VirusTotal — Tool Overview

What is VirusTotal?

VirusTotal is a free, web-based threat intelligence service that aggregates results from over 70 antivirus engines, URL scanners, and security vendors to analyze suspicious files, hashes, URLs, IP addresses, and domains. It is widely used across the security community as a quick and reliable reference point during threat investigations. No account or login is required for basic lookups, making it immediately accessible to analysts at any level.

Key Features Relevant to SOC Operations

Hash Lookup Analysts can submit a file hash (MD5, SHA1, or SHA256) to determine whether it has been previously identified as malicious. VirusTotal returns a detection ratio (e.g., 42/72 engines flagged this file), the malware family name, and behavioral tags. This is the most common use case for L1 endpoint investigations.

File Analysis If a file itself is submitted, VirusTotal will scan it across all integrated engines and return detailed results including threat category, file metadata, and any associated indicators.

URL and Domain Lookup URLs and domains can be checked for known malicious activity, phishing associations, or connections to threat infrastructure. This is covered in greater depth in the network IOC investigation wiki entries.

IP Address Lookup IP addresses can be queried to check for known malicious activity, threat actor associations, and historical context. Again, more detail on this use case is covered in the network investigation entries.

Community and Vendor Context VirusTotal aggregates comments and context from the broader security community and vendors, which can provide additional investigative leads beyond the raw detection ratio.

How SOC Analysts Use VirusTotal

During endpoint investigations, VirusTotal is used to cross-reference a hash identified in Tanium against known threat intelligence. A high detection ratio across multiple engines is a strong indicator of malicious activity and should be documented in the ticket. A low or zero detection ratio does not necessarily mean a file is clean — it may indicate a novel or targeted threat, which warrants further investigation and should be noted accordingly.

Investigative Note: Always document the detection ratio, malware family name (if available), and the date of the lookup in your ticket notes. Threat intelligence can change as new engines update their definitions.

Access

VirusTotal is accessible at virustotal.com. No account is required for basic searches. Creating a free account unlocks additional search history and API features, but is not required for standard L1 investigations.

Knowledge Base | Tools

Tanium — Tool Overview
By

What is Tanium? Tanium is an enterprise endpoint management and security platform that enables real-time visibility and control across every device in the environment. Unlike traditional security tools that rely on scheduled scans or passive data collection, Tanium queries endpoints directly and returns results in real time. For SOC analysts, this means the ability to…

Read More Tanium — Tool Overview
Concepts | Knowledge Base

False Positive vs. True Positive
By

The distinction between a false positive and a true positive hinges on a single question: Did the tool or rule do what it was designed to do? True Positive A true positive occurs when a rule fires correctly, in accordance with its defined logic and conditions. The detection behaved exactly as intended based on how…

Read More False Positive vs. True Positive
Analysis | Knowledge Base | Operations | Techniques | Threat Intelligence | Tools

Cyber Analysis 102
By

Endpoint Analysis & Asset Investigation — L1 SOC Analyst Guide Overview This guide covers the initial steps for investigating endpoint alerts for the L1 Analyst onboarding. The focus is on determining whether a known malicious hash exists in the environment and identifying the affected device and its user. By the end of this section you…

Read More Cyber Analysis 102
History | Knowledge Base

The Architects of Thought: Babbage, Lovelace, and the Birth of Computing
By

Introduction Long before the first transistor or the first line of code, the blueprint for the digital age was etched into brass gears and Victorian imagination. At New World Intelligence, we look forward—but to understand where technology is going, we must look back at the duo who first realized that machines could do more than…

Read More The Architects of Thought: Babbage, Lovelace, and the Birth of Computing
Analysis | Concepts | Knowledge Base | Platforms | Techniques | Threat Intelligence | Tools

The Triple Punch
By

Standard Endpoint Investigation Workflow Objective: To determine if a file is safe or malicious, find out who has it, and confirm if security controls (Antivirus) took action. Punch 1: The Inventory Hunt (Scope & Presence) Punch 2: The Reputation Check (Global Intel) Punch 3: The Log Audit (Security Action) Investigation Summary Checklist

Read More The Triple Punch
Analysis | Knowledge Base | Operations | Platforms | Techniques | Threat Intelligence | Tools

Standard Endpoint Investigation
By

Objective: Determine the distribution of a specific file across the environment to establish a baseline for the investigation. Exercise Note: For this instructional walkthrough, a Standard Reference MD5 Hash is utilized. This allows the Analyst to practice the workflow using a known, high-incidence file to ensure the system and parameters are responding as expected. Step…

Read More Standard Endpoint Investigation

What is VirusTotal?

Key Features Relevant to SOC Operations

How SOC Analysts Use VirusTotal

Access

Similar Posts