In addition to VirusTotal, Jotti has also made something of a name for itself as an online virus checking service. Jotti allows files of up to 20 MB to be uploaded, but uses just 20 anti-virus products (Linux versions). No plugins or APIs are available at present. Developer Jan Wester has, however, released a free upload tool for Windows, going by the name of JottiQ.
JottiQ runs as a separate browser-independent application into which, once started, files can be dragged and dropped for checking. In contrast to the VirusTotal plugins, the files do need already to be present on the user's system. The status of each file, including the progress of uploads and whether the server is still performing the scan, is displayed. JottiQ also adds a 'Scan with JottiQ' option to the Windows Explorer pop-up menu, which, if clicked, runs checks on the selected file. JottiQ displays the results clearly in a separate window.
Less well known is NoVirusThanks (NVT), which supposedly checks files using 26 anti-virus products from a range of vendors. Uploaded files are subject to a size limit of 20 MB. Tests by heise Security found that NVT only returned results from 16 products, however. NVT also offers the 'NoVirusThanks-Uploader', a Windows tool for uploading without using a browser, but it has a tighter size restriction of 5 MB. The NVT uploader also provides an overview of running processes and other system information.
Should VirusTotal, Jotti or NVT fail to find a virus, this does not guarantee that a file is not malignant. The problem with all of these services is that they are essentially signature-based and do not monitor how a file behaves when opened. Virus programmers put a lot of effort into polishing their malware to avoid signature-based detection, and from our own observations using newly released malware, it is not uncommon for none of the major anti-virus products to sound the alarm.
ThreatExpert, from the company behind behavioural detection system ThreatFire, is an online virus checker which analyses and evaluates file behaviour. Upload size is limited to 5 MB. ThreatExpert does not immediately show the results of checks, which can easily take 10 minutes or more. Instead, it sends an email containing a link to the results to the address entered by the user when finished. But watch out – in our tests the notification emails were filtered as spam.
A look at the report is impressive – while only three more obscure products on VirusTotal pointed a vague finger of suspicion at our suspect file, ThreatExpert's report was much less ambivalent. As well as assessing it as a "possible security risk", it also provided details of program behaviour. The program inserts itself into the system via the registry, calls Facebook and MySpace profile pages and then registers with an IRC server. You don't have to be a malware expert to identify it as a bot remotely controlled via IRC.
ThreatExpert has a Submission Applet for Windows users which can be used to send files without using a browser. Reports, however, are only available online.
The tools described here are no substitute for installing and activating anti-virus software under Windows, as these remain the only option for protecting a system in real time. Online virus checkers can, however, help users better assess the risks posed by downloaded files.