How to use VirusTotal safely — hash-first, upload only when you should
VirusTotal aggregates 70+ antivirus engines and URL reputation feeds into a single report. Here is how to query it correctly, what the result tabs really mean, and when NOT to upload a file.
What VirusTotal is
VirusTotal is a cloud service that takes a file, URL, domain, or IP address and runs it through 70+ antivirus engines and URL reputation feeds, then shows you all the results at once. It was launched in 2004 by the Spanish firm Hispasec Sistemas, acquired by Google in 2012, and is now part of Google Cloud Security.
Key points:
- Free to use via the web
- Shows individual engine verdicts with their detection names (e.g. Trojan:Win32/...)
- Anything you upload — files, metadata, sandbox behaviour — is shared with the security community, researchers, and industry partners
- Not a single verdict engine. It is an aggregation layer over many scanners and past observations
What you can do (free tier)
| Input | What you get |
|---|---|
| Hash (SHA-256 / SHA-1 / MD5) | Prior verdicts, comments, and sandbox behaviour for the same file — without uploading anything |
| File (up to ~650 MB; requirements change) | Immediate scan by dozens of AVs. Counts as a public submission |
| URL | Reputation, category, per-engine verdicts |
| Domain / IP | Reputation history, malicious use history, related hashes |
Important: VirusTotal is not a single oracle. It is an aggregation of 70+ scanners plus a historical observation database. Quality of any single verdict depends on the underlying engines.
Step 1: Query by hash first
Do not treat VirusTotal as "the place to drop files". The correct workflow is to hash first, search first, upload last.
Computing SHA-256
| OS | Command |
|---|---|
| Windows (PowerShell) | Get-FileHash .\suspect.exe -Algorithm SHA256 |
| macOS / Linux | shasum -a 256 ./suspect.exe |
| Linux (alternative) | sha256sum ./suspect.exe |
Paste the 64-character hex string into VirusTotal's top search box (or the "Search" tab).
If the hash is found
- The file has been submitted before. You see prior detection counts, First seen timestamp, community notes.
- Mind the freshness. A scan from a year ago may no longer reflect current engine coverage.
If the hash says "Not found"
- Either a brand-new file or a narrowly-targeted payload.
- By itself this does not mean "safe" or "dangerous".
- You now have to decide whether to upload it.
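The hash-first workflow above, as an added example (this is not code from the page or from VirusTotal). It assumes the VirusTotal API v3 file lookup, `GET /api/v3/files/{hash}` with an `x-apikey` header, and treats a 90-day freshness threshold as an assumption of the example rather than a VirusTotal rule; the two response bodies are constructed samples in the v3 shape, not real data. Nothing is sent over the network: the request is only built, so you can see that a hash query moves no file bytes off your machine.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# VirusTotal API v3 file-object lookup by hash (MD5, SHA-1 or SHA-256 all work as the id).
VT_FILE_LOOKUP = "https://www.virustotal.com/api/v3/files/{file_hash}"
STALE_AFTER = timedelta(days=90)  # freshness threshold; an assumption of this example, not a VT rule


def sha256_hex(data: bytes) -> str:
    """SHA-256 as the 64-character lowercase hex string VirusTotal's search box expects."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so a large binary never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_lookup(file_hash: str, api_key: str) -> dict:
    """Parameters for the hash-only GET. Only the hash leaves your machine; no bytes are uploaded."""
    return {
        "method": "GET",
        "url": VT_FILE_LOOKUP.format(file_hash=file_hash.lower()),
        "headers": {"x-apikey": api_key, "accept": "application/json"},
    }


def interpret_lookup(status_code: int, body: dict, now: datetime) -> dict:
    """Map the lookup outcome onto Step 1's branches.

    404 = never submitted: not a safety verdict, just the point where the upload
    decision starts. 200 = prior results exist; their age decides how much they mean.
    """
    if status_code == 404:
        return {"found": False, "stale": None, "age_days": None,
                "next_step": "not seen before: decide whether uploading is appropriate"}
    if status_code != 200:
        raise ValueError(f"unexpected HTTP status {status_code}")
    attrs = body["data"]["attributes"]
    last = datetime.fromtimestamp(attrs["last_analysis_date"], tz=timezone.utc)
    first = datetime.fromtimestamp(attrs["first_submission_date"], tz=timezone.utc)
    age = now - last
    stale = age > STALE_AFTER
    return {
        "found": True,
        "first_seen": first.isoformat(),
        "age_days": age.days,
        "stale": stale,
        "detections": attrs["last_analysis_stats"].get("malicious", 0),
        "next_step": ("prior results are older than the freshness threshold: read them as history, not as a current verdict"
                      if stale else "prior results are recent: read the report tabs"),
    }


# Constructed sample responses in the shape of the v3 API (not real data, not a real hash).
SAMPLE_FOUND = {"data": {"type": "file", "id": "<sha256 placeholder>", "attributes": {
    "first_submission_date": 1_600_000_000,
    "last_analysis_date": 1_600_086_400,
    "last_analysis_stats": {"malicious": 12, "undetected": 58},
}}}
SAMPLE_NOT_FOUND = {"error": {"code": "NotFoundError", "message": "File not found"}}


def demo(days_since_last_analysis: int) -> dict:
    """Replay the constructed found-sample as if queried N days after its last analysis."""
    now = datetime.fromtimestamp(
        SAMPLE_FOUND["data"]["attributes"]["last_analysis_date"] + days_since_last_analysis * 86400,
        tz=timezone.utc)
    return interpret_lookup(200, SAMPLE_FOUND, now)


if __name__ == "__main__":
    print(build_hash_lookup(sha256_hex(b"abc"), "<api key placeholder>"))
    print(interpret_lookup(404, SAMPLE_NOT_FOUND, None))
    print(demo(100))
```

The point of `interpret_lookup` is that both branches end in a decision, not a verdict: a 404 sends you to Step 2, and a hit older than your threshold is treated as history to be re-read rather than as today's engine coverage.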
Step 2: Deciding whether to upload
When the hash isn't found, should you upload? It depends on the content:
| File type | Upload? |
|---|---|
| Widely-distributed public binary | ✅ Essentially fine |
| Your company's internal document or build | ❌ Never |
| PDFs / Office docs that may contain PII or customer data | ❌ Never |
| Personal photos or private files from friends | ⚠️ Usually avoid; depends on content |
| Unknown .exe from an email attachment, not internal | ⚠️ Only with the understanding it becomes public-ish |
Why: per VirusTotal's Privacy Policy, uploaded files are "shared with security industry partners and researchers". An upload may leak confidential data that wasn't public before. In a targeted-attack scenario, uploading can also tip off the attacker that the target noticed.
Reading the report
The result page has multiple tabs:
Detection tab
- At the top: N / 70 detected — the count of engines that flagged the file
- Below: per-engine verdicts (Malicious / Undetected / Type unsupported / Timeout)
- Detection names (e.g. Trojan.GenericKD.12345) are vendor-specific — the same file can have different labels across engines
Rough reading guide:
| Detections | Typical meaning |
|---|---|
| 20+ / 70 | Widely-known malware. Delete |
| 3–10 / 70 | Newer threat or partial AV coverage. Do not run |
| 1–2 / 70 | Could be false positive, could be targeted payload |
| 0 / 70 + First seen now | Not yet scanned — not a safety signal |
| 0 / 70 + First seen years ago + many downloads | Likely a known legitimate file |
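The rough reading guide turned into code, as an added example (not the page's own code and not a VirusTotal library). It reads the fields the Detection and Details tabs are built from in the v3 file object (`last_analysis_stats`, `last_analysis_results`, `first_submission_date`) and also folds in the pitfall covered later on this page: one or two hits that are all generic-heuristic names are weaker evidence than a specific family verdict. The generic-name regex and the use of `times_submitted` as a stand-in for the guide's "many downloads" are assumptions of this example; the three file objects are constructed samples, not real scan results.

```python
import re
from datetime import datetime, timezone

# Detection names that look generic/heuristic rather than naming a specific family.
# The pattern is an assumption of this example; vendors share no naming scheme.
GENERIC_NAME = re.compile(r"generic|heur|suspicious|unsafe|score|\bml\b|\bai\b", re.I)


def flagged_engines(results: dict) -> dict:
    """Engines whose category is malicious or suspicious, mapped to their detection name."""
    return {engine: (r.get("result") or "")
            for engine, r in results.items()
            if r.get("category") in ("malicious", "suspicious")}


def read_detection_tab(attrs: dict, now: datetime) -> dict:
    """Apply the page's rough reading guide to a v3 file object's attributes."""
    stats = attrs["last_analysis_stats"]
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    flagged = flagged_engines(attrs["last_analysis_results"])
    generic_only = hits > 0 and all(GENERIC_NAME.search(name) for name in flagged.values())

    first_seen = datetime.fromtimestamp(attrs["first_submission_date"], tz=timezone.utc)
    age_days = (now - first_seen).days
    submissions = attrs.get("times_submitted", 0)  # assumed stand-in for "many downloads"

    if hits >= 20:
        reading = "widely-known malware: delete"
    elif hits >= 3:
        reading = "newer threat or partial AV coverage: do not run"
    elif hits >= 1:
        reading = ("generic-heuristic flags only: possible false positive, check the other signals"
                   if generic_only else
                   "specific named verdict from few engines: possible targeted payload, do not run")
    elif age_days < 1:
        reading = "0 detections but first seen just now: not yet meaningfully scanned"
    elif age_days >= 365 * 2 and submissions >= 100:
        reading = "0 detections, known for years and widely submitted: likely legitimate"
    else:
        reading = "0 detections with limited history: not a safety signal on its own"

    return {"detections": f"{hits} / {engines}", "flagged": flagged, "generic_only": generic_only,
            "first_seen_days_ago": age_days, "reading": reading}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed samples (not real scan data). 1: two generic hits on a file known for years.
SAMPLE_FEW_GENERIC = {
    "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 68, "harmless": 0},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Generic.Heuristic.123"},
        "EngineB": {"category": "malicious", "result": "ML.Attribute.HighConfidence"},
        "EngineC": {"category": "undetected", "result": None},
    },
    "first_submission_date": int(datetime(2019, 1, 1, tzinfo=timezone.utc).timestamp()),
    "times_submitted": 250,
}
# 2: 25 engines agreeing on a family name.
SAMPLE_MANY = {
    "last_analysis_stats": {"malicious": 25, "suspicious": 0, "undetected": 45, "harmless": 0},
    "last_analysis_results": {f"Engine{i}": {"category": "malicious", "result": "Trojan.GenericKD.12345"}
                              for i in range(25)},
    "first_submission_date": int(datetime(2024, 5, 1, tzinfo=timezone.utc).timestamp()),
    "times_submitted": 40,
}
# 3: clean, old, and submitted thousands of times.
SAMPLE_CLEAN_OLD = {
    "last_analysis_stats": {"malicious": 0, "suspicious": 0, "undetected": 70, "harmless": 0},
    "last_analysis_results": {"EngineA": {"category": "undetected", "result": None}},
    "first_submission_date": int(datetime(2018, 3, 1, tzinfo=timezone.utc).timestamp()),
    "times_submitted": 5000,
}

if __name__ == "__main__":
    for sample in (SAMPLE_FEW_GENERIC, SAMPLE_MANY, SAMPLE_CLEAN_OLD):
        print(read_detection_tab(sample, NOW))
```

The useful part is the 1–2 detection branch: the count alone cannot separate a heuristic false positive from a targeted payload, so the function looks at the detection names before choosing a reading, which is what the page tells you to do by hand.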
Details tab
- File type, size, SHA-256 / SHA-1 / MD5, SSDEEP, code-signing info
- First Submission and Last Analysis Date
- File name history (the Names field) — hints at the disguises used during distribution
Community tab
- Comments and up/down votes from other users
- Tags by researchers (e.g. apt-group-X, stealer)
- Open discussion is itself a signal of trust
Behavior tab (sandbox)
- Sandbox execution log
- Registry writes, file creation, network connections, process spawning
- Evidence of C2 traffic or persistence here is usually decisive
Relations tab
- Distribution URLs where the hash was seen
- IPs / domains it contacted
- Other files it dropped or was bundled with
- The starting point for incident investigation
Limits and pitfalls
1. Zero-days are invisible
Engines depend on past signatures. A sample hours or days old is commonly missed by most engines. "Zero detections, therefore safe" is a bad inference.
2. False positives happen
Benign tools occasionally trip one or two generic-heuristic rules (Generic.Heuristic.xxx). Look at which engines flagged and what detection names they use. Generic-heuristic flags from one vendor are different evidence than a specific named-malware verdict from a leader.
3. Uploads become public knowledge
Once uploaded, the file's hash, metadata, and sandbox behaviour become searchable by VT Intelligence subscribers and partners. Do not upload internal builds, contracts, personal photos, or employee lists.
4. "VT clean ≠ go ahead and install"
As covered in the .exe safety guide, a clean VT result is one input among many:
- Sender / source trustworthiness
- Code signature and publisher
- SmartScreen warning (or absence)
- Mark of the Web status
Layer them. VT is not the whole answer.
5. Hash only matches identical bytes
A single byte change flips the SHA-256. Attackers recompiling the same malware family produce different hashes that your hash search won't match — even though the behaviour may be the same. Behaviour-based hunting (Yara, available in VT Intelligence) catches these.
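What "a single byte change flips the SHA-256" looks like in numbers, as an added example (not code from the page). It toggles one bit of a constructed 4 KiB stand-in for a binary, counts how many of the 256 digest bits change, and then compares the two buffers with a simplified piecewise hash that only scores how many fixed-size pieces still match. That piecewise scheme is an assumption of this illustration, not SSDEEP's algorithm (which is context-triggered and tolerates insertions), but it shows why similarity hashes and content rules can still relate two variants that an exact-hash search treats as unrelated.

```python
import hashlib

CHUNK = 64  # bytes per piece; an assumption of this illustration, not ssdeep's block sizing


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flip_one_byte(data: bytes, index: int) -> bytes:
    """Copy of data with one bit of one byte toggled: the smallest possible 'recompile'."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def hamming_bits(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def piecewise_hashes(data: bytes, size: int = CHUNK) -> list:
    """Hash each fixed-size piece on its own; a local change disturbs only its own piece."""
    return [hashlib.sha256(data[i:i + size]).hexdigest()[:8] for i in range(0, len(data), size)]


def piecewise_similarity(a: bytes, b: bytes, size: int = CHUNK) -> float:
    """Fraction of positionally matching piece hashes, 0.0..1.0."""
    ha, hb = piecewise_hashes(a, size), piecewise_hashes(b, size)
    matches = sum(1 for x, y in zip(ha, hb) if x == y)
    return matches / max(len(ha), len(hb))


def compare_variants(original: bytes, variant: bytes) -> dict:
    """Exact hash vs. similarity view of the same pair of buffers."""
    h1, h2 = sha256_hex(original), sha256_hex(variant)
    return {
        "sha256_equal": h1 == h2,
        "sha256_bits_changed": hamming_bits(h1, h2),   # about half of 256, every time
        "piecewise_similarity": piecewise_similarity(original, variant),
    }


# Constructed 4 KiB stand-in for a binary; the "variant" differs in exactly one byte.
ORIGINAL = bytes(range(256)) * 16
VARIANT = flip_one_byte(ORIGINAL, 1000)

if __name__ == "__main__":
    print(compare_variants(ORIGINAL, VARIANT))
```

Read the two numbers together: the digest difference is essentially 50% no matter how small the edit, which is the property that makes hash search precise but brittle, while the piecewise score stays at 63/64 because only the piece containing byte 1000 changed.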
Alternatives & complements
You don't have to rely on VirusTotal alone.
- Hybrid Analysis (CrowdStrike) — detailed sandbox reports from Falcon Sandbox
- MetaDefender Cloud (OPSWAT) — 30+ engines plus Content Disarm and Reconstruction
- JoeSandbox — deep dynamic analysis; subscription
- ANY.RUN — interactive sandbox where you can drive the execution
A reasonable order for a suspicious binary: VT hash search → Hybrid Analysis or ANY.RUN for behaviour.
FAQ
Q. The file is too large to upload.
A. Free tier accepts up to ~650 MB but large uploads time out frequently. See whether a hash search alone is enough first.
Q. Do I need an account?
A. No — searches work anonymously. An account is only needed to track submissions or post comments.
Q. Can I automate it via API?
A. The free API is capped at 4 requests per minute / 500 per day. Serious use requires paid VT Intelligence or VT Premium.
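A client-side throttle for the free-tier ceilings quoted in this answer, as an added example (not the page's code and not an official VirusTotal client). It keeps a sliding window of 4 requests per minute and 500 per day, sleeps only as long as needed, and stops issuing lookups once the daily quota is spent instead of collecting rate-limit errors. The `send` callable and the hashes in `demo` are constructed stand-ins (no HTTP is performed), and the clock is injectable so the policy can be run and checked without real waiting.

```python
import time
from collections import deque


class QuotaLimiter:
    """Sliding-window enforcement of 4 requests/minute and 500/day (the limits quoted above).

    clock/sleep are injectable so the policy can be exercised without real waiting;
    the defaults use the wall clock.
    """

    def __init__(self, per_minute=4, per_day=500, clock=time.monotonic, sleep=time.sleep):
        self.per_minute, self.per_day = per_minute, per_day
        self.clock, self.sleep = clock, sleep
        self.minute_log = deque()  # timestamps of requests in the last 60 s
        self.day_log = deque()     # timestamps of requests in the last 24 h
        self.slept = 0.0

    @staticmethod
    def _expire(log, now, window):
        while log and now - log[0] >= window:
            log.popleft()

    def acquire(self) -> bool:
        """Wait until a per-minute slot is free; return False if the daily quota is spent."""
        now = self.clock()
        self._expire(self.day_log, now, 86400)
        if len(self.day_log) >= self.per_day:
            return False
        self._expire(self.minute_log, now, 60)
        if len(self.minute_log) >= self.per_minute:
            wait = 60 - (now - self.minute_log[0])
            self.sleep(wait)
            self.slept += wait
            now = self.clock()
            self._expire(self.minute_log, now, 60)
        self.minute_log.append(now)
        self.day_log.append(now)
        return True


def lookup_hashes(hashes, send, limiter) -> dict:
    """Look up each unique hash via `send` (the callable that does the HTTP GET) under the limiter."""
    results = {}
    for h in dict.fromkeys(x.lower() for x in hashes):  # dedupe, preserving order
        if not limiter.acquire():
            results[h] = "skipped: daily quota exhausted"
            continue
        results[h] = send(h)
    return results


class FakeClock:
    """Deterministic clock so the demo runs instantly and offline."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def demo(n_hashes: int = 10, per_day: int = 500) -> dict:
    """Run n constructed lookups through a fake sender; report what was sent and simulated time."""
    clock = FakeClock()
    limiter = QuotaLimiter(per_day=per_day, clock=clock.now, sleep=clock.sleep)
    fake_hashes = [f"{i:064x}" for i in range(n_hashes)]  # constructed, not real sample hashes
    sent = []

    def send(h):
        sent.append(h)
        return {"status": 404}  # pretend nothing has ever been seen

    results = lookup_hashes(fake_hashes, send, limiter)
    return {"results": results, "sent": len(sent), "elapsed_s": clock.t, "slept_s": limiter.slept}


if __name__ == "__main__":
    print(demo())                          # 10 lookups take two 60 s pauses
    print(demo(n_hashes=5, per_day=3))     # daily quota stops the last two
```

Ten hashes at 4 per minute means the fifth and ninth requests each wait a full minute, so the simulated run takes 120 s; at that rate the 500/day ceiling is reached well before the day is over, which is why the answer points to the paid tiers for anything beyond occasional lookups.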
Q. Is there a fully local alternative?
A. Windows Defender command-line scan (MpCmdRun.exe -Scan -ScanType 3 -File <path>) runs offline. Verdict quality is lower than VT's aggregate, but your file stays local.
Q. Does it check URLs?
A. Yes — the URL tab aggregates URL reputation feeds and per-engine verdicts. Useful for phishing investigation.
Related guides
- Is this .exe safe? — VirusTotal as one of five checks
- How to open a .dat file — general unknown-file triage
- File Signature Checker — verify extension vs real bytes in your browser