Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

What happens when the download link is scanned by virustotal


  • Please log in to reply
7 replies to this topic

#1 FNActivity

FNActivity

  •  Avatar image
  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:39 AM

Posted 22 February 2024 - 05:06 AM

If I give a download link to virustotal, how will it scan it? Does it only search the link in the database? I don't think virustotal will download and scan the file, it is illogical, for example, I gave virustotal the download link of a 30 GB file and it showed the result in 5 seconds.

 

Model of your computer 

Dell Precision M6700
 

Windows specifications 

Edition Windows 10 Pro

Version 22H2
Installed on ‎2020-‎11-‎16

OS build 19045.3996

Experience Windows Feature Experience Pack 1000.19053.1000.0

 

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 61,818 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:09 AM

Posted 22 February 2024 - 06:26 PM

Malware samples uploaded to VirusTotal, Jotti's Virus Scan, and a few other similar sites is distributed to each anti-virus vendor that chooses to participate in the service but that participation list changes from time to time. This is the current list of the companies that take part in VirusTotal with their anti-virus engines.
 
How VirusTotal Works - VirusTotal Documentation Hub
 

File Searches

VirusTotal Intelligence allows you to search through our dataset in order to identify files that match certain criteria (hash, antivirus detections, metadata, submission file names, file format structural properties, file size, etc.). We could say that it is pretty much like the "Google" of malware.

About VirusTotal

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners...VirusTotal.....a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect.....Very often antivirus solutions and URL scanners will produce false positives...VirusTotal simply acts as an information aggregator and cannot and will not be held responsible for these false positives. VirusTotal will not whitelist any files or URLs and will not remove any detections resulting from the normal operation of the products it makes use off. False positives should be dealt with the developer/company that offers the product generating the erroneous detection.

  • VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
  • In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
  • Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration.

 
If an anti-virus vendor that you use is also on the VIrusTotal list and the scan results appear to show discrepancies with your own scan results, these could be the result of different database definitions. One may be more current than the other. Further, VirusTotal uses command-line versions of anti-virus programs that require no installation so they can run multiple anti-virus solutions on one Windows machine and detection methods as well as behavior can differ. Each vendor decides which version of their product will be used by VirusTotal and how it has to be configured...and that configuration can be different from yours as explained below.

For more information, please read Didier Stevens' interview with Julio Canto from VirusTotal.


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#3 FNActivity

FNActivity
  • Topic Starter

  •  Avatar image
  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:39 AM

Posted 22 February 2024 - 07:09 PM

 

Malware samples uploaded to VirusTotal, Jotti's Virus Scan, and a few other similar sites is distributed to each anti-virus vendor that chooses to participate in the service but that participation list changes from time to time. This is the current list of the companies that take part in VirusTotal with their anti-virus engines.

Thank you, I didn't know this

But I don't understand how it downloads a 20 GB file, scans it and sends the result in 5 seconds ( It does all these steps in 5 seconds )

You said that antivirus companies do this

It makes sense only in one situation: the server of the file I want to download has the antivirus of one of the companies that provide service to Virustotal, and it has already checked that file and Total Virus only gets the result from that server?


Model of your computer 

Dell Precision M6700
 

Windows specifications 

Edition Windows 10 Pro

Version 22H2
Installed on ‎2020-‎11-‎16

OS build 19045.3996

Experience Windows Feature Experience Pack 1000.19053.1000.0

 

#4 1PW

1PW

  •  Avatar image
  • Members
  • 460 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:North of the 38th parallel.
  • Local time:09:09 PM

Posted 23 February 2024 - 11:42 AM


But I don't understand how it downloads a 20 GB file, scans it and sends the result in 5 seconds ( It does all these steps in 5 seconds )

 

Hello @FNActivity

 

Your take on what happens is slightly flawed. You upload the file to VT, not download. Once. uploaded, VT calculates the file's hash. Then…

 

When a file is uploaded, its hash is calculated and compared to those files already analyzed. If already scanned, the previous results are placed in a reply to you. Even if the file was analyzed years ago, those results are placed in the reply. Hence, a rapid response from VT.

 

If no matching hash is on file, then a new analysis must take place. VT will likely request a confirmation upload. Then that analysis will take much longer than five seconds.

 

If a file was scanned a long time ago, you may elect to request a reanalysis. That reanalysis will again take much longer than five seconds.

 

Does the above improve your depth of understanding now? Cheers.


Edited by 1PW, 23 February 2024 - 11:46 AM.

All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus. https://forums.malwarebytes.com/profile/17252-1pw/


#5 Porthos

Porthos

  •  Avatar image
  • Members
  • 1,044 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:09 PM

Posted 23 February 2024 - 12:04 PM

 

 

Malware samples uploaded to VirusTotal, Jotti's Virus Scan, and a few other similar sites is distributed to each anti-virus vendor that chooses to participate in the service but that participation list changes from time to time. This is the current list of the companies that take part in VirusTotal with their anti-virus engines.

Thank you, I didn't know this

But I don't understand how it downloads a 20 GB file, scans it and sends the result in 5 seconds ( It does all these steps in 5 seconds )

You said that antivirus companies do this

It makes sense only in one situation: the server of the file I want to download has the antivirus of one of the companies that provide service to Virustotal, and it has already checked that file and Total Virus only gets the result from that server?

 

VT does not scan download links. To scan a file YOU must download the file to your computer and upload it to VT.

VT has a size limit of 650 mb for upload if I remember correctly.

 

Virus Total can not assist with a 20GB file.
 


Edited by Porthos, 23 February 2024 - 01:04 PM.


#6 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 61,818 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:09 AM

Posted 23 February 2024 - 12:54 PM

Should I upload files larger than 650MBs?

Files larger than 650MBs tend to be bundles of some sort, (compressed files, ISO images, etc.) in these cases it makes sense to upload the inner individual files instead for several reasons...


... the server of the file I want to download has the antivirus of one of the companies that provide service to Virustotal, and it has already checked that file and Total Virus only gets the result from that server?

Your server antivirus is not the same. As I said above, VirusTotal uses command-line versions of anti-virus programs....and detection methods / behavior can differ.

 

AV product on VirusTotal detects a file and its equivalent commercial version does not

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#7 FNActivity

FNActivity
  • Topic Starter

  •  Avatar image
  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:39 AM

Posted 23 February 2024 - 03:00 PM

@quietman7

@Porthos

@1PW

 

Thank you , your answers made me understand the issue


Edited by FNActivity, 23 February 2024 - 03:00 PM.

Model of your computer 

Dell Precision M6700
 

Windows specifications 

Edition Windows 10 Pro

Version 22H2
Installed on ‎2020-‎11-‎16

OS build 19045.3996

Experience Windows Feature Experience Pack 1000.19053.1000.0

 

#8 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 61,818 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:09 AM

Posted 23 February 2024 - 04:55 PM

You're welcome on behalf of the Bleeping Computer community.


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users