4 things you should know about testing AV software with VirusTotal's free online multiscanner

As COVID-19 soldiers on, small and medium-size businesses now feel as ripe for malware attacks as deep-pocketed multinationals.

SMBs see that, along with remote work, our pandemic has also brought troubling new holes to their security. This means cybercriminals—equal opportunity charlatans that they are—now simply cast wider nets to snare any and all businesses. Large or small. Young or old. Public or private. Profitable or those just barely getting by.

For defense against these new vulnerabilities, nervous teams often purchase an endpoint protection solution. But, research shows, most SMBs are skeptical about the job their product is doing.

In Malwarebytes’ recent SMB Cybersecurity Trust & Confidence Report, 47% of respondents said their endpoint protection wasn’t up to the task of stopping new threats. Remarked a respondent: “Even a combination of solutions can’t catch every threat. Just like a flu shot can’t prevent every strain of the flu.”

According to the report, about 65% of SMBs with 50-99 employees try to make double-sure their endpoint protection is working as advertised by testing it.

And to do so, they often turn to VirusTotal.

If you’re not familiar with VirusTotal, it’s a service owned by Chronicle (part of Google/Alphabet). Its free offering lets you upload suspicious files and URLs, which it inspects and checks for viruses using 70+ third-party antivirus products, URL/domain blocklisting services, and other tools. It also offers a range of paid-for Premium Services, but in this article we will focus on its free offering.

Naturally, the price tag for analyzing malware (free) is appealing to SMBs on a limited budget. And the simplicity appeals to teams with limited resources and technical staff.

But is this the best testing solution for SMBs? Let’s explore.

1. VirusTotal isn’t running the same AV software as you

To stay up-to-date against both known and zero-day threats, endpoint protection providers update their products and protection software almost continuously. VirusTotal maintains a collection of over 70 endpoint protection solutions, and there is no guarantee that its version of what you’re running is as up to date as your version. This means they’re sometimes testing an SMB’s suspicious items with outdated AV software.

The service also runs command line versions of the AV software it tests with, rather than the GUI versions. In its own words, that means “…depending on the product, they will not behave exactly the same as the desktop versions.”

Lastly, the free version of VirusTotal performs a static analysis of your file. A more detailed and realistic view of the file is available through its Premium Services, which analyze files as they run in a sandbox environment.

It’s no surprise then that the free version of VirusTotal does not mirror your environment, which can easily lead to a false negative.

2. Some infections aren’t triggered in VirusTotal

Cybercriminals are getting smarter. They now create malware that senses when it’s in the VirusTotal environment, and therefore it won’t detonate. The virus just lies low until given the green light by VirusTotal. Then, when the unsuspecting SMB releases the “clean” item to their live endpoints, it wakes up and delivers the payload.

These nefarious threat actors are even getting cheeky. They sometimes program their malware to send a rude message to SMBs once the malware has exploded, taunting them for trying to outsmart them.

3. VirusTotal doesn’t want your private data

When uploading a suspicious file to VirusTotal, an SMB may also inadvertently include sensitive information. This is especially true among teams with inexperienced staff who are less familiar with what’s included in the sample.

Exposed info can range from internal data (like payroll records or intellectual property) to external information (such as customer passwords and banking information). This unprotected data can leak out to other VirusTotal customers or cybercriminals.

This is why many SMBs with compliance regulations, or those with advanced safety protocols, prohibit the use of VirusTotal, and it’s why the service’s home page says clearly: “Please do not submit any personal information.”
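One way to act on this before a sample leaves the building, shown as an added example that is not part of the original article or of VirusTotal's tooling: a local pre-upload check that hashes the file and flags signs of private data. The patterns, function names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import re

# Illustrative patterns (assumptions), not an exhaustive DLP rule set.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")
KEYWORD_RE = re.compile(rb"(?i)\b(password|passwd|iban|salary|payroll|ssn)\b")
# Magic bytes of container formats that usually hold business documents.
DOC_MAGIC = {
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP/OOXML container",
    b"\xd0\xcf\x11\xe0": "legacy Office (OLE2) document",
}
# Constructed sample inputs: a document-like file and a bare binary stub.
SAMPLE_DOC = b"%PDF-1.7\nPayroll export\nalice@example.com 4111 1111 1111 1111\n"
SAMPLE_BIN = b"MZ\x90\x00" + b"\x00" * 64


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII digit byte to integer
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pre_upload_check(data: bytes) -> dict:
    """Return the SHA-256 and the reasons the sample may hold private data.

    An unflagged file is not proven clean; it only passed these checks.
    """
    reasons = []
    for magic, label in DOC_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"file type: {label}")
    if EMAIL_RE.search(data):
        reasons.append("contains e-mail addresses")
    for match in CARD_RE.finditer(data):
        digits = re.sub(rb"\D", b"", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            reasons.append("contains a Luhn-valid card-like number")
            break
    if KEYWORD_RE.search(data):
        reasons.append("contains sensitive keywords")
    digest = hashlib.sha256(data).hexdigest()
    return {"sha256": digest, "flagged": bool(reasons), "reasons": reasons}
```

For a flagged file, the returned SHA-256 can be searched on VirusTotal instead of uploading the file itself, so the content stays in-house.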

4. VirusTotal isn’t a testing tool

In many ways, VirusTotal is a victim of its own success. While it’s very useful for testing AV solutions, it has always been clear that’s not what it’s for. Its job is to help antivirus vendors, as its FAQ makes plain:

VirusTotal service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors

The company shows no signs of embracing its widespread misapplication either. Instead, the company’s future centers around building its premium service, VirusTotal Intelligence. It lets subscribers download virus samples from VirusTotal to a team’s own test environment. SMBs can then scan these samples internally using their endpoint protection solution, to see what they catch or miss.

Is VirusTotal the answer?

Bottom line: VirusTotal is a free service staffed with top professionals. But testing the efficacy of your AV solution is not its focus. You’ll have to weigh the pros and cons. VirusTotal is useful for testing, and the price is right (you can’t beat free), but its shortcomings could have a major impact on your business and endpoint protection.

In a follow-up article, we’ll discuss viable options beyond VirusTotal for testing and verifying your endpoint protection.