Apply the magic of YARA to VirusTotal's live flux of samples as well as back in time against historical data in order to track evolution of certain threat actors, malware families that interest you and automatically generate IoCs to protect your organisation.
Get notified whenever your YARA rules match, receive in-depth information for your matches and download the pertinent files for further offline study.
YARA rules uploaded to Malware Hunting are applied to all files sent to VirusTotal from all around the world, live. Whenever there is a rule match you get an immediate notification. Notifications can be viewed via the web interface, email alerts or retrieved through a REST API.
Build programmatic workloads that combine this capability with other VT Enterprise features such as sandboxing or static analysis in order to generate a feed of indicators of compromise to power-up your security defenses.
Create a YARA rule and apply it back in time to the existing dataset in order to discover early versions attacks that you might have recently discovered. Understand how an attacker has evolved over time.
Files matching your rules can be downloaded for further offline study, the entire process can be automated with a REST API.
A simple click transfers all retrohunt matches into VT GRAPH in order to visually lay out a threat campaign in a nodes graph, allowing you to understand commonalities and threat infrastructure.
Filter out the noise from VirusTotal's file uploads, focus on malware families that target you, download every new variant and pump them into your dedicated analysis infrastructure.
Condition terms can rely on hexadecimal strings, text strings or regular expressions.
String counting, string offsets or virtual addresses, match length, file size, executable entry point, data at a given position, iteration, etc.
Leverage te power of certain modules such as the PE or Cuckoo modules in order to combine file content specific rules with behavior or structural conditions.
Add conditions that are exclusive to the data generated by VirusTotal for a file, e.g. tags, antivirus detections, etc.
First seen and last seen dates, number of submissions, submission file names, submission countries, submission dates, ciphered submitter identifier, submission interface, number of distinct submitters, etc.
Sigcheck, packer information, PE structure, Exif attributes, ELF structure, package contents, OLE VBA Macro code stream, suspicious PDF properties, embedded file icons, etc.
Behavior characterization through sandbox execution for major operating systems: Windows, Android, OS X and Linux.
All reports on a given sample, not only the latest snapshot. Understand how threat detections evolve over time, discover the in-the-wild lifespan of malware.
Partner tools contribute rich end-user PC metadata to our dataset, e.g. Windows registry keys in which an executable is registered for autolaunch upon reboot, creation date on end-user machine, full name and path of the file.
Goodware index, VirusTotal Community voting, aggregation of publicly available goodware databases as well as legitimate software whitelisting details shared by top partners and ingested from VirusTotal Monitor.
Files submitted from 232 unique ISO country codes, which includes almost 3M distinct sources in the last year.
198,000 clusters generated per day during an average month. About 35% of all files with a feature hash are clustered in the top 200 collections.
Over 100 identified file types seen per day, on average. Examples: Win32 DLL, Win32, EXE, HTML, Java Bytecode, Android, PDF, Text, Mach-O, ZIP, PNG, XML, MS Word, JPEG, ELF, RAR, Office Open XML, C++, C, GZIP, JAR, DOS, EXE, MS Excel, MP3, Python, 7ZIP, Windows, GIF, Email
More than 400M files with origin information; more than 100M portable executables from distinct URLs; more than 200M files with rich telemetry data; more than 5M emails for rich contextual information.
Many files with strong signals to help security researches identify malware
Approximately 300k per day are distinct and detected by more than 5 URL scanners
Files included for download, with all raw data available. Feed includes rescans of files with updated information
With the data security, reliability and computation power of the Google infrastructure