VirusTotal is one of the fastest ways to inspect files, URLs, IP addresses, and domains for security signals.
This guide explains how to check results in VirusTotal and, more importantly, how to read the report without overreacting to every detection.
The interface is easy to use, but the real value comes from understanding what the scan data means, which signals matter most, and when a result deserves deeper investigation.
What VirusTotal does
VirusTotal is a threat intelligence and analysis platform owned by Google that aggregates detection results from dozens of antivirus engines, URL scanners, sandbox tools, and reputation sources.
It does not “decide” whether something is malicious in the same way a human analyst would; instead, it surfaces signals that help you make that judgment.
You can use VirusTotal to analyze:
- Files such as documents, executables, and archives
- URLs and web pages
- Domains and subdomains
- IP addresses
- Hashes, including SHA-256, MD5, and SHA-1
This makes it useful for incident response, malware triage, phishing checks, and general reputation research.
How to check results in VirusTotal
To check results in VirusTotal, visit VirusTotal and upload a file, paste a URL, or search for a hash, domain, or IP address.
After submission, VirusTotal generates a report that summarizes detections, relationships, metadata, and historical context.
- Open the VirusTotal website.
- Choose the type of item you want to inspect: file, URL, domain, IP, or hash.
- Submit the sample or paste the identifier.
- Wait for the analysis page to load.
- Review the detection summary, vendor names, community signals, and additional tabs.
If you are checking a file, VirusTotal may show the analysis immediately if it has seen the sample before.
If the file is new, it may start a fresh analysis using available engines and behavioral tools.
How to interpret the detection ratio
The most visible part of a VirusTotal report is the detection ratio, such as 3/72 or 18/95.
This shows how many engines flagged the sample out of the total number scanned.
That ratio is useful, but it should never be read in isolation.
A low number of detections may still be meaningful if the engines are reputable and the detections use consistent malware family labels.
A high number of detections is more concerning, especially if the file also shows suspicious behavior or malicious relationships.
When reading the ratio, consider the following:
- Which engines detected it
- Whether detections cluster around known vendors with strong reputations
- Whether the names point to the same malware family
- Whether the file has additional suspicious metadata or behavior
A single generic warning from one engine is often less persuasive than multiple aligned detections from well-known vendors such as Microsoft, Kaspersky, Bitdefender, ESET, or Sophos.
What the summary section tells you
The summary area usually gives a quick overview of the object being analyzed.
For a file, you may see the filename, size, file type, hash values, first submission date, and last analysis date.
For a URL or domain, you may see registrar information, redirects, resolved IPs, and hosting details.
These fields help you answer basic questions:
- Is this a known sample or a newly observed one?
- Does the file type match the file name?
- Has the sample been uploaded before?
- Does the domain appear recently registered or suspiciously aged?
Hash values are especially important because they let you search for an exact binary or compare a sample with known threats in other tools and threat feeds.
How to read vendor detections
Each detection line usually includes the antivirus vendor and the name it assigned.
These labels can vary widely.
One engine may call a sample Trojan.Generic, while another names the same file after a malware family or behavior pattern.
Focus on patterns rather than isolated names.
If several vendors identify a file as a downloader, backdoor, or banking trojan, the result deserves more attention than a lone heuristic hit.
If the alerts are inconsistent, vague, or centered on a single low-reputation engine, the sample may be a false positive or a low-confidence detection.
Helpful questions to ask:
- Are the detections consistent across multiple engines?
- Do the labels indicate known malware behavior?
- Are the engines well established and widely trusted?
- Does the sample show signs of packing, obfuscation, or exploitation?
What the Behavior tab reveals
When available, the Behavior tab is one of the most valuable parts of a VirusTotal report.
It may show sandbox execution results such as dropped files, registry changes, network connections, spawned processes, and mutex creation.
These behavioral indicators matter because malware often hides its intent from static scanning.
A file that looks harmless at first glance may still attempt persistence, inject into another process, contact a command-and-control server, or modify security settings.
Look for signs such as:
- Suspicious child processes
- Encoded or encrypted network traffic
- Persistence through scheduled tasks or registry run keys
- File drops in temporary or system directories
- Connections to known malicious infrastructure
If behavior data is present and clearly malicious, it can outweigh a modest or ambiguous detection ratio.
How to use the Relations and Graph views
VirusTotal often includes relationship data that connects a file, URL, domain, or IP to other artifacts.
This can show which domains a file communicates with, what files are associated with a given domain, or what URLs are embedded in a document.
The graph or relations view helps you move from a single sample to a broader threat picture.
That is useful for investigating phishing campaigns, malware loaders, and infrastructure reuse.
Pay attention to:
- Shared hashes and repeated filenames
- Infrastructure connected to other suspicious samples
- Redirect chains leading to malicious content
- Domains that host multiple related payloads
These links often reveal whether an object is part of a larger campaign rather than an isolated event.
How to tell if a result may be a false positive
False positives are common in security scanning, especially for compressed files, administrative tools, scripts, and software bundlers.
A result may be suspicious without being truly malicious.
Signs that a detection may be a false positive include:
- Only one or two engines detect the file
- Detection names are generic or heuristic-based
- The file is a well-known legitimate tool
- There is no suspicious behavior or network activity
- The file comes from a trusted publisher and matches expected hashes
At the same time, do not dismiss an alert too quickly.
Attackers often abuse legitimate-looking tools, scripts, and signed binaries to reduce suspicion.
How to check file reputation safely
If you are checking a file in VirusTotal, use the report to assess reputation, not just detection.
Reputation combines detection data, community observations, prevalence, and historical activity.
A sample that is rare, newly uploaded, and linked to suspicious network activity is more concerning than a widely used application with one generic alert.
For better judgment, compare the file against:
- Known-good hashes from the vendor or publisher
- Digital signatures and certificate details
- File path and expected software location
- Community comments and threat intelligence notes
Be cautious with files that are unsigned, recently created, heavily obfuscated, or distributed from untrusted sources.
How to check URLs, domains, and IP results?
VirusTotal is not limited to files.
URL, domain, and IP reports are especially useful in phishing and infrastructure analysis.
URL reports may show redirects, page screenshots, and linked content.
Domain and IP reports may show passive DNS data, hosting history, certificate information, and associated malware.
When reviewing these records, check whether the domain is newly registered, has been used in spam or phishing, or resolves to infrastructure already associated with malicious campaigns.
If the URL is part of a redirect chain, inspect each hop, because the final destination may be hidden behind several benign-looking steps.
Best practices for accurate interpretation
To get the most value from VirusTotal, use it as part of a broader workflow rather than a standalone verdict engine.
Combine its results with endpoint logs, malware sandboxes, certificate checks, WHOIS data, and vendor intelligence.
- Look beyond the detection ratio and review the full report
- Check whether detections are consistent across reputable vendors
- Review behavior, relations, and metadata
- Compare hashes and digital signatures against trusted sources
- Treat low-confidence heuristics carefully
- Escalate samples with suspicious network activity or persistence behavior
Used this way, VirusTotal becomes a practical triage tool for analysts, IT teams, and security-conscious users who need fast answers backed by context.
Knowing how to check results in VirusTotal is less about spotting a red warning and more about understanding what the report is telling you.
The strongest assessments come from combining detections, behavior, and relationships into a clear security judgment.