Use Email to scan files on Virustotal
Virustotal, an online virus scanning service operated by Google, is a handy resource to verify that files are clean before you execute them on your devices.
All it takes is to visit the Virustotal website, drop a file from the local system onto the interface, and wait for the scan results to be displayed.
The service is ideal to get a quick overview of a file's reputation. Results are not 100% trustworthy, especially if some engines report hits while others don't; the likelihood of false positives is higher on Virustotal than with any one antivirus engine that you check files against.
Virustotal maintains an email scanning service next to the Web version and the APIs that it provides. You send emails with a file attachment to the service and get a report soon thereafter as a reply.
Here is how that works:
- Create a new email and use [email protected] as the recipient.
- Put Scan in the subject field and leave the body empty.
- Attach a single file to the email.
The reply is sent from the recipient's email address ([email protected]) and uses the subject [VirusTotal] Server notification.
It lists file information -- name, size, md5 and sha1 hashes -- and results of all supported engines. Each engine is listed with its name, version, and last update date.
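The three steps above and the reply's file information, as an added example (not code from the article or from VirusTotal): it builds the message without sending it and checks that a reply quotes the hashes of the file that was attached. The recipient is a placeholder because the address is redacted on this page, and the reply text in the demo is constructed.

```python
import hashlib
import re
from email.message import EmailMessage

# Placeholder: the real scan address is redacted on the page.
SCAN_RECIPIENT = "scan-address@example.invalid"
# Typical provider attachment limit named in the article.
MAX_ATTACHMENT_BYTES = 25 * 1024 * 1024


def build_scan_email(sender, filename, data, recipient=SCAN_RECIPIENT):
    """Return (message, digests) for exactly one attached file."""
    if len(data) > MAX_ATTACHMENT_BYTES:
        raise ValueError(f"{filename}: {len(data)} bytes is over the usual 25 MB limit")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Scan"
    # No set_content() call: the body stays empty, the file is the only part.
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    digests = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }
    return msg, digests


def report_matches(report_text, digests):
    """True only if the reply quotes both the MD5 and SHA-1 recorded at send time."""
    found = set(re.findall(r"\b(?:[0-9a-f]{40}|[0-9a-f]{32})\b", report_text.lower()))
    return digests["md5"] in found and digests["sha1"] in found


if __name__ == "__main__":
    sample = b"constructed sample file contents\n"  # constructed input
    message, sent = build_scan_email("me@example.org", "sample.bin", sample)
    # Constructed reply text; the real report layout is not shown on the page.
    reply = f"File: sample.bin\nMD5: {sent['md5']}\nSHA1: {sent['sha1']}\n"
    print(message["Subject"], sent["size"], report_matches(reply, sent))
```

Recording the digests at send time lets you confirm that a report belongs to the file you attached, which matters when several files are submitted in a short period.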
Email scanning is quite handy at times, e.g. when you are on a mobile and want a file scanned, cannot access the VirusTotal website, or want multiple files scanned in a short period of time.
Third-party applications like Winja VirusTotal Uploader or
The system has several limitations, however:
- Email attachments have a size limit that depends on the email provider, but it is usually 25 Megabytes.
- Some providers, e.g. Gmail, prevent the sending of executable file types. Gmail blocks these even when you zip them.
- Results are limited when compared to the wealth of tools that Virustotal provides, e.g. relations, online calls, and operational details.
Closing Words
It is better, usually, to use Virustotal directly or through a program as you don't run into any of the limitations that way. Sometimes however, email scanning may come in handy.
Now You: Do you use a service like Virustotal?
Virus total email scanning no longer available, please recommend another
All due respect, uploading stuff on VirusTotal is a VERY, VERY poor OPSEC practice.
Anybody that has access to a specific type of licence can download your sample and people will upload invoices, contracts, sensitive stuff that will expose a LOT of data about your company.
So DON’T upload stuff on VT. Instead hash it and check it.
That’s a very interesting remark. I suppose you mean : anybody that has access to a special Virus Total license, a Virus Total paying customer ?
Practical question : how can you hash a file and submit the hash to Virus Total ? On my computer, that’s what happens when I upload something to Virus Total. The program sends a hash, and then, if someone else has not already submitted this file (and that only happens once in a while), it asks me whether I want to upload the file itself.
Now isn’t your remark very theoretical ?
If I want to check a sensitive document, an invoice, a contract, then chances are nobody has already submitted it, and there’s no hash result on file at Virus Total. So I would actually need to send the file itself.
On the other hand, if it has already been submitted and there’s a hash on file, then most likely it’s a software executable downloaded by the thousands on the Internet, or it’s a public pdf report posted on the United Nations website, or something like that. In other words, nothing confidential.
I always do a Virus Total scan before I install anything. There’s often one false positive by an anti-virus with a ridiculous name (or a non-conventional, heuristic one). It sometimes happens that big programs cannot be submitted because they exceed the size limit.
I have a Virus Total option in my right-click menu. Don’t remember how it got there, but it’s very handy.
The option to rely on previous scans by other users through hash comparison (immediate results, once the file has been uploaded), or to ask for a fresh scan anyway (you need to wait a bit) is very convenient.
“I have a Virus Total option in my right-click menu. Don’t remember how it got there”
Probably the same way Google products like Chrome are installed everywhere : by deception.
Does anyone have an alternative to Virustotal context menu integration? You know, how in W10 you can just right-click file and send to get results? Does Winja or anyone else have that??
Searching right now…
As always an easy to read and also an informative article, Martin.
But it leaves me with only one question:
Main Eset internet security software supplies a built-in function which scans incoming email on the presence of all kind of zero-day attacks exploits, hijacks, malware, trojans, virus, etc. etc..
Do you Martin (Or anybody else who knows this) or its necessary with even a relatively good security virus program (Like I think I have) who also scans for all kinds of other malicious things (Like mentioned here above) it’s sometimes necessary to scan, with a second program like the online Virustotal possibility?
I like Virustotal as a second-opinion scanner. Say, Eset does not detect anything but you want confirmation that a file is clean before you execute it on your system. A scan on VT could give you the reassurance that it is probably safe to run.
Jotti’s malware scan offers an alternative to Google (Virustotal): https://virusscan.jotti.org/
I know this one also, but the file upload seems quite slow and file size is 20 M max :
http://virscan.org/
@Anonymous: I agree.
… but of course GOOGLE is also harvesting your email address for its permanent records & correlation databases
Google makes it so very easy to hand over your private data – this is yet another example.
;)