Lumifi has been working with leaders in malware detection and threat intelligence for years. As we launch our cloud-native Managed Detection and Response offering with Google Chronicle, we are also integrating with VirusTotal.
Read our comprehensive guide to VirusTotal and its free and enterprise features.
What is VirusTotal?
Google’s VirusTotal is a web-based scanner that uses over 70 antivirus engines and URL/blacklisting services, among other tools, to extract signals from submitted content. VirusTotal accepts file and URL submissions, and its dataset is searchable.
Submissions can be made via the public web interface, a desktop uploader, a browser extension, or the programmatic API.
Upon submitting content to VirusTotal, basic results are shown to the submitter and shared with examining partners who use the results in their own systems. Submissions contribute directly to the VirusTotal security community.
VirusTotal was created by Spanish security company Hispasec Sistemas, launched in 2004. It was acquired by Google in 2012 and was moved under Chronicle in 2018.
Results & Real-Time Updates
VirusTotal tells users whether they have submitted a malicious file and also displays each engine’s detection label. Some engines provide additional information, such as whether a given URL belongs to a certain botnet or which brand a phishing site targets.
VirusTotal uses the latest signature sets to detect malware. As soon as a contributor blacklists a URL, the change is immediately reflected in user-facing verdicts.
A unique aspect of VirusTotal is its community features. Data is ingested not only from antivirus engines, scanners, file inspection tools, and URL analyzers, but also from the VirusTotal community.
The platform lets the antivirus industry, security professionals, malware researchers, and others collaborate. Votes and reputation scores help surface the most reliable and helpful answers.
Joining the community gives members access to the VirusTotal public API, so they can write scripts to automate scans and lookups.
Users can rate and comment on files and websites. Comments range from disinfection instructions to reverse engineering reports.
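A minimal version of such a lookup script, added here as an example (not Lumifi’s or VirusTotal’s own code): it builds the v3 `files` request, reduces a report to the detection ratio and per-engine labels described above, and runs offline against a constructed sample report. The hash, filenames and `EngineA`..`EngineE` names are made up.

```python
"""Hash lookup against the VirusTotal v3 API plus verdict summarisation. Added
example, not Lumifi's or VirusTotal's code; assumes the v3 file-object layout."""
import json
import urllib.error
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"

def build_file_request(sha256: str, api_key: str) -> urllib.request.Request:
    """GET /files/{hash}; the key travels in the x-apikey header, not the URL."""
    return urllib.request.Request(f"{VT_API}/files/{sha256}",
                                  headers={"x-apikey": api_key})

def summarise(report: dict) -> dict:
    """Reduce a v3 file object to a detection ratio plus per-engine labels."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    # Denominator: only engines that returned a verdict (timeouts/unsupported excluded).
    voted = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    flagged = {name: r.get("result") for name, r in attrs["last_analysis_results"].items()
               if r.get("category") in ("malicious", "suspicious")}
    return {"sha256": attrs["sha256"], "ratio": f"{stats.get('malicious', 0)}/{voted}",
            "first_seen": attrs.get("first_submission_date"),
            "names": attrs.get("names", []), "flagged_by": flagged}

def lookup(sha256: str, api_key: str) -> "dict | None":
    """Fetch and summarise a live report; None means VirusTotal has no record (404)."""
    try:
        with urllib.request.urlopen(build_file_request(sha256, api_key)) as resp:
            return summarise(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

# Constructed sample shaped like a v3 /files response; every value is made up.
SAMPLE_REPORT = {"data": {"type": "file", "id": "ab" * 32, "attributes": {
    "sha256": "ab" * 32, "first_submission_date": 1700000000, "names": ["invoice.exe"],
    "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 2,
                            "harmless": 0, "timeout": 0, "type-unsupported": 1},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
        "EngineB": {"category": "malicious", "result": "Malware.Heuristic"},
        "EngineC": {"category": "undetected", "result": None},
        "EngineD": {"category": "undetected", "result": None},
        "EngineE": {"category": "type-unsupported", "result": None}}}}}

if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_REPORT), indent=2))
```

For a live query, call `lookup(sha256, api_key)` with a key from your VirusTotal account; the public tier is rate-limited, so batch lookups should pace their requests.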
Although VirusTotal is a Google product, it aggregates information from many industry services, such as antivirus products, domain scanning engines, behavioral analysis solutions, and file characterization tools.
VirusTotal is independent of any one agency or product. It makes clear that it is not tied to any company or individual in any way, so that results are unbiased. It also does not claim responsibility for false positives produced by any of these resources.
You can find a complete list of contributing products here.
Chronicle now offers enterprise features with VirusTotal. While the licensing can get quite expensive, the features greatly aid in threat hunting and forensic investigations.
VT Intelligence offers large-scale search capabilities, built on Google’s infrastructure, with in-depth characterization of malware. Users can search VirusTotal’s dataset of 2.4 billion files at record speed.
VT Hunting uses YARA and the VirusTotal database to track the evolution of threat actors and malware families, and to automatically generate IoCs.
Users can be notified whenever a YARA rule matches and receive in-depth information on the matches, including the pertinent files for offline study.
VT Graph visualizes VirusTotal’s massive database: analysts can see the connections between files, URLs, domains, IP addresses and other items during investigations.
The tool uses icons for file types, countries, and other visual cues so that patterns are easier to spot.
VT Monitor allows users to scan files periodically against the latest antivirus signature sets, and to receive alerts when one of their tracked files changes.
VirusTotal Premium API
The VT API allows users to automate reports and tasks through programmatic access to VirusTotal. The premium API has the following advantages over the public API:
- Pick a request rate and daily quota
- Reports extra data such as VBA code stream warnings, source metadata, ExifTool output, IDS output for recorded network traces, etc.
- Includes metadata exclusive to VirusTotal, such as the first submission date of a given file, the list of file names associated with a submission, submission countries, prevalence, etc.
- Gives access to behavior details for files produced by executing Windows PEs, DMGs, Mach-Os, and APKs in a virtualized sandbox environment
- Exposes whitelisting and trusted source information
- Allows users to perform complex search sample queries
- Exposes file clustering and similar search calls
- Enables the download of submitted samples for further research, along with network traffic captures they generate upon execution and detailed execution reports
- A Service Level Agreement (SLA) that guarantees availability and readiness of data
Google Chronicle + Lumifi
Lumifi has been providing best-in-class managed detection and response services for over a decade. Our newest cloud-native solution with Chronicle is a continuation of our dedication to providing white glove consultative services with world-class results.
We have assisted our clients in using cloud-native solutions for a hybrid or complete cloud architecture. Choosing an MSSP with a consultative approach will ensure your organization picks the solution that best fits your business operations and future goals.
Partnering with Google gives our talented team of security engineers and analysts access to unparalleled threat intelligence and forensic abilities within our clients’ networks. Queries are speedy and increase efficiency. Chronicle and Lumifi are also aligned with the MITRE ATT&CK framework.
If your organization is considering Google Chronicle, contact us for a no-cost consultation to see if Lumifi is right for you.
We have experience migrating, building from scratch, and hybridizing cloud security, as well as serving as a complete outsourced SOC or in a co-managed environment.