Overview
VirusTotal is an online service that analyzes suspicious files, URLs, domains, and IP addresses for malware and other cyber threats. It functions by aggregating data from a multitude of antivirus engines, website scanners, and data-extraction tools. This aggregated information provides users with a comprehensive context for understanding potential threats, rather than relying on a single detection source. The platform was founded in 2004 and acquired by Google in 2012, operating as part of Chronicle, a Google Cloud security company.
The primary utility of VirusTotal lies in its ability to offer a "second opinion" on potentially malicious entities. When a file or URL is submitted, VirusTotal distributes it to approximately 70 antivirus scanners and various URL/domain blacklisting services simultaneously. The results are then compiled and presented to the user, indicating how many engines flagged the submission as malicious. This multi-engine approach helps overcome the limitations of individual antivirus products, as no single engine can detect all threats.
VirusTotal is utilized by a diverse audience, including security researchers, incident response teams, threat hunters, and security operations centers. For developers, the VirusTotal API allows for programmatic submission of files and URLs, retrieval of analysis reports, and querying of historical data. This enables automation of threat intelligence gathering, integration into Security Information and Event Management (SIEM) systems, and enhancement of internal security tools. The API supports various operations, such as uploading files, scanning URLs, retrieving file and URL reports, and accessing behavioral information from sandboxed executions. The community API is available for non-commercial use, with premium services offering higher rate limits and advanced features for enterprise applications.
The platform excels where a rapid, broad assessment is needed. An incident response team can check a suspicious email attachment or phishing URL against dozens of engines in one request; threat hunters can pivot through its dataset on indicators of compromise (IOCs) such as file hashes, domains, and IP addresses; and security researchers use it for malware analysis and for tracking the threat landscape. Public API access is authenticated with a per-user key sent in the x-apikey request header and is limited to 4 requests per minute and 500 per day; premium tiers raise these quotas, as detailed in the VirusTotal API reference.
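As an added example (not code from this page or from VirusTotal), the script below shows the v3 identifiers a client needs before it can retrieve a report without submitting anything: a file is addressed by its SHA-256, computed locally, and a URL by the unpadded base64url encoding of the URL string. The GET calls go to the real /files/{id} and /urls/{id} endpoints when run with VT_API_KEY set (the requests library is needed only for that live call); SAMPLE_FILE_OBJECT is a constructed response used to exercise the parser, and the function names are my own.

```python
import base64
import hashlib
import os
import sys

VT_BASE = "https://www.virustotal.com/api/v3"


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file locally: a hash lookup never sends the file itself to VirusTotal."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_url_id(url):
    """The v3 URL identifier is the base64url encoding of the URL with '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def report_request(kind, identifier, api_key):
    """Build (url, headers) for GET /files/{sha256} or GET /urls/{url_id}; does no I/O."""
    if kind not in ("files", "urls"):
        raise ValueError("kind must be 'files' or 'urls'")
    return f"{VT_BASE}/{kind}/{identifier}", {"x-apikey": api_key, "accept": "application/json"}


def summarize_last_analysis(obj):
    """Return (malicious, suspicious, engines_with_verdict) from a v3 file or URL object."""
    stats = obj["data"]["attributes"].get("last_analysis_stats", {})
    scanned = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    return stats.get("malicious", 0), stats.get("suspicious", 0), scanned


def fetch_report(kind, identifier, api_key):
    """GET the object. Returns (status, json); status 404 means VT has never seen this identifier."""
    import requests  # only needed for the live call (pip install requests)
    url, headers = report_request(kind, identifier, api_key)
    resp = requests.get(url, headers=headers, timeout=30)
    if resp.status_code == 404:
        return 404, None
    resp.raise_for_status()
    return resp.status_code, resp.json()


# Constructed sample shaped like a v3 file object; not a real VirusTotal record
SAMPLE_FILE_OBJECT = {
    "data": {
        "type": "file",
        "id": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
        "attributes": {
            "last_analysis_stats": {"harmless": 0, "malicious": 3, "suspicious": 1,
                                    "undetected": 60, "timeout": 1, "type-unsupported": 5}
        },
    }
}

if __name__ == "__main__":
    api_key = os.environ.get("VT_API_KEY")
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if not api_key or not target:
        print("usage: VT_API_KEY=<key> python vt_lookup.py <file path or http(s) URL>")
        sys.exit(1)
    if target.startswith(("http://", "https://")):
        kind, ident = "urls", vt_url_id(target)
    else:
        kind, ident = "files", sha256_of_file(target)
    status, obj = fetch_report(kind, ident, api_key)
    if status == 404:
        print(f"{ident}: unknown to VirusTotal (nothing was uploaded)")
    else:
        mal, sus, scanned = summarize_last_analysis(obj)
        print(f"{ident}: {mal} malicious, {sus} suspicious, {scanned} engines returned a verdict")
```

A 404 on the hash lookup is the signal to decide whether uploading is acceptable at all; the summary deliberately counts only engines that returned a verdict, since timeouts and unsupported types say nothing about the sample.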
Key features
- File Analysis: Submits files for scanning against a database of antivirus engines and behavioral analysis tools, providing detection rates and detailed reports.
- URL Analysis: Scans URLs against multiple website scanners and blacklisting services to identify malicious or phishing links.
- Domain Analysis: Provides intelligence on specific domains, including associated IP addresses, subdomains, and historical WHOIS data.
- IP Address Analysis: Offers context for IP addresses, such as geolocation, associated domains, and historical reputation.
- Threat Intelligence Data: Accesses a vast repository of historical analysis results and behavioral information on known threats.
- VT Graph: Visualizes relationships between files, URLs, domains, and IP addresses to understand attack campaigns and infrastructure.
- YARA Rules: Supports the application of custom YARA rules to scan files and identify specific patterns of malware.
- LiveHunt: Allows users to set up continuous monitoring for new files matching specific YARA rules or other criteria.
- Retrohunt: Enables scanning of historical file submissions with new YARA rules to uncover previously undetected threats.
Pricing
VirusTotal offers a community API for non-commercial use, subject to rate limits. For commercial and advanced applications, custom enterprise pricing is available based on specific usage requirements and features. Details on premium services can be found on the VirusTotal Premium Services page.
| Service Tier | Description | Pricing (As of 2026-05-28) |
|---|---|---|
| Community API | Non-commercial use, rate-limited access to core analysis features. | Free |
| Premium Services | Higher API rate limits, advanced features (e.g., VT Graph, LiveHunt, Retrohunt), dedicated support. | Custom enterprise pricing (contact sales) |
Common integrations
VirusTotal's API and data are commonly integrated into various security architectures and tools. Typical integrations include:
- SIEM Systems: Integrating VirusTotal data into Security Information and Event Management platforms to enrich alerts with threat intelligence.
- SOAR Platforms: Automating incident response playbooks by incorporating VirusTotal scans for suspicious indicators within Security Orchestration, Automation, and Response systems.
- Endpoint Detection and Response (EDR) Tools: Enhancing EDR capabilities by cross-referencing file hashes and process information with VirusTotal's extensive threat database.
- Email Security Gateways: Automatically scanning email attachments and URLs for malicious content before delivery.
- Threat Intelligence Platforms: Feeding VirusTotal data into broader threat intelligence platforms to provide a more holistic view of the threat landscape.
- Custom Security Applications: Developers can build their own malware-analysis, threat-hunting, and automated-check tooling on the API, following the VirusTotal documentation.
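The SIEM/SOAR enrichment pattern from the list above, as an added example that is not part of the original page or of any vendor integration: alerts arrive as JSON lines carrying a SHA-256, each distinct hash is looked up once (repeats are served from a cache, including negative results), a sliding-window limiter keeps a public key within its 4 requests per minute, and the verdict requires several engines to agree rather than a single detection. The alert lines, placeholder hashes and the FAKE_VT table are constructed so the block runs offline; in production `fake_lookup` would be a function doing GET /files/{sha256} and returning the object's last_analysis_stats, or None on a 404. Thresholds and names are my own choices.

```python
import json
import time
from collections import deque

# Constructed placeholder hashes (not real samples) so the example runs offline
H_KNOWN_BAD = "1" * 64
H_GREY = "2" * 64
H_CLEAN = "3" * 64
H_UNKNOWN = "4" * 64

# Constructed alert feed as a SIEM would forward it: one JSON object per line
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"ts": "2024-01-10T09:12:03Z", "host": "ws-017", "proc": "update.exe", "sha256": H_KNOWN_BAD},
    {"ts": "2024-01-10T09:12:09Z", "host": "ws-021", "proc": "update.exe", "sha256": H_KNOWN_BAD},
    {"ts": "2024-01-10T09:13:41Z", "host": "ws-004", "proc": "tool.exe", "sha256": H_GREY},
    {"ts": "2024-01-10T09:15:02Z", "host": "srv-02", "proc": "svc.exe", "sha256": H_CLEAN},
    {"ts": "2024-01-10T09:16:55Z", "host": "ws-009", "proc": "x.exe", "sha256": H_UNKNOWN},
])

# Constructed stand-in for GET /files/{sha256}: last_analysis_stats per hash, None for a 404
FAKE_VT = {
    H_KNOWN_BAD: {"harmless": 0, "malicious": 41, "suspicious": 3, "undetected": 20},
    H_GREY: {"harmless": 0, "malicious": 1, "suspicious": 0, "undetected": 66},
    H_CLEAN: {"harmless": 2, "malicious": 0, "suspicious": 0, "undetected": 68},
}

def fake_lookup(sha256):
    return FAKE_VT.get(sha256)

class RateLimiter:
    """Sliding-window limiter; the public VT API allows 4 requests per minute."""
    def __init__(self, max_calls=4, period=60.0, clock=time.monotonic, sleep=time.sleep):
        self.max_calls, self.period = max_calls, period
        self.clock, self.sleep = clock, sleep
        self.calls = deque()

    def wait(self):
        now = self.clock()
        while self.calls and now - self.calls[0] >= self.period:
            self.calls.popleft()  # drop calls that have left the window
        if len(self.calls) >= self.max_calls:
            self.sleep(self.period - (now - self.calls[0]))  # block until the oldest call expires
            self.calls.popleft()
        self.calls.append(self.clock())

def verdict(stats, min_malicious=3, min_ratio=0.05):
    """Map last_analysis_stats to a verdict; require agreement, since a single hit is often a false positive."""
    if stats is None:
        return "unknown"  # VT has never seen the hash (HTTP 404)
    scanned = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    malicious = stats.get("malicious", 0)
    if scanned and malicious >= min_malicious and malicious / scanned >= min_ratio:
        return "malicious"
    if malicious or stats.get("suspicious", 0):
        return "suspicious"
    return "clean"

def enrich_alerts(jsonl, lookup, limiter=None, cache=None):
    """Attach a 'vt' field to every alert; returns (alerts, api_calls). Each distinct hash costs one call."""
    cache = {} if cache is None else cache
    limiter = limiter or RateLimiter()
    enriched, api_calls = [], 0
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        h = str(alert.get("sha256", "")).lower()
        if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
            alert["vt"] = {"verdict": "invalid_hash"}  # never spend quota on malformed input
        else:
            if h not in cache:
                limiter.wait()
                cache[h] = lookup(h)  # None (404) is cached too, so unknown hashes are not re-queried
                api_calls += 1
            stats = cache[h]
            alert["vt"] = {"verdict": verdict(stats), "malicious": (stats or {}).get("malicious", 0)}
        enriched.append(alert)
    return enriched, api_calls

def run_sample():
    """Enrich the constructed feed; returns (verdicts in order, API calls actually made)."""
    rows, calls = enrich_alerts(SAMPLE_ALERTS, fake_lookup)
    return [r["vt"]["verdict"] for r in rows], calls

def limiter_demo(requests=5):
    """Drive the limiter with a fake clock (1 s of work per call); returns the sleeps it imposed."""
    now, slept = [0.0], []

    def fake_sleep(seconds):
        slept.append(seconds)
        now[0] += seconds

    limiter = RateLimiter(max_calls=4, period=60.0, clock=lambda: now[0], sleep=fake_sleep)
    for _ in range(requests):
        limiter.wait()
        now[0] += 1.0
    return slept

if __name__ == "__main__":
    verdicts, calls = run_sample()
    print(verdicts, f"({calls} API calls for 5 alerts)")
    print("sleeps imposed on 5 back-to-back lookups:", limiter_demo(5))
```

In a real playbook the cache would be shared across runs (a key-value store keyed on the hash) so that the same commodity binary seen on fifty hosts costs one request, and the `min_malicious` / `min_ratio` thresholds would be tuned per environment rather than left at these values.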
Alternatives
- ANY.RUN: An interactive malware analysis sandbox that allows users to analyze threats in real-time within a virtual environment.
- Hybrid Analysis: A free malware analysis service that detects and analyzes unknown threats using a unique combination of static and dynamic analysis.
- Censys: A search engine that identifies and analyzes every host and device on the Internet, providing insights into attack surfaces and vulnerabilities.
Getting started
To get started with the VirusTotal API, you'll need an API key. For the public API, you can obtain one by signing up on their website; it is licensed for non-commercial use and limited to 4 requests per minute and 500 per day. Two caveats before you upload anything: a file submitted to VirusTotal is shared with the participating antivirus vendors and is searchable and downloadable by premium customers, so never upload documents that contain sensitive or proprietary data, and look the file's SHA-256 up first (GET /api/v3/files/{sha256}) to see whether a report already exists. The /files upload endpoint also accepts at most 32 MB; larger files need a one-time upload URL obtained from /api/v3/files/upload_url. The following Python example demonstrates how to submit a file for analysis and poll for its report. Before running, ensure you have the requests library installed (pip install requests).
```python
import os
import sys
import time

import requests

# Read the key from the environment rather than hardcoding it in the script
API_KEY = os.environ.get('VT_API_KEY', 'YOUR_VIRUSTOTAL_API_KEY')
FILE_PATH = 'path/to/your/suspicious_file.exe'  # Replace with the path to the file you want to analyze
BASE_URL = 'https://www.virustotal.com/api/v3'


def upload_and_analyze_file(api_key, file_path):
    """Upload a file (this endpoint accepts up to 32 MB) and return the analysis ID."""
    url = f'{BASE_URL}/files'
    headers = {'x-apikey': api_key}
    try:
        with open(file_path, 'rb') as f:
            files = {'file': (os.path.basename(file_path), f)}
            response = requests.post(url, headers=headers, files=files, timeout=120)
        response.raise_for_status()  # Raise an exception for HTTP errors
    except FileNotFoundError:
        print(f"Error: File not found at {file_path}")
        return None
    except requests.exceptions.RequestException as e:
        print(f"Request failed: {e}")
        return None
    result = response.json()
    analysis_id = result.get('data', {}).get('id')
    if not analysis_id:
        print(f"Error uploading file: {result}")
        return None
    print(f"File uploaded. Analysis ID: {analysis_id}")
    return analysis_id


def get_analysis_report(api_key, analysis_id, attempts=10, delay=10):
    """Poll the analysis object until its status is 'completed'.

    The delay between polls also keeps a public key under its 4 requests/minute quota.
    """
    url = f'{BASE_URL}/analyses/{analysis_id}'
    headers = {'x-apikey': api_key}
    for _ in range(attempts):
        time.sleep(delay)  # Give the engines time to run
        try:
            response = requests.get(url, headers=headers, timeout=30)
            response.raise_for_status()
        except requests.exceptions.RequestException as e:
            print(f"Request failed: {e}")
            return None
        report = response.json()
        status = report['data']['attributes']['status']
        print(f"Analysis status: {status}")
        if status == 'completed':
            return report
        # Any other status (e.g. 'queued') means the scan is still running; keep polling
    print("Analysis timed out or failed to complete.")
    return None


if __name__ == '__main__':
    # Example usage: set VT_API_KEY in the environment and edit FILE_PATH above
    analysis_id = upload_and_analyze_file(API_KEY, FILE_PATH)
    if not analysis_id:
        print("File upload failed.")
        sys.exit(1)
    report = get_analysis_report(API_KEY, analysis_id)
    if not report:
        print("Could not retrieve analysis report.")
        sys.exit(1)

    print("\n--- Analysis Report ---")
    # For the full report structure, refer to the VirusTotal API documentation:
    # https://docs.virustotal.com/reference/files-analysis-object
    stats = report['data']['attributes']['stats']
    # 'stats' holds per-category engine counts (harmless, malicious, suspicious, undetected,
    # timeout, ...); there is no 'total_votes' key, so count the engines that returned a verdict
    scanned = sum(stats.get(k, 0) for k in ('harmless', 'malicious', 'suspicious', 'undetected'))
    malicious = stats.get('malicious', 0)
    print(f"Detections: {malicious} / {scanned} (malicious / engines with a verdict)")
    if malicious == 0:
        print("No engine flagged this file (absence of detections is not proof it is clean).")
    elif malicious < 3:
        print("Only a few engines flagged this file; treat it as suspicious and verify (single hits are often false positives).")
    else:
        print("This file is likely malicious.")

    # Per-engine results: which vendors flagged it and under which signature name
    results = report['data']['attributes']['results']
    for engine_name, engine_data in sorted(results.items()):
        if engine_data.get('category') == 'malicious':
            print(f"  {engine_name}: {engine_data.get('result')}")
```