How to use VirusTotal Community


Fighting malware requires close collaboration. The overwhelming malware production rate, the growing problem of false positives and the everlasting threat of false negatives cannot be counteracted without the determined engagement of all actors involved in end-user system security.
Keeping this in mind, we have created VirusTotal Community, a space where the antivirus industry and malware researchers can meet end-users in an effort to make the Internet a safer place. VirusTotal Community allows you to rate and place comments on files and web sites. Comments can be of any nature: disinfection instructions, in-the-wild locations, reverse engineering reports, etc.
Signing up to VT Community also entitles you to a VirusTotal public API key which enables you to write simple scripts to automate VirusTotal scans and file/URL report searches.

Contents

Audience
Getting started
Build your profile
Network of trust
Interact with other users
Review files and URLs
Address your comments
Tag your comments
Vote other's comments
Flag files and URLs as malicious or harmless
Visit your profile regularly
Retrieve your API key
Build VirusTotal Community reputation

Audience

This document is intended for anyone that wants to make use of VirusTotal Community. In other words, it is intended for any user that is willing to provide further information on files and URLs, or that wants to retrieve an API key to automate the interaction with VirusTotal.
No particular technical knowledge is required to understand the document.

Getting started

Becoming part of VirusTotal Community is very simple: click on the Join our community link at the top right hand corner of any VirusTotal page and a small registration form will open up.
Join VirusTotal Community button
You will need to provide at least a username that will identify you in the community, a valid email address and a password. Once you have completed the registration form, an email with an activation link will be sent to your email address. After following the activation link you will be able to sign in and start interacting with other users.

Build your profile

The goal of the registration process is simplicity. In order to build your profile further, click on the Settings option of the top right hand corner drop down menu after having signed in.
VirusTotal Community Settings
You can customize your picture, tell others who you really are, set your status phrase, and much more...

Network of trust

VirusTotal Community is based on reputation, and there are two ways of increasing your reputation credits. The first one is to build a network of trust. When you visit another user's profile after having signed in you will see an interaction menu:
VirusTotal Community Trust User
You can trust the visited user. Trusting someone adds 10% of your reputation credits to his account (without subtracting them from yours). There is no way to request trust other than telling another user (via private message) to trust you. Ideally, trust will be given based on the activity generated by a given user in the community; hence, there will be no need to ask for trust. If you ever come across a file/URL review that you like, visit the user's profile, look at the rest of the comments that he has made and trust him if you believe he is doing a good job.
Users that trust you and users that you trust will be added to the corresponding section of your personal profile. Having a well-known community user in this list can act as a reputation booster regardless of your amount of credits.
VirusTotal Community Trusted Users Dialog

Interact with other users

VirusTotal Community members can exchange private messages. Private messages are an ideal way to discuss confidential or sensitive information, for example, requesting someone's email address for further discussion. To send a message to a given user just visit his profile and click on the corresponding button at the top right hand side:
VirusTotal Community Send Private Message

Review files and URLs

At the bottom of each URL or file scan report there is a section devoted to comments. We strongly encourage users to review the samples or URLs they submit, as this can be very useful information for other users.
VirusTotal Community Make Comment
For example, let us assume we are software developers. We have uploaded one of our programs to VirusTotal so as to verify whether any antivirus solution incorrectly detects it. Indeed, one of the engines flags our program as a virus, so it is time to comment on the file and tell other users that this is a false positive. Of course, we will not forget to provide evidence to defend our claim; this could be done by specifying our product's site and describing the program itself.
Note that comments are not report specific, they are file/URL specific. In other words, your comments will not be tied to a given moment in time: future submissions of the same file or URL will show your reviews.
Some ideas for the subject of your reviews:
  • Description of the propagation/dissemination strategy of a given malware. You may want to include any links that download the sample. Even though comments do not allow active links, please replace the http prefix with hxxp when referring to malicious content.
  • Disinfection procedure to remove the malware sample (or even better, the family to which it belongs) from your system.
  • Reverse engineering reports of malware samples.
  • False positive notifications.
There are obviously many other subjects for your reviews; as long as it is helpful for someone it will always be an interesting post.

Address your comments

If you are answering another VirusTotal Community member's file or URL comment, do not forget to address your answer to him. You can do this by using the @user_nick syntax:
@EmilianoMartinez
All addressed comments will appear in the mentions section of the recipient's profile.
VirusTotal Community Mentions

Tag your comments

File and URL comments allow custom tags. In order to create a custom tag you just have to precede the tag word with a "#" symbol inside the comment (Twitter-like syntax):
These are the instructions to remove this family of
malware from your computer, I hope you find them useful...

[... Instructions ...]

#disinfection #zbot
These are some of the tags that you may want to use so as to create a standard community syntax:
  • #malware: malicious file.
  • #goodware: harmless file.
  • #grayware: files that behave in a manner that is annoying or undesirable, and yet less serious or troublesome than malware.
  • #spam-link: file located at a spammed link or URL travelling as a link in a spam message.
  • #spam-attachment: file travelling as an attachment in some spam mail.
  • #p2p-download: malware sample downloaded from a P2P network.
  • #im-propagating: malware sample propagating via instant messaging
  • #network-worm: worm that propagates through a network making use of some vulnerability exploit (e.g. MS04-011 used by the Sasser worm), network shares, or similar.
  • #drive-by-download: Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet). Any download that happens without a person's knowledge. Download of spyware, a computer virus or any kind of malware that happens without a person's knowledge.
  • #disinfection: Instructions to disinfect a computer from the given malware whose report is being rendered.
  • #malicious: intended for URL comments, states that the URL is malicious.
  • #benign: intended for URL comments, states that the URL is harmless.
  • #phishing-site: intended for URL comments, states that the site whose report is being rendered is part of a phishing scam.
  • #browser-exploit: intended for URL comments, states that the site whose report is being rendered exploits browsers so as to install malware without the victim's knowledge.
Users can then search through the comments for specific tags using VirusTotal's search engine.
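
A helper for drafting a comment under the conventions described above (hxxp links, @user_nick mentions, # tags). It is an added example, not VirusTotal's code; the function names, the lower-casing of tags and the sample comment are assumptions made for illustration.

```python
import re

# Tags suggested on this page as the community's standard vocabulary.
STANDARD_TAGS = {
    "malware", "goodware", "grayware", "spam-link", "spam-attachment",
    "p2p-download", "im-propagating", "network-worm", "drive-by-download",
    "disinfection", "malicious", "benign", "phishing-site", "browser-exploit",
}

# A tag is "#" + word, a mention is "@" + nick; neither may start mid-word,
# so "user@example.com" or "page#anchor" are not picked up.
TAG_RE = re.compile(r"(?<![\w#])#([A-Za-z0-9][\w-]*)")
MENTION_RE = re.compile(r"(?<![\w@])@(\w+)")
SCHEME_RE = re.compile(r"\bhttp(s?)://", re.IGNORECASE)


def defang(text):
    """Replace the http/https prefix with hxxp/hxxps so links are not live."""
    return SCHEME_RE.sub(lambda m: "hxxp" + m.group(1).lower() + "://", text)


def prepare_comment(text):
    """Defang links, then report the mentions and tags the comment carries."""
    safe = defang(text)
    # Lower-casing tags is an assumption of this example, not a stated rule.
    tags = [t.lower() for t in TAG_RE.findall(safe)]
    return {
        "text": safe,
        "mentions": MENTION_RE.findall(safe),
        "tags": tags,
        # Custom tags are allowed; listing them just helps catch typos.
        "nonstandard_tags": [t for t in tags if t not in STANDARD_TAGS],
    }


# Constructed sample comment (the host is a reserved example domain).
SAMPLE = (
    "@EmilianoMartinez the sample was served from "
    "HTTP://malware.example/dl/setup.exe and mailed to user@example.com.\n"
    "#spam-link #zbot #Disinfection"
)

if __name__ == "__main__":
    for key, value in prepare_comment(SAMPLE).items():
        print(f"{key}: {value}")
```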

Vote other's comments

Below file or URL comments there is always a voting menu where you can tell us and other users whether you found the specific comment useful or not.
VirusTotal Community Vote Comment As Useful
Useful comments will help other users to identify interesting reviews. Useful comments will also add reputation credits (10 points) to their authors. On the other hand, comments considered as not useful will subtract reputation credits from a given user (10 points), and they will help to identify misleading reviews.

Flag files and URLs as malicious or harmless

A false positive is when antivirus software identifies a non-malicious file as malware. A false negative is when antivirus software fails to detect a malicious file. False positives and false negatives are the main problem of today's antivirus and we believe that the way to counteract them is via file reputation systems.
VirusTotal has developed its own file reputation system. Whenever you send a file or URL you will see a Google-O-Meter chart at the top right hand side of the report. This chart records the reputation of the file or URL whose report is being rendered and ranges from -100 (fully malicious reputation) to 100 (fully harmless reputation).
The file or URL reputation is built (among other factors) with the VirusTotal Community user votes, recorded by clicking on either the thumb-down (malicious) or thumb-up (harmless) icon below the reputation chart.
VirusTotal Community flag files and URLs
Therefore, even though user votes are not the only factor building the reputation index, we do strongly encourage users to vote files and URLs as malicious or harmless if they are absolutely certain about their nature. By doing this, VirusTotal Community members will be helping the antivirus industry in their endless battle against false positives and false negatives.

Visit your profile regularly

Your profile shows the comments in which you have been referenced (mentions), your private messages, any trusts you receive and your public API key. Do not forget to visit it regularly.
VirusTotal Community Visit Your Profile

Retrieve your API key

Becoming a VirusTotal Community member gives you the right to a public API key. This key can be used to automate file and URL scans, as well as comment posting. Your public API key can be retrieved through the corresponding tab in your profile once you have signed in:
VirusTotal Community Public API Key
You may read more about how to use this key by referring to the public API documentation.

Build VirusTotal Community reputation

Many users ask how they can obtain VirusTotal Community reputation credits. Currently, there are two ways to build reputation:
  • Be trusted: whenever another VirusTotal Community member trusts you, 10% of his reputation credits are added to your account (without subtracting them from his). At the same time, if anyone removes his trust in you, 10% of his credits are subtracted from your account. Very often, users will trust you if they come across your file and URL reviews and they consider them useful.
  • Receive usefulness votes for your comments: whenever a user votes one of your file or URL comments as useful you receive 10 reputation credits. On the other hand, if one of your comments is voted as not useful you lose 10 reputation credits. Hence, once again, the best way to build up reputation is to make interesting file and URL reviews.
In the future we might introduce other factors for building up reputation. We are always open to suggestions, so do not hesitate to contact us if you have a good idea for earning reputation credits.


Reviewed by Ossama Hashim on January 31, 2013
