I am not asking if VirusTotal is trusted as a service or who it is controlled by. Simply put: do you trust VirusTotal scan results? Do you think it is a reliable source when scanning malicious files?
Yes I do. When I'm in doubt (different results - possibility of FPs) I check results only from AVs that, by my experience, have very few FPs. I also check when the file was last scanned, and if it was a long time ago I upload it to be scanned again.
At the moment it's the only scanning service that I'm using. I would rather trust VT than a standalone scanner.
Unless it's the result from ClamAV or AVG, if I was using VT I would accept the flagged/detected results. As for determining if a file is presumably safe, I have other countermeasures.
VirusTotal does not provide absolute protection but increases your chances of detecting malware. Download some fresh malware and see for yourself. The "Orbit Downloader" event is a good reason why you cannot rely only on blacklist solutions like antivirus/VirusTotal to determine if a file is malicious or not.
I use VirusTotal and Jotti for submitting new samples, because they both supposedly share the samples with all the partnered AVs. Or if I'm just curious to get a gist of what picks up what (yes, knowing that the results aren't meant to be 100% of real-world results of various AVs). When the submitted file is all clear, 0/57 or whatever, then you're just stuck with looking at the other information like comments, votes or behavioral information. Easy way to check file hashes too.

But https://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

Always remember that just because nothing picks anything up doesn't mean the file is clean - it could just mean you have a fresh wild sample (which I've witnessed first hand). The people pumping out the malicious stuff also use their own versions of VirusTotal-like scanning sites (which do not share the files with AVs) to make sure nothing picks them up before putting them out in the wild. Then once their stuff starts getting picked up, they just re-crypt it.

So no, I don't trust the scan results, but it's useful to upload things to start getting a gist of what you have. When in doubt, find an AV which allows people to send in files and hope they'll at least listen to your concerns. I've found some to actually be kind of snotty and treat you like you're submitting them an obviously safe install_flashplayer.exe or something.
Yeah, I trust it (I use VT Hash Check specifically). I don't so much trust the results of a few of the scanners. They have a ton of FPs. If something is detected only by those 2-3 usual suspects (they're very obscure AVs), and not by any of the well-known and reputable vendors, then I know I can just write it off as an FP.
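The workflow these posts describe (look a file up by hash instead of uploading it, note how old the last analysis is, and discount engines you know to be FP-prone) is straightforward to script. The following is an added example, not code from anyone in this thread or from VirusTotal; it assumes the VirusTotal v3 REST API as publicly documented (GET /api/v3/files/<sha256> with an `x-apikey` header and `last_analysis_results` / `last_analysis_date` attributes in the response), so check the current docs before relying on it. The engine names and the report used for the offline run are constructed sample data, and the set of "noisy" engines is a placeholder the caller fills in from their own experience.

```python
"""Hash-based VirusTotal lookup with a simple triage summary (added example).

Looking up by SHA-256 never sends the file itself to VT, which matters
when the sample may contain private data. The summary separates
"flagged by engines I trust" from "flagged only by known-noisy engines"
and says whether the report is stale enough to justify a re-scan.
"""
import hashlib
import json
import os
import sys
import time
import urllib.request

# Endpoint as given in VirusTotal's public v3 API docs (assumption: verify before use).
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_of_file(path):
    """Hash the file locally so only the digest, never the content, leaves the machine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256, api_key):
    """Fetch an existing report by hash. An HTTP 404 means VT has never seen the file."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def make_report(results_by_engine, analysis_date):
    """Build a minimal report in the v3 shape. Constructed test data, not real VT output."""
    return {"data": {"attributes": {
        "last_analysis_date": analysis_date,
        "last_analysis_results": {
            name: {"category": cat,
                   "result": None if cat == "undetected" else "Constructed.Sample"}
            for name, cat in results_by_engine.items()},
    }}}


def summarize(report, noisy_engines=frozenset(), stale_after_days=30, now=None):
    """Turn a v3 file report into a triage dict; the verdict is a hint, not a clean bill."""
    attrs = report["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(n for n, r in results.items()
                     if r.get("category") in ("malicious", "suspicious"))
    trusted = [n for n in flagged if n not in noisy_engines]
    now = time.time() if now is None else now
    age_days = (now - attrs["last_analysis_date"]) / 86400.0
    if not results:
        verdict = "no analysis available"
    elif trusted:
        verdict = "likely malicious"
    elif flagged:
        verdict = "flagged only by noisy engines; probable false positive, verify"
    else:
        verdict = "no detections (not proof of a clean file)"
    return {
        "ratio": f"{len(flagged)}/{len(results)}",     # the familiar "N/57" style figure
        "flagged_by_trusted": trusted,
        "age_days": round(age_days, 1),
        "stale": age_days > stale_after_days,          # old report: consider re-submitting
        "verdict": verdict,
    }


# Constructed sample: two engines flag it, one of them a known-noisy engine.
SAMPLE_DATE = 1_600_000_000
SAMPLE_REPORT = make_report({"EngineA": "malicious", "NoisyEngine": "malicious",
                             "EngineB": "undetected", "EngineC": "undetected"}, SAMPLE_DATE)
NOISY = frozenset({"NoisyEngine"})  # placeholder: fill from your own FP experience

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    if len(sys.argv) == 2 and key:
        report = fetch_report(sha256_of_file(sys.argv[1]), key)   # live lookup, no upload
        print(json.dumps(summarize(report, NOISY), indent=2))
    else:
        print(json.dumps(summarize(SAMPLE_REPORT, NOISY, now=SAMPLE_DATE + 45 * 86400), indent=2))
```

Run it with a file path and `VT_API_KEY` set for a live hash lookup; without them it summarizes the constructed report. The point of the `stale` flag is the re-scan habit mentioned above, and of `flagged_by_trusted` the habit of ignoring the usual FP suspects; neither turns a "0/N" into a proof that the file is clean.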
Yes, correct, but I still doubt that a standalone scanner would be able to spot the malware if none of the scanners on VT spot anything. I mean, how good are heuristics nowadays? That's why I rely on HIPS and sandboxing.
1. The AV engines are command-line versions and are not the same as the desktop counterparts.
2. A green checkmark does not equate to "goodware" or "clean". It just means "maliciousness" was not detected.
3. Binary obfuscation is increasingly being used in malware.

VirusTotal is nothing more than a secondary opinion scanner with its own limitations. Better than nothing I suppose, but not the ultimate detection tool some may have mistaken it for... https://www.virustotal.com/en/faq/
I voted yes, but with a caveat: it is a reliable source to check if something might be suspicious and thus should be subjected to strict analysis and avoided until such analysis is provided by a trusted source. All VT does is run a specific sample against the current signatures in a finite list of popular AV/AM solutions. While this is useful information, it does not rise to the level of a definitive determination.
@safeguy and @Coldmoon: so do you both recommend a standalone AV in combination with VT? I must admit I have been relying on VT for the last 6 years; I got fed up with bloated AV products.
No, because in many years of looking at exploits, too often VT reported 0/35 for recently discovered malware. I recall the Conficker worm from 2009: http://channelnomics.com/2012/10/17/10-month-days-renew-focus-heuristics/

I remember a booby-trapped .RTF file I obtained to test. It was a targeted exploit, and VT had no detection. Yet it was malicious, using Microsoft Packager.exe (installed on all computers) to extract an embedded .SCR file which did the dirty work:

Emails with attachments targeted to organizations are very clever, and employees can be understandably fooled. But suppose an employee is suspicious, and uses the organization's AV to check, and it passes, and also uses VT, and it passes; then the malware succeeds (or not) depending on the other security in place at the organization.

---- rich
Personally, I'm not a fan of real-time desktop AV myself... they are not really my cup of tea. I do use VT too, but I just want to point out the limitations. That being said, desktop AVs have their own advantages (compared to a command-line scanner limited to heuristics and signatures). Whether or not someone wants to use one is up to the person himself. I'm not a malware analysis expert, so I won't make recommendations. That would be irresponsible of me.
@safeguy Yes, a real-time AV is out of the question for me, but I even ditched on-demand scanners (like Avira) because they were not worth it; they became way too heavy and bloated. But what I meant is: if you scan some app for malware, would you trust VT alone, or always scan it with some standalone AV as well?
Lastline Labs malware researchers studied hundreds of thousands of pieces of malware they detected over 365 days, from May 2013 to May 2014, testing new malware against the 47 vendors featured in VirusTotal to determine which caught the malware samples, and how quickly. The focus of this test is to determine how fast the anti-virus scanners catch up with new malware. Even after 2 months, one third of the AV scanners failed to detect many of the malware samples.

Some other interesting findings of this Lastline Labs research:

• On Day 0, only 51% of AV scanners detected new malware samples
• When none of the AV scanners detected a malware sample on the first day, it took an average of two days for at least one AV scanner to detect it
• After two weeks, there was a notable bump in detection rates (up to 61%), indicating a common lag time for AV vendors
• Over the course of 365 days, no single AV scanner had a perfect day - a day in which it caught every new malware sample
• After a year, there are samples that 10% of the scanners still do not detect

This analysis does not single out any AV vendor, and provides only insights based on VirusTotal data (with the caveats expressed at the beginning). http://labs.lastline.com/lastline-labs-av-isnt-dead-it-just-cant-keep-up

I have used VirusTotal as a secondary scanner many times, but would have to say no to trusting its results.
All these test data are fine and all, but let's not forget real-world effectiveness here. That's the basis for my previous statement.