How to Analyse VirusTotal Results
Published 29 May 2024
A VirusTotal Scan Guide
➢ When conducting a VirusTotal (VT) scan, follow these steps to analyze the results:
1. Check Scan Date
Ensure that the scan date is recent. If not, rerun the scan to detect new threats and remove old false positives.
2. Details Tab
Creation Time, First Seen In The Wild, and First Submission:
Creation Time may be unreliable if obviously fake (e.g., set in the future).
Compare First Seen In The Wild and First Submission dates with the product release date to identify recycled malware.
3. Submitted Names
Ignore names resembling hashes or generic terms like 'sample1.exe'.
Multiple names for unrelated products suggest potential malware.
4. Pirated Software
For pirated software, signatures won't help: cracks and patched files will not carry a valid signature anyway. In any other context, an invalid signature would normally be suspicious.
5. Relations Tab
Execution Parents/Resource Parents:
Focus on installers or archives that contained, dropped, or downloaded the file. Ignore if scanning an installer that wasn't extracted from another file.
Dropped Files/Bundled Files:
Examine files extracted from the scanned file, particularly useful when scanning archive files.
6. Contacted IP Addresses/URLs
Be wary of overwhelmingly malicious results, but also consider false positives (e.g., drive.google.com is currently flagged as a phishing site by one of the AVs).
Suspicion arises if a file meant to be benign (e.g., a keygen or patcher) makes unexpected requests.
7. Behavior Tab
Opening and reading files, writing/deleting temp files, and expected installer activities are generally benign.
Suspicion arises if the file exhibits unusual behavior or accesses unnecessary areas.
8. Detections Tab
Generic/gen/susgen detections (like W32.Trojan.Gen) or AI/ML labels may indicate potential malware that doesn't match known signatures.
Common detections for cracks, patches, etc., include riskware, hacktool, and not-a-virus (the last one is specific to Kaspersky).
9. Highlighted Actions Review:
Although rare, alarming statements such as 'all your files are belong to us' warrant immediate action.
10. File Age
New files may lack accurate detections, while older files should have more reliable results.
A file's age can provide context; newer files warrant closer scrutiny.
11. Multiple Similar Detections:
If numerous specific detections align, it indicates higher risk.
12. Community Tab Consideration:
While often cluttered, occasionally valuable insights or warnings are found.
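The checks in steps 1 to 3, 8, 10 and 11 above can be applied mechanically to a scan report before a human looks at the rest. The script below is an added example, not code from this guide or from VirusTotal: it runs those checks over a constructed report whose field names are loosely modelled on VirusTotal's v3 file-object attributes (last_analysis_date, creation_date, first_seen_itw_date, first_submission_date, names, last_analysis_results), and every value in it, including the vendor names, labels and the assumed product release date, is made up for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, loosely modelled on the attributes of a VirusTotal v3
# file object. Field names and every value here are assumptions for this
# example, not data from a real scan.
UTC = timezone.utc
SAMPLE_REPORT = {
    "last_analysis_date": int(datetime(2024, 4, 24, tzinfo=UTC).timestamp()),
    "creation_date": int(datetime(2030, 1, 1, tzinfo=UTC).timestamp()),  # obviously fake
    "first_seen_itw_date": int(datetime(2022, 4, 15, tzinfo=UTC).timestamp()),
    "first_submission_date": int(datetime(2022, 4, 26, tzinfo=UTC).timestamp()),
    "names": [
        "sample1.exe",  # placeholder name, ignored
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # hash-like, ignored
        "keygen.exe", "Editor_Patcher.exe", "BrowserSetup.exe",  # three unrelated products
    ],
    "last_analysis_results": {
        "VendorA": {"category": "malicious", "result": "W32.Trojan.Gen"},
        "VendorB": {"category": "malicious", "result": "HackTool.Win32.KMSAuto"},
        "VendorC": {"category": "malicious", "result": "not-a-virus:RiskTool.Win32.KMSAuto"},
        "VendorD": {"category": "undetected", "result": None},
        "VendorE": {"category": "malicious", "result": "ML.Attribute.HighConfidence"},
        "VendorF": {"category": "malicious", "result": "Trojan.Agent.XYZ"},
    },
}

HASH_LIKE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})(?:\.\w+)?$", re.I)
GENERIC_NAME = re.compile(r"^(?:sample|file|test|unknown|malware)\d*(?:\.\w+)?$", re.I)
GENERIC_TOKENS = {"gen", "generic", "susgen", "heur", "heuristic", "ml", "ai", "suspicious"}
RISKWARE_TOKENS = {"riskware", "risktool", "hacktool", "not-a-virus", "pup", "pua"}


def informative_names(names):
    """Drop hash-like and placeholder names (step 3); return the distinct remainder."""
    return sorted({n for n in names if not HASH_LIKE.match(n) and not GENERIC_NAME.match(n)})


def classify_detection(label):
    """Bucket a vendor label as 'riskware', 'generic', or 'specific' (step 8)."""
    tokens = {t.lower() for t in re.split(r"[.:/ ]", label) if t}
    if tokens & RISKWARE_TOKENS:
        return "riskware"
    if tokens & GENERIC_TOKENS:
        return "generic"
    return "specific"


def _ts(report, key):
    value = report.get(key)
    return datetime.fromtimestamp(value, tz=UTC) if value else None


def triage(report, now, product_release=None, max_scan_age_days=30):
    """Apply the guide's mechanical checks; return (findings, detection counts)."""
    findings = []
    scanned = _ts(report, "last_analysis_date")
    if scanned is None or now - scanned > timedelta(days=max_scan_age_days):
        findings.append("stale_scan")  # step 1: rerun the scan
    created = _ts(report, "creation_date")
    if created is not None and created > now:
        findings.append("fake_creation_time")  # step 2: timestamp is unreliable
    seen = [d for d in (_ts(report, "first_seen_itw_date"), _ts(report, "first_submission_date")) if d]
    first_seen = min(seen) if seen else None
    if product_release is not None and first_seen is not None and first_seen < product_release:
        findings.append("predates_product_release")  # step 2: recycled sample
    if first_seen is not None and now - first_seen < timedelta(days=7):
        findings.append("very_new_file")  # step 10: detections may lag
    if len(informative_names(report.get("names", []))) > 2:
        findings.append("many_unrelated_names")  # step 3: count only; relatedness is a human call
    counts = {"generic": 0, "riskware": 0, "specific": 0}
    for verdict in report.get("last_analysis_results", {}).values():
        if verdict.get("category") == "malicious" and verdict.get("result"):
            counts[classify_detection(verdict["result"])] += 1
    if counts["generic"]:
        findings.append("generic_or_ml_detections")  # step 8
    if counts["riskware"]:
        findings.append("riskware_or_hacktool_labels")  # step 8: expected for cracks/patchers
    if counts["specific"] >= 3:
        findings.append("multiple_specific_detections")  # step 11
    return findings, counts


def demo():
    """Run the checks against the constructed sample with a fixed clock."""
    now = datetime(2024, 5, 29, tzinfo=UTC)
    release = datetime(2023, 1, 1, tzinfo=UTC)  # assumed product release date
    return triage(SAMPLE_REPORT, now, product_release=release)


if __name__ == "__main__":
    findings, counts = demo()
    print("findings:", findings)
    print("detection counts:", counts)
```

The output is a list of flags, not a verdict: the sample trips the stale-scan, fake-creation-time, predates-release and many-names checks and shows two generic/ML and two riskware labels against a single specific one, which is exactly the mix the guide says to weigh by hand rather than trust a count for. The Relations, Behavior and Community tabs (steps 5 to 7, 9 and 12) are deliberately not automated here because they need the reader's judgment about what the file is supposed to do.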
Note:
This guide is here to help you make informed decisions, but the final call on file safety is yours. Use your best judgment and be cautious. If you're unsure, refrain from using the file or seek help from a security expert.