How to scan suspicious files, links, and domains with VirusTotal

Last update: 09/09/2025
Author: Isaac
  • VirusTotal offers multi-engine reputation and context for files, URLs, and domains.
  • Interpret Detection/Details/Relations/Community to decide wisely.
  • In Google Workspace, reports add signals without sharing files (only hashes).
  • The Enterprise version provides multi-angle detection, graph and related IOCs.

Scanning files with VirusTotal

If you handle downloads, attachments or links on a daily basis, sooner or later you will come across something that arouses suspicion; at that moment, VirusTotal becomes your best ally to make an informed decision and check whether a downloaded file is safe before executing anything. Its approach is simple but extremely powerful: cross-reference an item with dozens of security engines and intelligence sources to estimate its reliability.

Even so, it is advisable to be clear about the rules of the game: it is not a real-time antivirus, it does not disinfect, and it can throw false positives or, on the contrary, fail to detect malware designed to evade controls. The goal of this guide is to help you get the most out of VirusTotal (files, URLs, and domains) and to help you read the results so you can make informed decisions.

What is VirusTotal and what can you analyze?

VirusTotal was born as a Spanish project and is now part of Google Cloud; its mission is to enrich security research with context and threat reputation. It works from the browser (any operating system) and also has an Android app, so you can use it without installing additional software on your computer.

Its main advantage is the multiplicity of analysis engines. It typically works with more than 70 antivirus and reputation services, and depending on the module and the time, you'll see references to 90+ engines or even more than 100 tools, including sandboxes and community detection rules. This "multi-engine" approach raises the bar compared to scanning with a single product.

In practice you can submit three types of artifacts: files (File), URLs, and network resources (domains/IPs). With each submission, the platform generates a report that includes the vendors who flagged the item as malicious, along with technical metadata, relationships with other IOCs, and community feedback.

Another distinguishing feature is the community of analysts and users, which adds comments and findings; along with telemetry from multiple sources, this provides contextual signals about campaigns, related infrastructure, and the potential origin of a threat.


Advantages, limits and precautions

Among the advantages is the use of dozens of concurrent security engines, which reduces the risk of missing malware families that a single antivirus would miss. In addition, the databases are updated very frequently, so the results are usually very up-to-date.

It is also a fast and free service, accessible from any browser and platform, allowing you to get answers without installing tools. Added to this is the wealth of its reports: observed behavior, network connections, signatures, file metadata, and community score.

On the other side of the scale: VirusTotal does not protect in real time. It doesn't monitor the system or block processes. It's a proactive, point-in-time scanner. False positives (one engine alerts and the others don't) and false negatives can occur if the malware is designed to evade automatic scanning.

In addition, you must consider metadata exposure and know what type of file you are submitting. As a rule, submissions contribute to the research ecosystem. In corporate environments, the Google Workspace integration minimizes this by only sharing hashes when the administrator chooses to view a report, but it's important to understand what's being shared in each flow.

With these premises in mind, the key is to interpret the report judiciously and combine it with other security layers (local antivirus, EDR, IDS/IPS, and hardening policies) to make informed decisions.

Analyze a file with the "File" tab

To get started, go to the File tab, choose the file from your computer and press the blue “Confirm upload” button to upload it. You can upload binaries, office documents, and compressed archives, among others. The service will submit the sample to multiple antivirus engines and other reputation sources.

Once finished, a header is displayed with the number of engines that flagged a detection. If a provider detects it, you'll see the details in the "Detection" tab, which lists the family names or heuristics reported by each engine.

In “Details” you will find metadata: file type, hashes (MD5, SHA-1, SHA-256), size, dates (compilation, modification) and other triage-friendly information. The "Relations" tab maps connections to other artifacts (downloaders, C2 servers, related URLs, sibling files). Finally, "Community" aggregates comments from other users.

The engines used include industry classics. For example, many reports include names like Avira, Kaspersky, Microsoft, ESET, Bitdefender and more. Here's a representative list of common file scanning engines:

  • Ad-Aware
  • AhnLab-V3
  • Avast Mobile
  • Avira
  • Bitdefender
  • ESET-NOD32
  • F-Secure
  • Fortinet
  • Kaspersky
  • Malwarebytes
  • McAfee
  • Microsoft
  • Panda
  • Sophos AV
  • Symantec
  • Trustlook
  • TrendMicro
  • GData
  • Comodo
  • AVG
  • Avast

When only one or two engines are red and the rest are clean, it could be a false positive. If several engines agree and name specific families, the suspicion gains weight. As a practical rule, do not run anything if there are detections, even if they are few, and compare it with your local antivirus or perform a secure sandbox analysis.


Analyze URLs before entering

The URL tab allows you to paste a link and submit it to more than 70 reputation engines and lists. This is especially useful for protecting online purchases, corporate logins, or campaigns with shortened links.

In the report you will see how many engines consider the address malicious; if only a couple alert and the rest do not, you may be facing a possible false positive. The “Detection” tab summarizes the distribution of results, and “Details” provides metadata about the server, technology, observed trackers, and meta tags.

If there are comments in “Community”, read them: sometimes other users contribute context on recent incidents or confirm harmlessness. Use this as an additional signal, not the sole criterion.

Search: domains, IPs and additional context

The Search module allows you to enter a URL, domain, or IP address to obtain reputation context; after analyzing a domain, the header may indicate, for example, the number of URLs under that domain visible in the VirusTotal dataset.

You will find signals such as the popularity ranking on Cisco Umbrella, the most recently used DNS servers, the most recent HTTPS certificate (with issuer, fingerprint, and validity), and domain registration information (WHOIS). You'll even see what's indexed on Google for that domain.

This data is gold for investigating possible links: pivot from a hash to its download domain, view shared certificates, or block domains related to a campaign your team detected early on.


How to interpret tabs and report results

  • “Detection” brings together the view of the engines. Not all of them score equally: some tend to be more aggressive with heuristics, others more conservative. Consistency across multiple providers and the appearance of known family names boost confidence.
  • “Details” is your technical sheet: hashes, size, MIME type, dates, digital signature, permissions (on Android), macros in documents, etc. This view provides identifiers to share with other analysts and to search for correlations in SIEM/EDR.
  • “Relations” draws the graph: which URLs host the file, which IPs it contacts, what other files it downloaded or was downloaded by. It is the starting point for cutting off related infrastructure (perimeter blocks, deny lists, campaign tracking).
  • “Community” aggregates votes and comments; it does not replace technical judgment, but it contributes first-hand signals from other teams that have seen the same thing in the field.

VirusTotal reports integrated into Google Workspace

In organizations with Google Workspace, the Security Center's investigation tool allows you to open VirusTotal reports related to Gmail and Chrome to enrich investigations without leaving the environment.

Important notes about this corporate integration that you should keep in mind: the “Security Center > VirusTotal > View Report” privilege is required. VirusTotal isn't used here for "detection," but rather to add context and reputation; the data (hashes) is only shared with VirusTotal when the administrator clicks "View VirusTotal Report."

  • VirusTotal data is part of a shared ecosystem for the security community.
  • These reports can also be opened from the Alert Center.

How to view reports related to Gmail from the administration console:

  1. Sign in to admin.google.com with an administrator account.
  2. Select “Gmail Messages” or “Gmail Log Events” as the source.
  3. Add the condition “Has an attachment.”
  4. Run the search and open a result by message ID or Subject.
  5. In the side panel, under the “Message” or “Conversation” tab, click “View VirusTotal report.”

For Chrome (log events):

  1. Go to the console and select “Chrome Log Events.”
  2. Add the desired condition and run the search.
  3. In the results, open a link from the “Content Hash” column.
  4. In the side panel, click “View VirusTotal report.”

The integrated report includes multi-vendor reputation and useful details for triage, such as the first and last dates of detection of a threat and the indicators observed.

Standard Reports vs. Enhanced (Enterprise) Version

In Workspace you will see two report modes: the standard version (requires the “View Report” privilege and a compatible edition) and the enhanced version, which automatically appears to paying VirusTotal Enterprise subscribers logged in to virustotal.com.

Key features of the standard version:

  • Threat reputation based on more than 70 vendors.
  • Propagation timeline: first detections and activity over time.
  • File identification: hashes, type, size, signature, etc.

What the enhanced version adds:

  • Multi-angle detection: community rules (YARA, Sigma, IDS) and social scoring.
  • Reference allow lists to rule out false positives (NIST, Microsoft clean feed, software distributors, etc.).
  • Related IOCs and their infrastructure (downloaders, C2, delivery vectors).
  • Interactive threat graph to visualize relationships between artifacts.
  • Security metadata: publisher, malicious macros, Android permissions, and more.
  • Campaign details: geography, deception techniques and propagation patterns.
  • Pivoting by attributes to discover threats with common properties.

Practical benefits of the enhanced version:

  • Better early detection thanks to community rules before there is consensus among antiviruses.
  • More agile investigations combining internal sightings with global context.
  • Faster resolution with threat graph and related IOCs to measure impact and block preemptively.
  • Proactive strategy: pivot to infrastructure not yet observed and anticipate campaigns.

More use cases in Enterprise subscription: automated alert enrichment, triage and forensics, advanced threat intelligence and hunting, phishing and brand monitoring, red team support and bug hunting, and vulnerability prioritization according to risk and observed exploitation.

Privacy, legal and quota considerations

VirusTotal is a product of Alphabet. By using it you agree to its Terms of Service and Privacy Policy. In Workspace environments, when you open a report from the investigation tool, the attachment/domain/IP hash is shared with VirusTotal to retrieve the rating; if the administrator doesn't open the report, nothing is shared.

VirusTotal data is shared with the security community to promote collaboration and coordinated threat response. For VirusTotal Enterprise customers, opening reports from the Workspace investigation tool does not consume quota; opening pages on virustotal.com does count toward your regular quota.

Good practices and additional security

Use VirusTotal as a verification layer before execution. If a file or URL shows signs of risk, do not open or visit it. Check the verdict with your antivirus and, when possible, with a controlled sandbox.

Avoid uploading sensitive or proprietary samples. If you're concerned about metadata exposure, consider submitting only the hash or using flows where sharing is limited (such as the Workspace integration that shares hashes when querying the report).
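The hash-only check described above, combined with the "one or two engines vs. several engines" reading of the Detection tab from the File section, can be scripted. The following is an added example, not part of the original article: it assumes the public VirusTotal API v3 file-report endpoint and your own API key, and the function names, the `few=2` threshold and the sample report are constructed for illustration.

```python
import hashlib
import json
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"  # API v3 file report

def sha256_of(path, chunk=1 << 20):
    """Hash the file locally so only the digest, not the content, leaves the host."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def fetch_report(digest, api_key):
    """Look up an existing report by hash; None means VirusTotal has never seen it."""
    req = urllib.request.Request(VT_FILE_URL.format(digest),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # unknown hash: absence of a report is not a clean verdict
            return None
        raise

def triage(report, few=2):
    """Apply the article's reading of the Detection tab (threshold is an assumption)."""
    results = report["data"]["attributes"].get("last_analysis_results", {})
    flagged = {name: r.get("result") for name, r in results.items()
               if r.get("category") in ("malicious", "suspicious")}
    if not flagged:
        verdict = "no detections (not proof of safety)"
    elif len(flagged) <= few:
        verdict = "possible false positive: do not run, cross-check locally"
    else:
        verdict = "multiple engines agree: treat as malicious"
    return {"flagged": len(flagged), "engines": len(results),
            "names": sorted(n for n in flagged.values() if n), "verdict": verdict}

# Constructed sample shaped like an API v3 file report (not real data).
SAMPLE = {"data": {"attributes": {"last_analysis_results": {
    "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
    "EngineB": {"category": "undetected", "result": None},
    "EngineC": {"category": "undetected", "result": None},
}}}}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `None` from `fetch_report` means the hash is unknown to VirusTotal, which happens with new or targeted samples and says nothing about whether the file is safe.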

Harden the endpoint with multiple layers: a well-configured antivirus such as Microsoft Defender, an EDR that provides behavioral detection, and a network IDS/IPS for inspection and blocking in transit. No single tool is enough; there's strength in the combination.

If you work with office documents, disable macros by default and digitally sign your own executables. Check signatures and certificates: a valid and known signature reduces the risk (though it doesn't eliminate it if the signer's identity has been compromised).

VirusTotal is cross-platform and there are mobile clients. For Android, there is an app (for example, version 2.5.4 in a May 2025 revision), useful for validating links and files on the fly; remember that the principle is the same: reputation and context, not resident protection.
