How To Read Virustotal Results

Dolyetyus (Co Admin), 21 April 2020




Welcome Turkhackteam members. I wanted to write a tutorial about reading and understanding VirusTotal (virustotal.com) results.

It can be complicated to understand what we see in the report section. Just take a look at the following image:

[Image: filereport_1.jpg, annotated file report summary]


Isn't it complicated or annoying? Or even worse, both? Perhaps. Now let's start to examine these parts one by one.

File Reports Summary

1) and 3) The number of VirusTotal partners (antivirus engines) that consider this file harmful (in this case, 44) out of the total number of partners that reviewed the file (in this case, 60).

2) The reputation of the given URL as determined by VirusTotal's Community (registered users). Users sometimes vote on files and URLs submitted to VirusTotal, and these users in turn have a reputation themselves; the community score condenses the votes cast on a given item, weighted by the reputation of the users who cast them. Negative (red) scores indicate maliciousness, whereas positive (green) scores reflect harmlessness. The higher the absolute number, the more you may trust a given score. You can read more about this at: https://support.virustotal.com/hc/en-us/sections/115000737185-Community

4) SHA-256 (a cryptographic hash function) gives a unique identifier for a file, and the security industry uses it to refer unambiguously to a particular threat. For more info see:

5) File name of last submission, and access to search by file names.

6) Tags.

7) The date and time (UTC) of the review.

8) Icon for the file type.

9) Button to reanalyse the file.

10) Multi-similarity: find similar files using different approaches.

11) Search for similar files.

12) Download sample.

13) Explore the file in VirusTotal Graph.


File Reports Details


[Image: filereport2.jpg, annotated file report details]


Now let us look at the file report details section. This part is a bit more detailed.

1) A list of each reviewing partner and their findings. Possible findings are:

Undetected: The given engine does not detect the file as malicious.
Suspicious: The given engine flags the file as suspicious.
Unable to process file type: The given engine does not understand the type of file submitted and so will not produce verdicts for it.
Timeout: The given engine reached VirusTotal's time execution limit when processing the file and so no verdicts were recorded for it.
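As an added example (not code from the original post, and not VirusTotal's own tooling), the script below turns a VirusTotal API v3-style file report into the same summary the web UI shows: the detection ratio from the summary section, the sign and strength of the community score, the UTC analysis date, and the per-engine breakdown using the verdict categories listed above. The report and its engine names and results are constructed for illustration; the field names follow my understanding of the VT v3 file object (`last_analysis_results`, `reputation`, `total_votes`, `last_analysis_date`) and should be treated as an assumption. One convention chosen here: the denominator of the ratio counts only engines that returned a verdict, while engines that timed out or could not process the file type are listed separately. It also shows how the SHA-256 of a local file is computed so you can check that the report you are reading really describes the bytes you have.

```python
"""Summarise a VirusTotal v3-style file report the way the web UI presents it."""
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample bytes; not a real executable.
SAMPLE_BYTES = b"MZ constructed sample, not a real program\n"


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest: the identifier VirusTotal uses to refer to a file."""
    return hashlib.sha256(data).hexdigest()


# Constructed report. The shape mirrors the VT API v3 file object as I
# understand it (assumption); engine names and verdicts are invented.
SAMPLE_REPORT = json.dumps({
    "data": {
        "type": "file",
        "id": sha256_of(SAMPLE_BYTES),
        "attributes": {
            "sha256": sha256_of(SAMPLE_BYTES),
            "reputation": -35,                      # negative = community says malicious
            "total_votes": {"harmless": 2, "malicious": 9},
            "names": ["invoice_2020.exe"],
            "tags": ["peexe", "overlay"],
            "last_analysis_date": 1587427200,       # unix time, UTC
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "malicious", "result": "Win32.Agent"},
                "EngineC": {"category": "undetected", "result": None},
                "EngineD": {"category": "suspicious", "result": "Heur.Suspicious"},
                "EngineE": {"category": "type-unsupported", "result": None},
                "EngineF": {"category": "timeout", "result": None},
            },
        },
    }
})

# Categories that count as "the engine reviewed the file and gave an answer".
VERDICT_CATEGORIES = {"harmless", "undetected", "suspicious", "malicious"}


def verdict_breakdown(results: dict) -> Counter:
    """Count engines per category, as the Details list groups them."""
    return Counter(r.get("category", "unknown") for r in results.values())


def detection_ratio(breakdown: Counter) -> tuple[int, int]:
    """(flagged, reviewed): the 'x / y' figure from the summary section."""
    flagged = breakdown["malicious"]
    reviewed = sum(n for cat, n in breakdown.items() if cat in VERDICT_CATEGORIES)
    return flagged, reviewed


def describe_reputation(score: int) -> str:
    """Map the signed community score to the colour the UI would show."""
    if score < 0:
        return "malicious"
    if score > 0:
        return "harmless"
    return "neutral"


def summarise(report_json: str) -> dict:
    """Build a compact, human-readable summary from a raw report."""
    attrs = json.loads(report_json)["data"]["attributes"]
    results = attrs["last_analysis_results"]
    breakdown = verdict_breakdown(results)
    flagged, reviewed = detection_ratio(breakdown)
    when = datetime.fromtimestamp(attrs["last_analysis_date"], tz=timezone.utc)
    return {
        "sha256": attrs["sha256"],
        "detections": f"{flagged}/{reviewed}",
        "breakdown": dict(breakdown),
        "flagged_engines": {n: r["result"] for n, r in results.items()
                            if r.get("category") == "malicious"},
        "engines_without_verdict": sorted(n for n, r in results.items()
                                          if r.get("category") not in VERDICT_CATEGORIES),
        "community": describe_reputation(attrs["reputation"]),
        "community_confidence": abs(attrs["reputation"]),
        "votes": attrs["total_votes"],
        "names": attrs["names"],
        "tags": attrs["tags"],
        "last_analysis_utc": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
    }


def report_matches_bytes(report_json: str, data: bytes) -> bool:
    """True when the report's SHA-256 is the hash of the bytes you actually hold."""
    return json.loads(report_json)["data"]["attributes"]["sha256"] == sha256_of(data)


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_REPORT), indent=2))
    print("report describes SAMPLE_BYTES:", report_matches_bytes(SAMPLE_REPORT, SAMPLE_BYTES))
```

Run it as-is to see the constructed report summarised as "2/4" detections with two engines listed as having produced no verdict; to use it on a real report, load the JSON returned for a file object and pass it to `summarise`, and hash your local copy with `sha256_of` before trusting that the report is about the same file.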

2) Displays more information about the item being reviewed. For instance, for an Office document file this might list VBA code streams seen in document macros and other file type specific information. Similarly, VirusTotal specific metadata such as first submission and last submission dates, upload file names, etc. are also recorded in this section.

3) VirusTotal's backend generates rich relationships: URLs from which a file has been downloaded, whether a given file has been seen contained in other files, what the parents of a given Portable Executable are, domain to IP address mappings over time, etc.

4) The samples submitted to VirusTotal get executed automatically in a controlled (sandboxed) environment and the actions performed are recorded in order to give the analyst a high level overview of what the sample is doing.

5) Content of the file: strings and hexadecimal content extracted from the file. A preview of the full content is available depending on the file type (PDF, DOCX, etc.).

6) Detailed listing about the submissions of this file with information like origin countries and dates.

7) These are comments made by members of the VirusTotal Community. Most recent comments are listed first. This section also records the votes made by members of the VirusTotal Community on this file or URL.

8) List of Analyses with the detections evolution and the option to click on Previous Analyses.

9) Copy detections as plain text to the clipboard.



Well, I briefly explained the whole reports section. I hope you find this tutorial helpful. Thanks for reading. Have a nice day.