Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Can VirusTotal detect runtime malware?

  • Please log in to reply
2 replies to this topic

#1 Fred9e


  • Members
  • 2 posts
  • Local time:10:23 AM

Posted 11 November 2016 - 02:27 PM

Some malware can bypass antivirus scan, encrypt itself when run then decrypt in memory. Can VirusTotal catch this? You see people telling you there's no need for an antivirus if you scan everything on VirusTotal, what if the malware can bypass VirusTotal scan but not the runtime?

BC AdBot (Login to Remove)


#2 Struppigel


    Karsten Hahn, G DATA Malware Analyst

  • Malware Response Team
  • 231 posts
  • Gender:Male
  • Local time:11:23 PM

Posted 11 November 2016 - 04:28 PM

Yes and no.


VirusTotal uses the scanning engines of several antivirus products. The scanning engine is the heart of an AV product, but there is much more than that to secure a system.

Good AVs take care that your system is up-to-date, monitor your system, e.g., for odd behaviour of programmes and block them if necessary, change settings to more secure ones, monitor browsers for injections and exploits, prevent autoexecution of removable media, etc. None of this can be done using VirusTotal.


Most malware nowadays is packed and decrypts only in memory. The scanning engines can detect those files, they have generic unpacking techniques, specific unpackers, emulation as well as the possibility to detect the stub of the packer. It is an arms race in who has the most advanced techniques to either detect or evade detection.


So the answer is, yes the engines on VirusTotal can detect packed malware, but not always, and Antivirus products do much better if not only the engine is used but the whole product.

Edited by Struppigel, 11 November 2016 - 04:30 PM.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,075 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:23 PM

Posted 11 November 2016 - 04:35 PM

Here is some information about VirusTotal and what it does and does not do.

At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:

  • VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
  • In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
  • Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/agressiveness level than the official end-user default configuration.
VirusTotal FAQs

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners...VirusTotal...a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect...Very often antivirus solutions and URL scanners will produce false positives...VirusTotal simply acts as an information aggregator and cannot and will not be held responsible for these false positives. VirusTotal will not whitelist any files or URLs and will not remove any detections resulting from the normal operation of the products it makes use off. False positives should be dealt with the developer/company that offers the product generating the erroneous detection...VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions...

About VirusTotal
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users