VirusTotal Graph visualizes scans and shows IP connections

Martin Brinkmann
Jan 9, 2018
Security
|
22

VirusTotal Graph is a new feature of the popular virus scanning service that visualizes the relationship between files, URLs, domains and IP addresses of analyzed data sets.

Virustotal is a handy service as it lets anyone upload files to scan them using more than 60 different antivirus engines. The service is not without criticism though; software developers have criticized it in the past for including engines that are prone to false positives.

VirusTotal Graph

virustotal graph open

VirusTotal Graph is available to all VirusTotal community members. You need to sign in with an account to access Graph but that is the only requirement.

You can open VirusTotal Graph from any scan results page by clicking on the menu icon and selecting the "Open in VirusTotal Graph" button.

The interface that opens is divided into two main panes. The main pane displays the graph, the sidebar information about the selected node.

virustotal graph

The screenshot above visualizes a simple graph of the program NoBot which I reviewed previously here on the site.

It shows the exefile as the root note and a network location that was found during the scan. The file itself was not flagged by any antivirus engine but the URL in question was. Virustotal does not reveal the fact on its main website when you scan the file, but it does reveal it in Graph.

Graphs can be complex depending on the file that you upload. VirusTotal published a screenshot of a graph with more than a hundred nodes on the official blog.

complex graph

Graph visualizes the analysis process on VirusTotal. It provides you with information that the main scan results don't reveal. This includes among other things contacted IP addresses or URLs found in files during the scan.

You can follow nodes to highlight connections and get information about each node you click on right away.

File nodes reveal the type, size and the date the sample was submitted for the first time for instance. Graph displays detection information, and it is possible to edit the graph. You can add new nodes (file, URL, domain or IP addresses) to the graph. This can be useful if a file archive contains multiple files that you wanted to scan individually.

Graphs can be saved so that you can go back to a saved graph at a later point in time. Saving happens online on the VirusTotal servers and not offline. You get a graph ID when you save a  graph which you need to access through a link provided to you.

Closing Words

VirusTotal Graph is a useful tool that visualizes the analysis and by doing so, may reveal additional information about a file. The fact that the tool reveals contacted IP addresses and found URLs alone is well worth the hassle of creating an account on the site in my opinion. (via Bleeping Computer)

Summary
VirusTotal Graph visualizes scans and shows IP connections
Article Name
VirusTotal Graph visualizes scans and shows IP connections
Description
VirusTotal Graph is a new feature of the popular virus scanning service that visualizes the relationship between files, URLs, domains and IP addresses of analyzed data sets.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Tony said on January 10, 2018 at 1:55 am
    Reply

    VirusTotal can be misleading because unless you force a rescan, the scans were performed with old definitions.

  2. Croatoan said on January 9, 2018 at 11:37 pm
    Reply

    Is ghacks.net supported on Opera (on Android). I get only old articles (before new theme). Ads aren’t blocked, removed cookies and settings. And still no new articles.

    1. Martin Brinkmann said on January 10, 2018 at 7:15 am
      Reply

      Yes it is supported. Try Ctrl-F5 to refresh the page. Does that help?

      1. Croatoan said on January 10, 2018 at 1:25 pm
        Reply

        How to do ctrl+f5 on mobile phone?

      2. Martin Brinkmann said on January 10, 2018 at 1:43 pm
        Reply

        Sorry did not know that you were on the phone. Which browser do you use?

      3. Croatoan said on January 10, 2018 at 2:52 pm
        Reply

        https://play.google.com/store/apps/details?id=com.opera.browser&hl=en

        Opera

        With Desktop view I see all articles, without Desktop view I see only old articles.

      4. Martin Brinkmann said on January 10, 2018 at 4:49 pm
        Reply

        Should be fixed now, can you confirm?

      5. Croatoan said on January 10, 2018 at 9:23 pm
        Reply

        Yes. It works. Thanks.

      6. Martin Brinkmann said on January 10, 2018 at 2:58 pm
        Reply

        Thank you for reporting this. It seems to be a bug that I will address asap.

      7. Martin Brinkmann said on January 10, 2018 at 2:53 pm
        Reply

        I will download and check this out and try to find a solution.

  3. porridge said on January 9, 2018 at 7:19 pm
    Reply

    VirusTotal is indeed a useful thing. Too bad it’s Google again…

  4. jasray said on January 9, 2018 at 6:38 pm
    Reply

    More to the Community Score story, “the more” being readily available by using Ghostery and uBlock Origin. One will find the trackers blocked on gHacks using Ghostery, and if one configures uBlock Origin correctly, the site is broken and won’t display correctly. At first, I thought it was a “bug” with Nightly, but a quick check and update of Chrome and the aforementioned tools, the same result occurs.

    One may say, “How does one configure uBlock Origin corrrectly” so that the site is broken? That is a good question since no other site I visit is “broken” other than those having adware/malware elements blocked by uBlock. Sites such as CNN, Aljazeera, How-to-Geek, etc. all work fine.

    So . . . scope and sequence.

    1. Tom Hawack said on January 9, 2018 at 7:10 pm
      Reply

      I don’t experience what you relate, jasray. uBlock Origin here is configured to “block all, accept occasionally” (so to say) and I’ve never had the slightest problem. The result in one site accepted (ghacks.net) whilst three are blocked (criteo.net, googlesyndication.com, googletagservices.com).

      Reading you would give the feeling ghacks is I don’t know what sort of empire of ads & trackers which it is not. My analyze is that ghacks includes the strict minimum regarding ads to allow it to pay its bills and that this basic revenue isn’t enough and yet isn’t provided by extras which would relax the financial situation but impact the site’s users. Anyone can check this by himself. Do visit some sites which have 10, 15, 20 or more calls to 3rd-parties and you’ll see what a total lack of respect for the users can possibly be. This is definitely *not* the case here.

    2. Martin Brinkmann said on January 9, 2018 at 6:49 pm
      Reply

      How have you configured uBlock Origin? I think it is a bit harsh to assume that adware or malware is the reason without providing evidence of that.

      1. jasray said on January 9, 2018 at 9:17 pm
        Reply

        No emotion like “harsh.” It’s simply looking at results from tools that are recommended by gHacks.

        Nice, new headline in the news: “Criteo predicts 20+ per cent losses after Apple updates its anti-tracking tech.” Criteo, of course, is one of the Ghostery blocks.

        uBlock Origin is set with all options out-of-the-box vanilla usage.

        The reply was only in relation to why Virus Total may give a low Community Rating. More information needed for readers–great site, though.

        Oh, read the uBlock log for the information you need; it’s much too long and convoluted for audience reading.

      2. Martin Brinkmann said on January 9, 2018 at 9:33 pm
        Reply

        I tested the site with vanilla uBlock and it works fine. I cannot fix the issue without proper information.

  5. Croatoan said on January 9, 2018 at 5:38 pm
    Reply

    Why is Community score for ghacks.net -29 on VirusTotal?

    1. Tom Hawack said on January 9, 2018 at 6:00 pm
      Reply

      This is not in favor of VirusTotal’s reliability. Moreover when anonymous votes are taken into consideration. I wasn’t aware of this Community voting (I visit VirusTotal always quickly to check an application and exit as quickly as I entered).

      1. Croatoan said on January 9, 2018 at 11:38 pm
        Reply

        Google “safety” at work.

    2. Martin Brinkmann said on January 9, 2018 at 5:43 pm
      Reply

      One anonymous user and another user gave an unsafe vote. The anonymous user’s vote had a weight of -28. Just seven seconds between both votes and those have been the only ones.

      1. KeZa said on January 11, 2018 at 5:09 pm
        Reply

        So we ALL here give it a good rating than… but I tried and cannot vote for some reason. But I use Winja for uploading files trough VT. Verry neat program…

        Kz form Belgium

  6. Tom Hawack said on January 9, 2018 at 5:03 pm
    Reply

    Interesting. What does an application perform, where does it link to once it’r run? VirusTotal Graph answers that. As I read this article I also believe it is worth registering a VirusTotal account to access this new feature.

    As far as I know VirusTotal accepts all file formats. If this is true I’ll consider submitting to VirusTotal Graph Firefox extensions because as we know uBlock Origin as a Webextension no longer has the ability to filter extension calls to 3rd-party websites (one has to rely on system-wide filters), and that bothers me (an example of this is the extension called Screengrab! which has been spotted as sending domains of all newly visited sites to discount.s3blog.org.- even if advertisement option is disabled !!!, I checked this myself).

    Nice find, Martin.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.