VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats. VirusTotal reports provide many crowdsourced details on why a domain, file attachment, or IP address might be considered risky. (For more details, see the VirusTotal website.)
From the security investigation tool, you can directly access VirusTotal reports related to email attachments circulating in your organization, or related to Chrome log events. This enables you to gain threat context and reputation data relevant to an investigation. For example, a VirusTotal report might show you that multiple security vendors have flagged a specific domain as malicious.
Note:
- To view VirusTotal reports from the investigation tool, you need the Security Center > VirusTotal > View report privilege.
- The investigation tool doesn't use VirusTotal to detect malware or other security threats. VirusTotal expands on the results of an investigation by providing further security insights and by assisting your decision making as you address security concerns.
- Data (file attachment hashes) is shared with VirusTotal only after an admin chooses to view the VirusTotal report. No data is otherwise shared.
- VirusTotal data is shared with the broader security community. This enables security vendors to collaborate with each other, share important details, and take action to fight security threats.
- You can also view VirusTotal reports from the alert center to gain additional security insights related to alerts. For details, see View VirusTotal reports from the alert center.
View VirusTotal reports related to Gmail
- Sign in to your Google Admin console at admin.google.com. Sign in using your administrator account (does not end in @gmail.com).
- From the left-navigation menu, go to Security > Security center > Investigation tool.
- Choose Gmail messages or Gmail log events as the data source for your search.
- Click Add Condition, and choose Has attachment.
- Click Search.
- From one of the items in the search results at the bottom of the page, click the Message ID link or Subject link.
- From the side panel, click the Message tab or Thread tab.
- Click View VirusTotal Report.
The VirusTotal report includes multiple sections with details about potential security threats. For example, you can view a list of security vendors that have flagged a file as malicious, and also view file scanning results for each of these vendors.
View VirusTotal reports related to Chrome
- Sign in to your Google Admin console at admin.google.com. Sign in using your administrator account (does not end in @gmail.com).
- From the left-navigation menu, go to Security > Security center > Investigation tool.
- Choose Chrome log events as the data source for your search.
- Click Add Condition, and choose a condition for your search.
- Click Search.
- From the search results at the bottom of the page, click one of the links in the Content hash column.
- From the side panel, click View VirusTotal Report.
The VirusTotal report includes multiple sections with details about potential security threats.
Standard and Enhanced versions of VirusTotal reports
The VirusTotal report has two versions: Standard and Enhanced. The Standard version is displayed for admins who have the Security Center > VirusTotal > View report privilege, and who have one of the required Google Workspace editions. The Enhanced version is automatically displayed for paid VirusTotal subscribers who have an active virustotal.com login session with their VT Enterprise user account.
For more information about VT Enterprise, and to request a trial, see the services overview on the VirusTotal website. To sign up for VT Enterprise, submit this form.
Features included in the Standard version
The Standard version of VirusTotal reports includes the following:
- Threat reputation—Maliciousness assessments coming from 70+ security vendors.
- Threat time spread—Key dates that enable you to understand when a given threat was first observed in-the-wild and how long it’s been active.
- File identification—Identifiers and characteristics allowing you to reference the threat and share it with other analysts (file hashes, file type, size, etc.).
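The three sections listed above, as they appear in a VirusTotal file report, as an added example that is not part of this page and not VirusTotal's or Google's own tooling. The procedure on this page opens the report from the Admin console; this Python block instead assumes you hold a VirusTotal API key and uses VirusTotal's public API v3 (GET /api/v3/files/{hash} with an x-apikey header) to fetch the same report by hash. It also makes the data-sharing point concrete: the attachment is hashed locally and only the SHA-256 digest is sent. The attribute names (last_analysis_stats, last_analysis_results, first_submission_date, last_analysis_date, sha256, sha1, md5, size, type_description, names) are VirusTotal's; the attachment bytes, the sample report and the detection threshold are constructed here so that the block runs offline.

```python
"""Added example: hash an attachment locally, look the hash up on VirusTotal, and
reduce the file report to the three Standard-report sections (threat reputation,
threat time spread, file identification). Endpoint and attribute names are
VirusTotal API v3; SAMPLE_ATTACHMENT, SAMPLE_REPORT and MALICIOUS_THRESHOLD are
constructed assumptions for offline use, not real data or a VirusTotal policy."""
import hashlib
import json
import urllib.request
from datetime import datetime, timezone
from typing import Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"
MALICIOUS_THRESHOLD = 3  # assumption: vendor detections at which we call a file "likely malicious"


def attachment_hash(data: bytes) -> str:
    """SHA-256 of the attachment bytes; this digest is the only thing ever submitted."""
    return hashlib.sha256(data).hexdigest()


def fetch_file_report(sha256: str, api_key: str) -> dict:
    """Look up an existing report by hash. Only the digest goes over the wire; an
    HTTP 404 means VirusTotal has never seen this file, which is itself a signal."""
    req = urllib.request.Request(
        VT_FILE_URL.format(sha256=sha256),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _utc_day(ts: Optional[int]) -> Optional[str]:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d") if ts else None


def summarize_report(report: dict, expected_sha256: Optional[str] = None) -> dict:
    """Reduce a v3 file object to the Standard-report sections. With expected_sha256
    set, a report for a different file is rejected so a stale or mis-pasted hash
    cannot drive a decision."""
    attrs = report["data"]["attributes"]
    if expected_sha256 and attrs.get("sha256") != expected_sha256:
        raise ValueError("report is for a different file than the one looked up")

    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    malicious, suspicious = stats.get("malicious", 0), stats.get("suspicious", 0)
    flagged_by = sorted(n for n, r in results.items()
                        if r.get("category") in ("malicious", "suspicious"))
    if malicious >= MALICIOUS_THRESHOLD:
        verdict = "likely malicious"
    elif malicious + suspicious > 0:
        verdict = "needs review"
    else:
        verdict = "no detections"

    first, last = attrs.get("first_submission_date"), attrs.get("last_analysis_date")
    return {
        "threat_reputation": {"verdict": verdict, "malicious": malicious,
                              "suspicious": suspicious, "engines": sum(stats.values()),
                              "flagged_by": flagged_by},
        "threat_time_spread": {"first_seen": _utc_day(first), "last_analysed": _utc_day(last),
                               "days_active": (last - first) // 86400 if first and last else None},
        "file_identification": {"sha256": attrs.get("sha256"), "sha1": attrs.get("sha1"),
                                "md5": attrs.get("md5"), "size": attrs.get("size"),
                                "type": attrs.get("type_description"),
                                "names": attrs.get("names", [])},
    }


# Constructed sample: harmless bytes and a hand-built report shaped like a v3 file object.
SAMPLE_ATTACHMENT = b"constructed sample attachment; harmless text, not malware\n"
SAMPLE_SHA256 = attachment_hash(SAMPLE_ATTACHMENT)
SAMPLE_REPORT = {"data": {"type": "file", "id": SAMPLE_SHA256, "attributes": {
    "sha256": SAMPLE_SHA256,
    "sha1": hashlib.sha1(SAMPLE_ATTACHMENT).hexdigest(),
    "md5": hashlib.md5(SAMPLE_ATTACHMENT).hexdigest(),
    "size": len(SAMPLE_ATTACHMENT),
    "type_description": "Text",
    "names": ["invoice.pdf.exe"],
    "first_submission_date": 1700000000,  # 2023-11-14 UTC
    "last_analysis_date": 1701000000,     # 2023-11-26 UTC
    "last_analysis_stats": {"malicious": 3, "suspicious": 1, "undetected": 1, "harmless": 0},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
        "EngineB": {"category": "malicious", "result": "Win32.Agent"},
        "EngineC": {"category": "suspicious", "result": "Heur.Packed"},
        "EngineD": {"category": "undetected", "result": None},
        "EngineE": {"category": "malicious", "result": "Trojan.Downloader"},
    },
}}}

if __name__ == "__main__":
    print(json.dumps(summarize_report(SAMPLE_REPORT, SAMPLE_SHA256), indent=2))
```

The hash check in summarize_report is deliberate: the report you act on must be for the hash you looked up, and a 404 from the files endpoint means VirusTotal has never seen the attachment, which for a file circulating in your organization is worth recording rather than treating as "clean".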
Features included in the Enhanced version
The Enhanced version of VirusTotal reports includes the same features provided in the Standard version plus the following:
- Multi-angular detection—Additional threat analysis coming from crowdsourced rule matches and community scoring (for example: YARA, Sigma, and IDS rules).
- Allowlist information—For Gmail log events, useful details to power false positive discarding (National Software Reference Library, Software Distributors, Microsoft Clean Metadata Feed, etc.).
- Related indicators of compromise (IOCs)—Examples of IOCs include a network infrastructure distributing a malware file, servers acting as a command-and-control for a given threat, first-stage delivery vectors for a file being studied, etc.
- Interactive threat graph—Graphical format that maps out entire threat campaigns by visualizing the relationships between IOCs.
- Security-relevant metadata—Includes software publisher information, identification of malicious macros in documents, Android application permissions, etc.
- In-the-wild details—Geographical and time-spread details for threats, common attacker deception techniques, and more, through VirusTotal submission metadata.
- Suspicious attribute pivoting—Clickable details in VirusTotal reports, allowing you to explore the global VirusTotal dataset for other threats that share the same properties.
Benefits and use cases for the Enhanced version
- Improved threat detection—Leverage crowdsourced rules to pinpoint and gain context on threats even when they aren’t yet widely known to security vendors.
- Expedited investigations and decision making—Increase your security team's efficiency by complementing internal-only sightings with crowdsourced context. Adversaries target other organizations too, and their footprints surface in VirusTotal, which helps complete the picture for your security team. With the Enhanced version of VirusTotal reports, discarding false positives and confirming and escalating true positives is significantly faster.
- Improved threat remediation—Use the interactive threat graph and related artifacts to identify IOCs tied to a pertinent alert, and use them to fully understand the impact of an attack on your organization by searching through your security telemetry. For example: What are all the domains delivering a hash contained in one of your alerts? Block each of them at the network perimeter, including those not yet seen in your environment.
- Proactive defense strategy—You can pivot into VT Enterprise and identify threat infrastructure that might not have surfaced in your logs. Or you can identify other malware operated by the same threat actor, and block it at your network perimeter and on endpoints before it impacts your organization. For example: given a command-and-control domain for one of the files you are studying, pivot to other domains registered by the same threat actor that may not have been used in a campaign yet, and preventatively block them in case they are eventually used against your company.
For more details about the VirusTotal report features, see the services overview on the VirusTotal website. See also How it works - VirusTotal, or contact us to learn more.
Sign up for a VT Enterprise account
As described above, VirusTotal reports can include additional threat intelligence services and advanced features with the Enhanced version of VirusTotal reports. For more details, and to sign up for VT Enterprise, reach out to the VirusTotal team.
Legal notice
VirusTotal is an Alphabet product that analyzes suspicious files, URLs, domains and IP addresses to detect malware and other types of threats, and automatically shares them with the security community.
To view VirusTotal reports, you’ll be submitting file attachment hashes, IP addresses, or domains to VirusTotal.
By using VirusTotal, you acknowledge that the VirusTotal Terms of Service and Privacy Policy apply to your submitted data and VirusTotal may share your data submission with the security community.
Common questions
Is there any additional cost for using the Standard version of VirusTotal reports?
No. The Standard version of VirusTotal reports is available to administrators who have the Security Center > VirusTotal > View report privilege.
If you want to enhance the experience and improve your decision making and investigative capabilities through advanced threat context and reputation, you need a paid VT Enterprise subscription.
If I already have a paid VirusTotal subscription, do I get the Enhanced version?
Yes. If you have a paid VirusTotal subscription, also known as VT Enterprise, you'll see enhanced results via the investigation tool without any impact on your VirusTotal quota. Quota is only used when opening virustotal.com pages.
For more information about VT Enterprise, and to request a trial, see the services overview on the VirusTotal website. To sign up for VT Enterprise, submit this form.
Can VT Enterprise be used for more than the investigation tool?
Yes. With VT Enterprise, you can implement other use cases particularly relevant for security operations centers, computer emergency response teams, incident response teams, and threat intelligence units:
- Automated security telemetry enrichment—This includes alert triage, false positive discarding, true positive confirmation, and confidence correlation.
- Incident response and forensic analysis—This includes security operations alert triage, incident analysis and context, artifact discovery, and IOC identification.
- Threat intelligence and advanced hunting—This includes unknown threat discovery, threat campaign monitoring, adversary tracking, preventative IOC identification, threat landscape exploration, and situational awareness.
- Anti-phishing, antifraud, brand, and corporate infrastructure monitoring—This includes phishing campaign tracking, banking trojan and info-stealer dissection, brand impersonation monitoring, malware distribution, and corporate infrastructure abuse identification.
- Red teaming and ethical hacking—This includes reconnaissance and passive fingerprinting, breach and attack simulation, and security stack validation.
- Vulnerability prioritization—This includes smart risk-driven patching strategies, in-the-wild vulnerability weaponization monitoring, and threat actor to vulnerability exploitation mapping.
For more details about how VT Enterprise can enhance your security operations, see the VirusTotal 360 overview. To learn more, contact our VirusTotal specialists.
Is any data shared with VirusTotal automatically?
No. All functionality is based on an admin choosing to view the VirusTotal report. Only after an admin performs this action is the file hash, domain, or IP address shared with VirusTotal to request the risk assessment report on the selected entity.
Does opening a VirusTotal report from the investigation tool use my VT Enterprise quota?
No. Opening VirusTotal reports via the investigation tool doesn't use any of your VT Enterprise quota. If an admin opens the VirusTotal website from the investigation tool to do more research, that counts towards standard quota usage in the same way as directly visiting virustotal.com.
Are the attachments themselves (file contents) sent to VirusTotal?
No. Only file hashes are sent to VirusTotal.