Why it is better to recheck files on Virustotal

Martin Brinkmann
Jan 23, 2013
Security
|
9

Virustotal is one of the best security related services that you can access online. You can use it to check files that you upload to the service against the databases of more than 40 different antivirus engines. I use it to verify apps and programs that I review here on Ghacks to make sure that they are clean.

The service has a couple of limitations that need to be mentioned. For one, it is only possible to upload files that do not exceed 32 Megabyte in size. You sometimes may want to scan a larger file and can't do so on Virustotal unless it is possible to extract the file - if it is an archive for instance - to check the files individually provided that they drop below the 32 Megabyte mark.

The second limitation is that you can only check one file at a time. While that is usually the case, you may want to consider adding multiple files to an archive to check them at once. This may lead to issues if malicious code is found in the archive as you do not really know the culprit right away and need to perform additional scans in this case to find out.

When you check files on Virustotal that have already been scanned previously, you get the option to look at the results of the previous scan. Virustotal computes the hash of the file, compares it with the hashes in the databases and when it finds an identical listing, it offers to display previous results to you.

virustotal file already analysed

A click on view last analysis displays the scan results of the previous result. Virustotal displays the data and time of the last scan as well as the detected hits.

You may want to consider clicking on the reanalyse button whenever you want to scan files on Virustotal that have been scanned previously. The reason is simple: the engines used by Virustotal are updated regularly so that a new scan of a file may have different results than the previous scan. While it is usually not necessary if the last scan was run 30 minutes ago, it is recommended to do so if it dates back days.

A new scan may also be helpful if you get results where some engines detected malware while the majority of engines did not. Updates to engines may resolve false positive issues for instance so that you may end up with a better result in the end.

Advertisement

Previous Post: «
Next Post: «

Comments

  1. Marc said on January 24, 2013 at 11:10 pm
    Reply

    If I may there’s another reason that albeit unlikely can happen, especially considering the huge amount of samples that are analysed: md5 collisions. It can happen that the file you uploaded shares a checksum with another different and clean or infected file, either way giving you results that may differ with an anlysis of the sample you uploaded. I’m going perhaps a bit deeper into what Claude LaFrenière thoughts.

    If you suspect a file may be infected, and as such upload it to virustotal, would you take the extra time to wait for it to re-analyse or just trust in the probabilities? (cosidering the last displayed scan results are recent)

    btw for some reason and some time I’m unable to “reply” in the comments, have had to rely on @, but I prefer nested comments.

  2. Gonzo said on January 23, 2013 at 8:45 pm
    Reply

    I also reanalyze if it’s old but have never found that the the results change significantly.

    I don’t think updates are exaggerated but I do think heuristics are. The recent debate between AV-Test and MSSE has shed some light on this. I personally side with MS and believe it’s scareware.

    Full disclosure – I don’t run AV or any third party “security” software and instead rely on good old fashioned rights management (Standard User and Global Polices). I use VirusTotal on files that I’m unsure of.

  3. Claude LaFrenière said on January 23, 2013 at 8:36 pm
    Reply

    Hi :)

    For sure it’s always better to double check but in this case the file to be checked have is own and unique checksum. If the checksum of the file already checked is the same than the file I would check, is it really mandatory?

    Can we rely on checksum or not? May be…

    Have a nice day! :)

  4. Crodol said on January 23, 2013 at 8:17 pm
    Reply

    I do the same (reanalyse if the prior analysis is “old”) but I have never had the case that it found an infection which it didn’t find in the past.

    Maybe the virus companies are a little bit exaggerating the importance of the constant updated?!

  5. Rick said on January 23, 2013 at 7:26 pm
    Reply

    You should also remember that some of the larger software companies pay the AV companies to include certain files in their infected or suspicious results. VirusTotal will report these files as infected by extension.

    These files generally tend to be keygens and cracks / cracked exe’s. Of course, none of the readers here would have experienced this themselves :)

  6. Jeanbelga said on January 23, 2013 at 5:17 pm
    Reply

    BTW, “VirusTotal uploader” still has the old limit for the file (21Mb).

  7. ecomm said on January 23, 2013 at 4:19 pm
    Reply

    Now that you mention this. The Windows Medkit that you advised gives 3 warnings on Virustotal. What’s your opinion about it?

    1. Martin Brinkmann said on January 23, 2013 at 4:25 pm
      Reply

      When a file gets a couple of hits it usually means false positives. I look at the engines that have detected the hits and check what they have detected. In this case is is a “suspicious file” indicating that the engine is not sure about whether it is malicious or not, and a generic hit by Trend Micro which also usually means false positive.

  8. BobbyPhoenix said on January 23, 2013 at 4:03 pm
    Reply

    I’ve been using this for years. Very good piece of mind especially when you want to visit links from anywhere from emails to forums. With so many new scams out there this is a good thing to do. There are also extensions for Firefox and Chrome that allows you to right click and scan a link before accessing it.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.