In association with heise online

10 February 2011, 15:33

Useful tools for online virus checkers

Daniel Bachfeld

VirusTotal, the most popular virus checking service, uses 42 different anti-virus products to test files for infection. The normal procedure for using this site is as follows: a user downloads a suspicious file to his or her computer, goes to the VirusTotal website and then uploads the file. By the time he or she has done so, the user may already be deep in the mire – either because the web site or downloaded file has set alarm bells ringing in their anti-virus software, or because it has exploited a vulnerability in their system. With the right tools, this can be avoided.

VirusTotal has created the VTZilla and VTchromizer plugins for Firefox and Chrome, respectively. They send the URL of a web page or file to be checked out directly to VirusTotal, which then downloads the web page or file so you don't have to. Both plugins add a 'Scan with VirusTotal' option to the menu that is opened when the user right-clicks on a link from within the browser.

The browser plug-in extends the context menu of the browser and allows a file scan without downloading the file itself.

Clicking on this option launches a new browser window which displays a report on the requested URL. VirusTotal uses six URL analysis tools from Firefox, G-Data, Google (Safebrowsing API), Opera, ParetoLogic and Phishtank to check whether a URL is known to be linked with any threats. This allows users to assess the risk of visiting a website beforehand.

If the link is to a downloadable file, VirusTotal downloads and checks it. The header of the URL test report contains a fairly well hidden 'Antivirus Report' option with a link to 'View downloaded file analysis'. Clicking on this displays the results of the check.

In Firefox, the plugin installs itself as an additional toolbar; in Chrome it adds an unassuming button next to the address bar. Both plugins offer a 'Scan current site' function which can be used to check the URL of the site currently being viewed. It is also possible to enter URLs to be checked directly into a toolbar field designed for the purpose, so that users are not restricted to the current URL or pages linked from it.

The VTzilla plug-in enhances Firefox's download dialogue with a scan option.

The plugins also add another, at first sight less conspicuous, feature: in addition to the usual 'Open with' and 'Save' options, the download dialog now offers an additional 'Scan file' option. Whether or not this option is displayed depends on the file extension and type of file being downloaded. For example, it is always displayed for executable .exe files but for a PDF file, it depends on whether the PDF viewer is integrated into the browser.

If PDF files are opened automatically in Firefox or automatically downloaded and opened in a PDF viewer, the user needs to set the associated action under Tools/Options/Applications to 'Always ask'. This ensures that the download dialog is always displayed and that the user is offered the opportunity to stop malicious PDFs from being opened automatically, which would let them go about their nefarious business.

You may need to disable the automatic opening of files in Firefox in order to get the download dialog to appear.

Unfortunately, it is not possible to configure the standard action in Chrome. The only way of stopping PDF files from being opened automatically is to deactivate the PDF plugin via 'about:plugins'.

Sometimes you may wish to test files which are already on your hard drive or on external media such as a USB flash drive. VTUploader offers a simple way of uploading files, in that it adds a new 'VirusTotal' option to the 'Send To' option in the Windows Explorer pop-up menu. The results are still displayed in a new browser window, but VTUploader does save the user a few steps along the way. If VTUploader is launched conventionally, it even offers a list of recently executed processes, the binaries for which can be uploaded for testing.

The VT Uploader even allows you to upload the binary files of running processes.

As well as browser-based file uploading, VirusTotal also supports file transfer and receipt of reports via its own API. A range of Python, Perl, Ruby and PHP scripts are used to upload files to the server and process the results. Sample implementations can be found in the API documentation. To use the API, the script has to send a personal API key unique to each user with each request, but this is issued free on registering. The API allows users to make 20 requests in five minutes.
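
A script that walks a folder of samples can exhaust the quota of 20 requests in five minutes within seconds. The following client-side throttle for that quota is an added example, not part of the original article or of VirusTotal's sample implementations; `QuotaThrottle`, `submit_all` and the `send` callable are hypothetical names, and it assumes the quota is counted over a sliding window.

```python
import collections
import time

VT_LIMIT = 20        # requests per window, as stated in the article
VT_WINDOW = 5 * 60   # window length in seconds (five minutes)


class QuotaThrottle:
    """Allow at most `limit` requests in any `window`-second span.

    Assumption: the service counts requests over a sliding window; the
    article gives only the figures, not how the server measures them.
    """

    def __init__(self, limit=VT_LIMIT, window=VT_WINDOW,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.sent = collections.deque()  # timestamps still inside the window

    def wait_time(self):
        """Return the seconds to wait before one more request fits."""
        now = self.clock()
        # Forget requests that have aged out of the window.
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) < self.limit:
            return 0.0
        return self.sent[0] + self.window - now

    def acquire(self):
        """Block until the quota has room, then record the request time."""
        while (delay := self.wait_time()) > 0:
            self.sleep(delay)
        stamp = self.clock()
        self.sent.append(stamp)
        return stamp


def submit_all(items, send, throttle=None):
    """Call send(item) for each item without exceeding the quota.

    `send` is a hypothetical callable that performs one API request
    (upload or report query) and returns its result.
    """
    throttle = throttle or QuotaThrottle()
    results = []
    for item in items:
        throttle.acquire()
        results.append(send(item))
    return results
```

The `clock` and `sleep` parameters exist so the throttle can be exercised with a simulated clock instead of waiting five real minutes.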
