What is VirusTotal? The Online Malware Scanner in Detail
VirusTotal is a free online service that analyses suspicious files and URLs for malware by scanning them with 70+ antivirus engines and checking them against URL/domain blocklists and other threat-intelligence sources. It is an essential tool for security professionals who need a fast second opinion on a potential threat.
VirusTotal was founded in 2004 and acquired by Google in 2012; since 2018 it has been run under Chronicle, which is now part of Google Cloud. It offers both a web interface and a REST API (v3) for automated scanning.
Why Does VirusTotal Matter?
1. Multiple Antivirus Engines
A file is scanned by 70+ engines at once. If one engine misses it, the other 69 may still catch it, which gives a much higher detection rate than any single antivirus. One caveat: VirusTotal runs command-line versions of the engines, usually without the vendor's cloud lookups and behavioural components, so a miss on VirusTotal does not mean the vendor's endpoint product would miss it too, and vice versa.
2. Threat Intelligence
VirusTotal collects threat data from millions of submissions, giving visibility into emerging threats and widespread malware campaigns.
3. Community Context
Users can comment on and vote for files and URLs and add context. This helps distinguish false positives from real threats.
4. Free API Access
The free tier allows 500 requests per day (4 per minute), enough for most personal and small-business use cases. Paid tiers are available for higher volume.
Using the VirusTotal Web Interface
Scan Files
- Visit https://www.virustotal.com
- Drag and drop the file, or click to upload it
- Wait for the scan results (seconds for a file that is already known, longer for a new upload)
- Review the detection ratio and the detailed results
Scan URLs
- Submit the URL through the web interface
- Check the reputation and the scan results
- VirusTotal checks the URL against blocklists and URL scanning engines
Search by Hash
If you already have a hash, search for it directly instead of uploading the file: a hash search discloses nothing but the hash.

```text
# Already have a file hash? Search for it directly (MD5, SHA-1 or SHA-256)
https://www.virustotal.com/gui/file/{hash}
# Domains and IP addresses have their own report pages
https://www.virustotal.com/gui/domain/{domain}
https://www.virustotal.com/gui/ip-address/{ip}
```
VirusTotal API
Get an API Key
- Sign up at https://www.virustotal.com
- Open your profile menu and choose API key
- Copy the key and keep it out of source control (an environment variable or a secret store, not a hard-coded string)
Python Integration
```python
import base64
import requests

VT_API_KEY = "your_api_key_here"  # better: os.environ["VT_API_KEY"]; never commit a real key
VT_URL = "https://www.virustotal.com/api/v3"

headers = {"x-apikey": VT_API_KEY}


# Upload a file for scanning. The response is an analysis object, not a report:
# poll GET /analyses/{id} until "status" is "completed", then read the file report.
def scan_file(file_path):
    with open(file_path, "rb") as f:
        files = {"file": (file_path, f)}
        response = requests.post(f"{VT_URL}/files", headers=headers, files=files)
    response.raise_for_status()
    return response.json()


# Get the report for a hash (MD5, SHA-1 or SHA-256). A 404 means VirusTotal
# has never seen the file, which is not the same as the file being clean.
def get_file_report(file_hash):
    response = requests.get(f"{VT_URL}/files/{file_hash}", headers=headers)
    if response.status_code == 404:
        return None
    response.raise_for_status()
    return response.json()


# Submit a URL for scanning (form-encoded body, not JSON). Also returns an analysis object.
def scan_url(url):
    response = requests.post(f"{VT_URL}/urls", headers=headers, data={"url": url})
    response.raise_for_status()
    return response.json()


# URL reports are addressed by the base64url encoding of the URL with the "="
# padding removed (the SHA-256 of the URL works as well).
def url_to_id(url):
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def get_url_report(url_id):
    response = requests.get(f"{VT_URL}/urls/{url_id}", headers=headers)
    response.raise_for_status()
    return response.json()


# Example: get_url_report(url_to_id("https://example.com"))
```
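The functions above are the raw calls; what a practitioner actually needs is the workflow around them. As an added example that is not the article's code, the client below looks the SHA-256 up before uploading (one request, and nothing but the hash leaves your machine), treats a 404 as "unknown" rather than "clean", uploads only when the hash is unknown, polls `/analyses/{id}` until the analysis completes, and backs off on HTTP 429 (the free tier allows 4 requests/minute). It also provides the base64url identifier that `get_url_report` needs. The class and function names, the retry intervals and everything in `FakeSession` are this example's own assumptions: `FakeSession` is a constructed stand-in for the network so `demo()` runs offline without an API key, and `requests` is imported only when no session is supplied.

```python
import base64
import hashlib
import os
import tempfile
import time

VT_URL = "https://www.virustotal.com/api/v3"

def sha256_of(path):
    """Hash in 1 MiB chunks so a large artifact never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def url_id(url):
    """v3 addresses a URL report by the base64url form of the URL with '=' padding stripped."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")

class VTClient:
    def __init__(self, api_key, session=None, sleep=time.sleep):
        if session is None:  # real traffic needs requests; the offline demo below does not
            import requests
            session = requests.Session()
        session.headers["x-apikey"] = api_key
        self.session, self.sleep = session, sleep

    def _request(self, method, path, **kw):
        # 429 = rate limited (free tier: 4/min): back off and retry rather than burn quota
        for attempt in range(1, 5):
            resp = self.session.request(method, VT_URL + path, **kw)
            if resp.status_code != 429:
                return resp
            self.sleep(15 * attempt)
        resp.raise_for_status()  # still rate-limited after four tries: surface the error

    def file_report(self, sha256):
        resp = self._request("GET", f"/files/{sha256}")
        if resp.status_code == 404:
            return None  # never submitted: "unknown", which is not the same as "clean"
        resp.raise_for_status()
        return resp.json()["data"]

    def wait_for_analysis(self, analysis_id, poll_seconds=20, max_polls=15):
        for _ in range(max_polls):
            resp = self._request("GET", f"/analyses/{analysis_id}")
            resp.raise_for_status()
            attrs = resp.json()["data"]["attributes"]
            if attrs["status"] == "completed":
                return attrs["stats"]
            self.sleep(poll_seconds)
        raise TimeoutError(f"analysis {analysis_id} not completed after {max_polls} polls")

    def scan_path(self, path):
        """Return (source, stats): 'cache' when the hash was already known, 'upload' otherwise."""
        report = self.file_report(sha256_of(path))
        if report is not None:
            return "cache", report["attributes"]["last_analysis_stats"]
        with open(path, "rb") as f:
            resp = self._request("POST", "/files", files={"file": (os.path.basename(path), f)})
        resp.raise_for_status()
        return "upload", self.wait_for_analysis(resp.json()["data"]["id"])

class _Resp:
    def __init__(self, status_code, body=None):
        self.status_code, self._body = status_code, body or {}
    def json(self):
        return self._body
    def raise_for_status(self):
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}")

class FakeSession:
    """Constructed offline transport (not VirusTotal data): one known hash; any other hash is a
    404, and its analysis is 'queued' on the first poll and 'completed' on the second."""
    def __init__(self, known_sha256):
        self.headers, self.known, self.polls = {}, known_sha256, 0
    def request(self, method, url, **kw):
        if method == "GET" and url.endswith(f"/files/{self.known}"):
            return _Resp(200, {"data": {"attributes": {"last_analysis_stats": {"malicious": 62, "undetected": 9}}}})
        if method == "GET" and "/files/" in url:
            return _Resp(404, {"error": {"code": "NotFoundError"}})
        if method == "POST" and url.endswith("/files"):
            return _Resp(200, {"data": {"type": "analysis", "id": "fake-analysis-id"}})
        if method == "GET" and url.endswith("/analyses/fake-analysis-id"):
            self.polls += 1
            status = "completed" if self.polls >= 2 else "queued"
            return _Resp(200, {"data": {"attributes": {"status": status, "stats": {"malicious": 0, "undetected": 71}}}})
        return _Resp(500)

def demo():
    """Exercise both paths against the fake transport; returns the two (source, stats) pairs."""
    with tempfile.TemporaryDirectory() as d:
        known, fresh = os.path.join(d, "known.bin"), os.path.join(d, "fresh.bin")
        for path, data in ((known, b"MZ constructed known sample"), (fresh, b"MZ constructed fresh build")):
            with open(path, "wb") as f:
                f.write(data)
        client = VTClient("fake-key", FakeSession(sha256_of(known)), sleep=lambda s: None)
        return client.scan_path(known), client.scan_path(fresh)
```

Against the real API, `VTClient(os.environ["VT_API_KEY"]).scan_path("build/app.exe")` is all a caller needs. The hash-first order is deliberate: it is the difference between leaking a hash and leaking a file, and the `None` from `file_report` is the signal to decide whether uploading is acceptable at all for that file.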
CLI Tool (vt-cli)
```bash
# Install vt-cli. It is a Go binary, not a pip package: download a release from
# https://github.com/VirusTotal/vt-cli/releases (on macOS: brew install virustotal-cli).
# The Python library is a separate project: pip install vt-py

# Store your API key (prompts for it and saves it in a config file in your home directory)
vt init
# Scan a file
vt scan file /path/to/file
# Get file report
vt file {file_hash}
# Scan a URL
vt scan url https://example.com
# Get URL report
vt url https://example.com
# Get domain report
vt domain example.com
# Get IP report
vt ip 8.8.8.8
```
Reading VirusTotal Output
Detection Results
The ratio VirusTotal shows is the number of engines reporting "malicious" over the number of engines that actually scanned the file. Rough bands:
| Result | Meaning |
|---|---|
| 0/71 | No detections – but "unknown to VirusTotal" and "clean" are not the same thing |
| 1-5/71 | Suspicious – often a false positive or a generic/heuristic hit; check which engines fired |
| 6-20/71 | Likely malicious – investigate |
| 21+/71 | Almost certainly malicious – treat as a threat |
These bands are rules of thumb. Which engines fire, and whether they agree on a family name, matters more than the raw count, and engines reported as type-unsupported or timeout did not scan the file and should not be in the denominator.
Sample Detection Output
```text
Detection ratio: 62/71
Engines detecting:
- Kaspersky: Trojan.GenericKD.47678496
- McAfee: Artemis!A3B2C4D5E6F7
- Microsoft: Trojan:Win32/Sabsik.E!cl
- Symantec: ML.NET:5.0[mod]
... (58 more)
File details:
- SHA256: a3b2c4d5e6f7... (first 20 chars)
- File type: PE32 executable (GUI) Intel 80386
- File size: 1.2 MB
- Creation time: 2024-01-15 10:30:00 UTC
```
Detection Names Explained
Vendors use different naming schemes (Microsoft: Type:Platform/Family.Variant!suffix, e.g. Trojan:Win32/Sabsik.E!cl; Kaspersky and BitDefender: Type.Family.Variant; ESET: "a variant of Platform/Family.Variant"), but the leading token usually tells you the class of threat:
| Prefix | Meaning |
|---|---|
| Trojan | Malicious payload disguised as, or bundled with, something benign |
| Backdoor | Remote-access / command-and-control capability |
| Spyware | Credential or data theft |
| Adware | Ad-injecting or ad-fraud software |
| PUP / PUA | Potentially Unwanted Program: not malware, but flagged (toolbars, bundlers, cracks) |
| Generic / Heur / ML / Artemis / Malware-gen | Generic, heuristic or machine-learning detection: the engine matched a pattern, not a known family, so the name carries little context and is more prone to false positives |
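Putting the two tables above into code, as an added example that is not from the article: `triage()` takes a `last_analysis_results` block as returned by `GET /files/{hash}`, recomputes the ratio with a denominator that excludes engines that did not scan (type-unsupported, timeout), applies the bands from the detection-ratio table, separates generic/heuristic names from names that point at a family, and votes on the family across the vendors' different naming formats. `SAMPLE_RESULTS` is constructed for this example (the first four names are the ones in the sample output above; the rest are typical vendor formats), and `GENERIC_MARKERS` and `NOISE_TOKENS` are this example's own heuristics, not a VirusTotal feature; expect to extend them for the engines you see most.

```python
import re
from collections import Counter

# Constructed sample, not real VirusTotal data: shaped like "last_analysis_results".
SAMPLE_RESULTS = {
    "Kaspersky":   {"category": "malicious", "result": "Trojan.GenericKD.47678496"},
    "McAfee":      {"category": "malicious", "result": "Artemis!A3B2C4D5E6F7"},
    "Microsoft":   {"category": "malicious", "result": "Trojan:Win32/Sabsik.E!cl"},
    "Symantec":    {"category": "malicious", "result": "ML.NET:5.0[mod]"},
    "ESET-NOD32":  {"category": "malicious", "result": "a variant of Win32/Sabsik.E"},
    "BitDefender": {"category": "malicious", "result": "Trojan.GenericKD.47678496"},
    "Avast":       {"category": "malicious", "result": "Win32:Malware-gen"},
    "ClamAV":      {"category": "undetected", "result": None},
    "Sophos":      {"category": "undetected", "result": None},
    "TrendMicro":  {"category": "undetected", "result": None},
    "SymantecMobileInsight": {"category": "type-unsupported", "result": None},
    "Zoner":       {"category": "timeout", "result": None},
}

# Categories meaning "this engine produced no verdict": keep them out of the
# denominator so the sample is reported as 7/10, not 7/12.
NOT_SCANNED = {"type-unsupported", "timeout", "failure", "confirmed-timeout"}

# Substrings that mark a heuristic / machine-learning / generic detection name (example heuristic).
GENERIC_MARKERS = ("generic", "artemis", "ml.", "malware-gen", "heur", "susgen", "suspicious")

# Tokens that never identify a family: threat classes, platforms and vendor filler (example heuristic).
NOISE_TOKENS = {"trojan", "backdoor", "virus", "worm", "win32", "win64", "msil", "generic",
                "generickd", "gen", "malware", "heur", "variant", "agent", "artemis", "net", "mod"}


def is_generic(name):
    return any(marker in name.lower() for marker in GENERIC_MARKERS)


def family_tokens(name):
    """Split a vendor name on its separators and keep only family-like tokens."""
    keep = []
    for tok in re.split(r"[^A-Za-z0-9]+", name):
        t = tok.lower()
        if len(t) < 3 or t in NOISE_TOKENS:
            continue  # variant letters ("E"), "cl", platform and class tags
        if t.isdigit() or re.fullmatch(r"[0-9a-f]{8,}", t):
            continue  # signature numbers and hash-like suffixes
        keep.append(t)
    return keep


def band(malicious):
    """Detection-ratio bands from the table above."""
    if malicious == 0:
        return "clean"
    if malicious <= 5:
        return "suspicious"
    if malicious <= 20:
        return "likely malicious"
    return "highly malicious"


def triage(results):
    cats = Counter(r["category"] for r in results.values())
    scanned = sum(n for c, n in cats.items() if c not in NOT_SCANNED)
    malicious = cats["malicious"]
    specific = sum(1 for r in results.values()
                   if r["category"] == "malicious" and r["result"] and not is_generic(r["result"]))
    votes = Counter()
    for r in results.values():
        if r["category"] in ("malicious", "suspicious") and r["result"]:
            votes.update(set(family_tokens(r["result"])))  # one vote per engine
    return {
        "ratio": f"{malicious}/{scanned}",
        "band": band(malicious),
        "specific_detections": specific,  # names that point at a family rather than a heuristic
        "families": votes.most_common(3),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RESULTS))
```

On the sample the ratio is 7/10 rather than 7/12, the band is "likely malicious", only two engines (Microsoft, ESET) name a specific family, and that family (Sabsik) is the consensus. The useful output for a ticket is the family name and the number of specific detections, not the bare ratio: five generic hits with no family agreement reads very differently from five engines agreeing on one name.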
VirusTotal Intelligence
File Behaviour Analysis
- Sandbox execution reports (several sandboxes, shown under the Behavior tab)
- Network connections made (DNS lookups, HTTP requests, contacted IPs)
- Files created, modified or dropped
- Registry modifications (Windows)
- Mutexes created
Crowdsourced Info
- Community votes (harmless / malicious)
- Comments from the community
- Threat names from all vendors, summarised into a popular threat label
- File prevalence (first seen, last seen, submission counts)
Retrohunt
VirusTotal Intelligence subscribers can run YARA rules over the historical file corpus (Retrohunt) or against new submissions as they arrive (Livehunt), find similar files, and trace malware families.
VirusTotal for Website Security
URL Scanning
```bash
# Submit a URL for scanning: this is a POST with a form field, not a GET.
# The response is an analysis object whose id you can poll at /analyses/{id}.
curl -s -X POST "https://www.virustotal.com/api/v3/urls" \
  -H "x-apikey: YOUR_API_KEY" \
  --form "url=https://suspicious-site.com"

# Fetch the report for a URL. The identifier is the base64url encoding of the
# URL with the "=" padding stripped (tr -d '\n' keeps base64 from line-wrapping).
URL_ID=$(printf '%s' "https://suspicious-site.com" | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '=')
curl -s "https://www.virustotal.com/api/v3/urls/$URL_ID" \
  -H "x-apikey: YOUR_API_KEY"
```
The report (abridged) carries one entry per URL scanner plus aggregate counts; real output also has "harmless" and "timeout" buckets:
```json
{
  "data": {
    "attributes": {
      "last_analysis_results": {
        "Dr.Web": {"category": "malicious", "result": "Trojan.Sphinx"},
        "GoogleSafebrowsing": {"category": "malicious", "result": "SOCIAL_ENGINEERING"}
      },
      "last_analysis_stats": {
        "malicious": 15,
        "suspicious": 3,
        "undetected": 53
      }
    }
  }
}
```
Domain Reputation Check
```bash
# Get a domain report
curl -s "https://www.virustotal.com/api/v3/domains/{domain}" \
  -H "x-apikey: YOUR_API_KEY"
# The report includes:
# - WHOIS data
# - Passive DNS (historical resolutions, via the resolutions relationship)
# - Threat categories assigned by URL scanners
# - Community reputation score and last_analysis_stats
```
Integration Examples
CI/CD Pipeline Integration
```bash
#!/bin/bash
# scan-artifact.sh: fail the pipeline if a build artifact is known-malicious on VirusTotal.
# Hash lookup only: the artifact itself is never uploaded.
set -euo pipefail
ARTIFACT="$1"
# Prefer the environment (CI secret store) over a positional argument, which shows up in ps and job logs
VT_API_KEY="${VT_API_KEY:-${2:-}}"
[ -n "$VT_API_KEY" ] || { echo "usage: $0 <artifact> (VT_API_KEY in the environment)" >&2; exit 2; }

FILE_HASH=$(sha256sum "$ARTIFACT" | cut -d' ' -f1)

# Append the HTTP status after the body so a 404 (hash never seen) is distinguishable from a real report
RESPONSE=$(curl -s -w '\n%{http_code}' "https://www.virustotal.com/api/v3/files/$FILE_HASH" \
  -H "x-apikey: $VT_API_KEY")
HTTP_CODE=$(printf '%s\n' "$RESPONSE" | tail -n1)
REPORT=$(printf '%s\n' "$RESPONSE" | sed '$d')

if [ "$HTTP_CODE" = "404" ]; then
  echo "INFO: $FILE_HASH is unknown to VirusTotal (no report; this is not proof it is clean)"
  exit 0
elif [ "$HTTP_CODE" != "200" ]; then
  echo "ERROR: VirusTotal returned HTTP $HTTP_CODE" >&2
  exit 2
fi

MALICIOUS_COUNT=$(printf '%s\n' "$REPORT" | jq -r '.data.attributes.last_analysis_stats.malicious // 0')
if [ "$MALICIOUS_COUNT" -gt 0 ]; then
  echo "ALERT: artifact $FILE_HASH flagged by $MALICIOUS_COUNT engines"
  exit 1
fi
echo "Artifact $FILE_HASH has no detections"
```
Email Attachment Scanning
```python
# Scan attachments before processing them (official vt-py client: pip install vt-py)
import os
import vt

client = vt.Client(os.environ["VT_API_KEY"])
try:
    with open("attachment.pdf", "rb") as f:
        # wait_for_completion=True blocks until the analysis finishes, which can take minutes
        # for a new file: in a mail pipeline run this from a worker (or use the *_async
        # variants), never inline in the MTA, and look the SHA-256 up first so known
        # files are not re-uploaded
        analysis = client.scan_file(f, wait_for_completion=True)
    malicious_count = analysis.stats["malicious"]
finally:
    client.close()

if malicious_count > 0:
    quarantine_attachment()  # your own handlers: hold the message and page the security team
    alert_security_team()
```
YARA Rules Integration
```yara
// Example rule for a hypothetical family; replace the strings with indicators
// taken from your own samples.
rule Ransomware_A {
    strings:
        $magic = { 4D 5A }                                  // "MZ": PE header
        $ransom_note = "YOUR_FILES_ARE_ENCRYPTED" ascii
        $encrypt_func = "CryptEncrypt" ascii                // Windows CryptoAPI import name; present in many benign PEs too
    condition:
        $magic at 0 and 2 of ($ransom_note, $encrypt_func)  // both strings required; the ransom note is what makes the rule specific
}
```
Test the rule locally against known samples and a corpus of clean files (`yara -r rule.yar samples/`) before spending hunting quota on it: a rule that fires on `CryptEncrypt` alone would match a large share of legitimate Windows software. Searching for matches across the VirusTotal corpus requires a VirusTotal Intelligence (premium) subscription: upload the rule in the Hunting section as a Retrohunt job (historical files) or a Livehunt ruleset (new submissions); vt-cli also exposes these (`vt retrohunt --help`).
VirusTotal Limitations
| Limitation | Description |
|---|---|
| File size | 650 MB maximum upload (the API hands out a special upload URL for files over 32 MB) |
| Rate limits | Free: 500 requests/day, 4/minute; hash lookups count too |
| Delay | Reports can be stale: an old last_analysis_date means newer signatures were never applied; request a reanalysis when it matters |
| False negatives | New or targeted malware can be missed by every engine; 0 detections is not proof of cleanliness |
| Privacy | Uploaded files are shared with antivirus vendors and Intelligence subscribers, so never upload documents containing secrets or personal data; look up the hash instead |
Best Practices
- Use it as a second opinion – not as your only detection method
- Check community feedback – comments often explain false positives
- Look up the hash before uploading – it saves quota and keeps the file private
- Correlate with other sources – combine static detections with sandbox behaviour
- Map relationships – VT Graph links a file to the domains, IPs and dropped files it is connected to; Livehunt can notify you when new submissions match your YARA rules
VirusTotal Alternatives
| Service | Strengths |
|---|---|
| Hybrid Analysis | Deep behavioural analysis, free sandbox |
| ANY.RUN | Interactive sandbox: you drive the sample |
| Joe Sandbox | Comprehensive analysis, YARA hunting |
| URLhaus (abuse.ch) | Malware-distribution URLs, free feeds |
Conclusion
VirusTotal is an essential tool in any security toolkit. It provides quick, broad malware scanning across 70+ engines, which makes it invaluable for initial threat assessment. Combine it with local scanners (ClamAV, rkhunter) and behavioural analysis to build a comprehensive detection capability.
Key takeaway: use VirusTotal as one part of a multi-source verification strategy. A low detection count can still mean malicious (new malware, or engines that have not caught up yet), and a high one can be a false positive (legitimate software, packers or installers flagged incorrectly), so read which engines fired and what they called it, not just the number.