Tuesday, 6 March 2018

Additional Crispiness on the MacOS box of apples sandbox

In November 2015 we first released our MacOS sandbox. We now have an incremental feature improvements live on our site to help our users get further behavioral information from samples scanned with VirusTotal

Several improvements visible to users are:

  • Sandbox updated to OSX 10.11 El Capitan in sandbox.  We have a High sierra update planned for later this year. 
  • Detailed HTML analysis report is now available. 
  • Screenshots of the software under analysis to provide more contextual information:
    • Show screenshots of what a user would see
    • Help determine if the sample is waiting for user input
  • Network traffic reports updated
    • Country Detection
  • Timestamps on file operations,  to help show the sequence of events.
  • Process tree is shown if there is more than one level of processes

To view the detailed behavior report, click on the behavior tab, then select the Box of Apples sandbox, then click on the detailed report link

Click on the detailed behavior report. 

Some Samples that might be interesting, that contain the new features:

Screenshots and File operations

DNS, IP Traffic and Behavior tags

This is part of the Multi-Sandbox project.    We’ll continue to improve our own and 3rd party sandbox providers that wish to integrate sandboxes into VirusTotal.

If you find any issues, or have feature requests, please don’t hesitate to reach out to us by emailing  contact@virustotal.com

Wednesday, 24 January 2018

VirusTotal and Chronicle

It's been more than five years since Google acquired VirusTotal. Today we have another update: VirusTotal will moving to become part of Chronicle, a new Alphabet company focused on cyber security. This update, like our move to Google a few years back, does not change the mission or focus of VirusTotal. We'll continue to operate independently, focused on our mission of helping keep you safe on the web.

For press inquiries, please contact press@chronicle.security

Monday, 8 January 2018

VirusTotal Graph

VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities.

It is common to pivot over many data points (files, URLs, domains and IP addresses) to get the full picture of your investigation, and this usually involves looking at multiple reports at the same time. We know this can be complicated when you have many open tabs, therefore, we’ve developed VirusTotal Graph.

It is a visualization tool built on top of VirusTotal’s data set. It understands the relationship between files, URLs, domains and IP addresses and it provides an easy interface to pivot and navigate over them.

By exploring and expanding each of the nodes in your graph, you can build the network and see the connections across the samples you are studying. By clicking on the nodes, you can see at a glance the most relevant information for each item. You can also add labels and see an in-depth report by going to VirusTotal Public or VirusTotal Intelligence report.

The tool is available in https://www.virustotal.com/graph/ or through a public report in the tool section (VirusTotal login is required):

You can save the graphs, so that you can go back to your investigation any time and share your findings with other users. By clicking in the bottom right corner we generate a permalink which loads the graph as you see it in your screen. All saved graphs are public and linked in VirusTotal public report when the file, URL, IP address or domain appear in the graph. We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution -- expect to see some news around it soon.

The documentation is available at

These are two YouTube videos explaining the main features:
Files Tutorial 1 - https://youtu.be/QEqHXU04IkI
Domain Tutorial 2 - https://youtu.be/xe2busIlkP4

Last but not least, we are still in an early stage of the tool and we’d be delighted to receive your feedback/comments here.

Thursday, 9 November 2017

Malware analysis sandbox aggregation: Welcome Tencent HABO!

VirusTotal is much more than just an antivirus aggregator; we run all sorts of open source/private/in-house tools to further characterize files, URLs, IP addresses and domains in order to highlight suspicious signals. Similarly, we execute a variety of backend processes to build relationships between the items that we store in the dataset, for instance, all the URLs from which we have downloaded a given piece of malware.

One of the pillars of the in-depth characterization of files and the relationship-building process has been our behavioural information setup. By running the executables uploaded to VirusTotal in virtual machines, we are often able to discover network infrastructure used by attackers (C&C domains, additional payload downloads, cloud config files, etc.), registry keys used to ensure persistence on infected machines, and other interesting indicators of compromise. Over time, we have developed automatic malware analysis setups for other operating systems such as Android or OS X.

