans that revealed no malware detection. To reveal detection changes (renamed malware, i.e.), store a timestamp of the last full scan done. If that timestamp is too old (i.e. 1 hour), redo a full scan on the next sample submitted.
Cached results should be marked and a full scan should be allowed by user interaction.
This could drastically boost the overall throughput on files that are submitted frequently.
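The caching scheme suggested in the comment above, sketched as an added example (not part of the original comments and not VirusTotal's code): positive results are cached per file hash, only engines that found nothing are re-run, and a full rescan happens once the last full scan is older than the time limit or when the user asks for one. The names `ScanCache`, `StubEngine` and `demo` are hypothetical, the engines and sample bytes are constructed, and SHA-256 is used as the cache key in place of the MD5/SHA1 the comments mention.

```python
import hashlib
from dataclasses import dataclass

FULL_SCAN_TTL = 3600  # seconds; the comment suggests roughly one hour


@dataclass
class CacheEntry:
    detections: dict       # engine name -> malware name (positive results only)
    last_full_scan: float  # time of the last scan that ran every engine


class ScanCache:
    def __init__(self, engines, ttl=FULL_SCAN_TTL):
        self.engines = engines  # engine name -> callable(bytes) -> name or None
        self.ttl = ttl
        self.entries = {}

    def submit(self, data, now, force_full=False):
        """Return (report, engines actually run) for one submission."""
        key = hashlib.sha256(data).hexdigest()  # assumption: SHA-256 as cache key
        entry = self.entries.get(key)
        full = force_full or entry is None or now - entry.last_full_scan > self.ttl
        if full:
            # A full scan discards old positives so renamed or withdrawn
            # detections are picked up.
            detections, to_run = {}, list(self.engines)
        else:
            # Reuse cached positives; re-run only engines that found nothing.
            detections = dict(entry.detections)
            to_run = [n for n in self.engines if n not in detections]
        for name in to_run:
            verdict = self.engines[name](data)
            if verdict is not None:
                detections[name] = verdict
        stamp = now if full else entry.last_full_scan
        self.entries[key] = CacheEntry(detections, stamp)
        # Cached results are marked as such, as the comment asks.
        report = {n: {"verdict": detections.get(n), "cached": n not in to_run}
                  for n in self.engines}
        return report, sorted(to_run)


class StubEngine:
    """Constructed stand-in for a command-line scanner; counts invocations."""

    def __init__(self, signatures):
        self.signatures = dict(signatures)  # byte pattern -> detection name
        self.calls = 0

    def __call__(self, data):
        self.calls += 1
        for pattern, name in self.signatures.items():
            if pattern in data:
                return name
        return None


def demo():
    a = StubEngine({b"CONSTRUCTED-MARKER": "Test.Marker.A"})
    b = StubEngine({})  # no signature yet
    cache = ScanCache({"EngineA": a, "EngineB": b})
    sample = b"header CONSTRUCTED-MARKER trailer"  # constructed sample
    ran = [cache.submit(sample, now=0)[1],    # first sight: every engine runs
           cache.submit(sample, now=60)[1]]   # only the engine that found nothing
    b.signatures[b"CONSTRUCTED-MARKER"] = "Test.Marker.B"  # signature update
    ran.append(cache.submit(sample, now=120)[1])   # EngineB now detects it
    ran.append(cache.submit(sample, now=180)[1])   # everything served from cache
    ran.append(cache.submit(sample, now=4000)[1])  # limit expired: full rescan
    report, forced = cache.submit(sample, now=4060, force_full=True)
    ran.append(forced)
    return {"ran": ran, "a_calls": a.calls, "b_calls": b.calls, "report": report}


if __name__ == "__main__":
    print(demo())
```

Because only positive results are cached, a stale entry can delay a changed detection name until the next full scan, but it never hides a detection from an engine that has since been updated.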