In association with heise online

25 July 2012, 11:43

VirusTotal online scanner adds behaviour analysis

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

VirusTotal logo The developers of the VirusTotal online virus scanner service are currently testing a new sandbox feature to provide users with more meaningful scan results. In a post on the company's blog, software architect and developer

An analysis of the uploaded file's behaviour is then displayed in a new "Behavioural information" tab as part of the scan results. VirusTotal logs file and registry activities as well as new processes and code injections. The scanner also issues a notification when a file directly sends commands to certain device drivers.

With the free online service, users can submit URLs and files to be analysed by various antivirus engines and scanners for malicious content such as viruses, worms and trojans. However, it is often only the heuristics that flag up issues – which can be identified by result descriptions that contain keywords such as "Heur", "Suspicious" or "Generic". Occasionally, this causes legitimate files to be regarded as suspected viruses without giving users the option to establish whether there is an actual threat.

Even a sandbox analysis carries a residual risk as some trojans quietly check whether they are being executed in a virtual environment when they're launching. If this is the case, they will act inconspicuously, only launching their malicious payload on a real Windows system.

The behaviour analysis is currently being carried out by the scan engines at a different time than the virus analysis. It only scans executable files that are less than 8 MB in size and were previously unknown to VirusTotal. Therefore, it makes sense to keep the results page open and reload it occasionally to check whether a new data has been added.

Martinez notes that the behaviour analysis is still in its early days, and that there is no guarantee that uploaded files will undergo the added analysis. The company uses Claudio Guarnieri's open source Cuckoo sandbox. Incidentally, VirusTotal is far from being the only online tool to use a sandbox: Anubis, MWAnalysis CWSandbox and ThreatExpert have offered similar services for quite some time.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit