VirusTotal
Scan suspicious files and URLs against 70+ antivirus engines before opening them.
What should journalists know about VirusTotal?
VirusTotal is the default tool for checking whether a file or URL is malicious. It scans against 70+ antivirus engines simultaneously — far better coverage than any single product. But the privacy trade-off is severe and poorly understood. Every file you upload to the free tier is stored permanently, shared with VirusTotal's antivirus partners, and made downloadable by any premium subscriber. That includes intelligence agencies, security firms, and potentially the very threat actors you're investigating — sophisticated adversary groups actively monitor VirusTotal for submissions of their tools to track who's analyzing them. In July 2023, a VirusTotal employee accidentally uploaded a CSV containing names and emails of 5,600 premium customers, including personnel from the FBI, NSA, US Cyber Command, and German federal police. The file was downloaded before removal. Google owns VirusTotal through its Google Cloud security division (formerly Chronicle). For journalists: use hash lookups and URL checks freely. Never upload a file a source sent you. If you must analyze a suspicious file, use the SHA-256 hash lookup first — it checks whether anyone else has already submitted the same file without exposing your copy.
Good for: Checking suspicious email attachments before opening. Verifying whether a URL is known-malicious. Looking up file hashes (SHA-256) without uploading the file itself. Validating threat intelligence claims before publishing.
Not for: Scanning confidential or sensitive documents — uploaded files are permanently stored and shared with 70+ vendors and premium subscribers. Replacing endpoint antivirus. Anything where you need to keep the file private. If you need private sandboxed analysis, look at ANY.RUN, Joe Sandbox, or Hybrid Analysis instead.
Security & Privacy
Privacy policy summary
Every file uploaded to VirusTotal is shared with antivirus vendor partners who are contractually bound to use samples for internal security purposes only. But premium subscribers can also download submitted files. URLs, file hashes, and scan metadata are logged. Submitted files cannot be reliably deleted — VirusTotal's own FAQ acknowledges removal requests but makes no guarantees. Private Scanning (enterprise paid tier) prevents third-party sharing, but only if the file hasn't also been uploaded through the standard service. Google's privacy policy applies to account data.
How to protect yourself:
Never upload confidential source documents. Use SHA-256 hash lookups instead — this checks whether the file is already in VirusTotal's database without exposing your copy. Check URLs by pasting the link, not by uploading page content. If you must analyze a sensitive file in a sandbox, use Private Scanning (paid) or a local sandbox tool like Cuckoo. Be aware that threat actors monitor VirusTotal submissions — uploading a file can tip off the sender that you're investigating it. Use a VPN and avoid scanning from identifiable accounts when checking files related to active investigations.
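The hash-first lookup described above, as an added example (not VirusTotal's or this site's code): it hashes the file locally and queries the VirusTotal API v3 file-report endpoint by digest, so no file content is transmitted. The `VT_API_KEY` environment variable name and the function names are assumptions of this example.

```python
import hashlib, json, os, sys
import urllib.error, urllib.request

# VirusTotal API v3 file-report endpoint; the path segment is the file's hash.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"

def sha256_of(path, chunk=1 << 20):
    """Hash the file locally in chunks; the bytes never leave this machine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_lookup(digest, api_key):
    """Build a body-less GET that carries only the digest and the API key."""
    if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
        raise ValueError("expected a lowercase SHA-256 hex digest")
    return urllib.request.Request(
        VT_FILE_URL.format(digest), headers={"x-apikey": api_key}, method="GET")

def summarize(status, body):
    """404 = nobody has submitted this file yet, which is not a clean verdict."""
    if status == 404:
        return {"known": False}
    stats = json.loads(body)["data"]["attributes"]["last_analysis_stats"]
    return {"known": True,
            "malicious": stats.get("malicious", 0),
            "suspicious": stats.get("suspicious", 0),
            "engines": sum(stats.values())}

def lookup(path, api_key):
    """Hash, query, summarize. The digest itself is still logged by VirusTotal."""
    req = build_lookup(sha256_of(path), api_key)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return summarize(404, b"")
        raise  # 401 bad key, 429 rate limit (free tier: 4 requests/minute)

if __name__ == "__main__":
    # VT_API_KEY is an assumed environment variable name for this example.
    print(lookup(sys.argv[1], os.environ["VT_API_KEY"]))
```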
Strong scanning coverage across 70+ engines — best-in-class for multi-engine file and URL analysis. The privacy model is the weak point: free-tier uploads are permanently stored and shared with vendors and premium subscribers. The 2023 customer data leak demonstrated operational security gaps. Google ownership provides infrastructure reliability but means Google's data practices apply to account data. Rating stays 'adequate' because the tool works exactly as designed — the risk is users not understanding what 'upload' means here.
Who Owns This
Known issues
July 2023 data leak: A VirusTotal employee accidentally uploaded a CSV file containing names and email addresses of 5,600 premium customers to the platform itself. Exposed organizations included the FBI, NSA, US Cyber Command, US Department of Justice, German federal police, and intelligence agencies from the Netherlands, Taiwan, and the UK. The file was live for about an hour and was downloaded before removal. VirusTotal attributed it to human error and implemented new internal controls. Separately: uploaded files are permanently stored and accessible to premium subscribers, creating a persistent risk that sensitive documents submitted by mistake cannot be fully retracted. Adversary groups are known to monitor VirusTotal for submissions of their custom malware, using these uploads as intelligence about which organizations are investigating them.
Pricing
Free for individual scans (web interface, 500 API requests/day at 4/minute). VirusTotal Premium starts around $20,000-$50,000/year depending on API volume and seats. Enterprise tiers with Private Scanning run into six figures.
This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.