Today we are excited to announce that, similar to the way we aggregate antivirus verdicts, we will aggregate malware analysis sandbox reports under a new project that we internally call "multisandbox". We are excited to announce that the first partner paving the way is Tencent, an existing antivirus partner that is integrating its Tencent HABO analysis system in order to contribute behavioral analysis reports. In their own words:

Tencent HABO was independently developed by Tencent Anti-Virus Laboratory. It can comprehensively analyze samples from both static information and dynamic behaviors, trigger and capture behaviors of the samples in the sandbox, and output the results in various formats.
One of the most exciting aspects of this integration is that Tencent's setup comprises analysis environments for Windows, Linux and Android. This means that it will also be the very first Linux ELF behavioral characterization engine. 

These are a couple of example reports illustrating the integration:

Whenever there is more than one sandbox report for a given file, you will see the pulsating animation in the analysis system selector drop-down.

Please note that sandbox partners are contributing both a summarized analysis and a detailed freestyle HTML report. On the far right of the analysis system selector bar you will see the sandbox's logo along with a link to the detailed HTML report. This is where partners can insert as much fine-grained information as wanted and can be as visually creative as possible, to emphasize what they deem important.

We hope you find this new project as exciting as we do. We already have more integrations in the pipeline and we are certain this will heavily contribute to identifying new threats and strengthening anti-malware defenses worldwide.

If you have a sandbox setup or develop dynamic malware analysis systems please contact us to join this effort.

Thursday, 26 October 2017

VirusTotal += Cybereason

We welcome Cybereason scanner to VirusTotal. In the words of the company:

“Cybereason has developed a comprehensive platform to manage risk, including endpoint detection and response (EDR) and next generation antivirus (NGAV). Cybereason’s NGAV solution is underpinned by a proprietary machine learning (ML) anti-malware engine that was built and trained to block advanced attacks such as never-before-seen malware, ransomware, and fileless malware. The cloud-enabled engine conducts both static binary analysis and dynamic behavioral analysis to increase detection of known and unknown threats. Files submitted to VirusTotal will be analyzed by Cybereason’s proprietary ML anti-malware engine and the rendered verdicts will be available to VirusTotal users.”

Cybereason has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by SE Labs, an AMTSO-member tester.

Friday, 13 October 2017

VirusTotal += eGambit

We welcome eGambit Artificial Intelligence engine scanner to VirusTotal. This module is part of the whole eGambit solution developed by TEHTRIS company, in Bordeaux, France. In the words of the company:

“eGambit, the Cyber Defense Arsenal, was created by the TEHTRIS company. This new take on cybersecurity, proposes unified enhanced technologies : advanced Endpoint Security agents, unlimited SIEM, Honeypots, NIDS, Deep Learning, etc. eGambit offers a worldwide 24/7 Security Threat Monitoring, Breach Assessment and Incident Response Service. In particular, the eGambit Artificial Intelligence engine module, deployed on VirusTotal, fight against unknown Windows malwares such as stealth spywares, ransomwares, keyloggers, viruses, etc.”

TEHTRIS has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by SKD-LABS, an AMTSO-member tester.

Thursday, 14 September 2017

VirusTotal += Avast Mobile Security

We welcome the Avast Mobile Security scanner to VirusTotal. This engine is specialized in Android and reinforces the participation of Avast that already had a multi-platform scanner in our service. In the words of the company:

"Avast Mobile Security is a complete security solution capable of identifying potentially unwanted (PUP) and malicious apps (TRJ). The app protects millions of endpoints on a daily basis using a wide range of cloud and on-device-based detection capabilities. Our hybrid mix of technology, which includes static and dynamic (behavioral) analysis in conjunction with the latest machine learning algorithms allow us to provide state of the art malware protection.

Avast has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-TEST, an AMTSO-member tester.