How to Scan a File with VirusTotal
VirusTotal is one of the most widely used malware analysis services for checking suspicious files, URLs, domains, and hashes against dozens of security engines.
If you want to know how to scan a file with VirusTotal, the process is straightforward, but understanding the results is what helps you make safer decisions.
This guide explains how to upload a file, review detections, and interpret the signals that matter most, including file hashes, sandbox behavior, and vendor verdicts.
What VirusTotal does
VirusTotal aggregates analysis from multiple antivirus and security vendors, plus additional reputation and behavior signals.
Instead of relying on a single scanner, you get a broader view of whether a file appears malicious, suspicious, or likely clean.
It is especially useful for:
- Checking unknown downloads before opening them
- Verifying email attachments
- Inspecting scripts, installers, and documents
- Looking up hashes from security alerts
- Comparing detections across vendors
How to scan a file with VirusTotal
To scan a file, go to the VirusTotal website and use the file upload area on the homepage.
The service will calculate a hash, compare the file against its database, and run it through participating engines and analysis systems.
Step 1: Open VirusTotal
Visit VirusTotal in your browser.
You do not need to install software for basic scanning, and the web interface is designed for quick lookups.
Step 2: Upload the file
Click the file upload option and select the file you want to check.
Common file types include EXE, DLL, DOCX, PDF, ZIP, APK, JS, and other documents or archives that may contain threats.
When the upload begins, VirusTotal may display the file name, size, and hash values such as MD5, SHA-1, and SHA-256.
The SHA-256 hash is the most useful identifier for matching a file exactly.
Step 3: Wait for analysis
VirusTotal may return results almost instantly if the file has been analyzed before.
If the file is new, it may take longer while the service processes it and gathers detection data from security engines and behavioral systems.
Step 4: Review the detection summary
The summary page typically shows how many engines flagged the file and how many considered it clean.
A small number of detections does not always mean the file is malicious, but it is a strong signal to investigate further.
How to interpret VirusTotal results
Reading the results correctly is just as important as uploading the file.
A detection name from one vendor may reflect generic heuristics, while multiple consistent detections from well-known vendors usually deserve more attention.
Pay attention to detection ratio
A result like 1/70 or 2/70 may indicate a false positive, especially for uncommon software or packed installers.
A result like 25/70 is a much stronger indicator of malicious content.
The ratio alone is not proof, but it helps you gauge risk quickly.
Check which vendors flagged it
Some security vendors have strong reputations for malware research and broad telemetry.
Look for agreement across multiple engines rather than relying on one alert.
If only one obscure engine detects malware while major vendors do not, the file may be benign or simply unusual.
Review file metadata and behavior
VirusTotal often shows metadata such as timestamps, signatures, dropped files, contacted domains, and embedded strings.
These details can reveal whether a file tries to persist on a system, reach external servers, or unpack additional payloads.
Look at relationships and associations
Files may be linked to domains, IP addresses, URLs, or other samples.
This is helpful in threat hunting because a single suspicious file often connects to a larger campaign or malware family.
What file types can you scan?
VirusTotal supports many file formats, but what you can upload may depend on file size limits and service rules.
Typical examples include:
- Windows executables and libraries
- Office documents and PDFs
- Scripts such as JavaScript or PowerShell-related files
- Mobile app packages like APKs
- Archives such as ZIP, RAR, and 7z
- Shortcuts, installers, and compressed payloads
If a file is inside an archive, the archive contents may be analyzed depending on the structure and service policies.
Password-protected archives are often a special case because the scanner cannot inspect encrypted contents without the password.
Best practices before uploading a file
Before you scan a file with VirusTotal, consider whether the file contains sensitive data.
VirusTotal is a public platform, and uploaded files can be accessible to the security community unless handled through private or enterprise options.
- Do not upload confidential internal documents without approval
- Remove personal data if possible
- Use hashes when only identification is needed
- Prefer private scanning options for sensitive investigations
If your goal is to identify a known sample, searching by SHA-256 hash can be safer than uploading the file again.
This is common in incident response workflows and security operations centers.
Using hashes instead of uploading a file
VirusTotal allows you to search by hash, which is often the fastest way to check whether a file has already been analyzed.
This is useful when a file is too large, unavailable, or sensitive.
To use this method, copy the SHA-256 hash from the file and enter it into VirusTotal’s search field.
If a result exists, you can review historical detections, behavior reports, and related artifacts without uploading the sample again.
Common mistakes when using VirusTotal
Many users misread the platform by treating any detection as definitive proof of malware.
In practice, analysis requires context, especially when software is new, packed, or digitally signed.
- Assuming one detection equals malware
- Ignoring the reputation of the detecting vendor
- Overlooking file signatures and metadata
- Uploading sensitive material without checking privacy implications
- Not comparing the hash against known-good sources
When to escalate the result
If a file has multiple detections, suspicious behavior, unusual network connections, or links to known malware infrastructure, it should be escalated for deeper analysis.
Security teams often combine VirusTotal findings with endpoint logs, sandbox tools, EDR alerts, and threat intelligence.
Escalation is also appropriate when a file is unsigned, recently created, heavily obfuscated, or part of a phishing campaign.
In these cases, the VirusTotal report becomes one input among several, not the final decision.
VirusTotal in a security workflow
In real-world security operations, VirusTotal fits into a broader triage process.
Analysts may start with an email attachment, extract the hash, check the detection history, inspect behavior, and then correlate the sample with endpoint telemetry or network indicators.
This workflow helps teams separate benign software from genuinely dangerous malware such as trojans, ransomware loaders, stealers, and droppers.
It also speeds up incident response when the same artifact appears across multiple alerts or user reports.
How to make the most of VirusTotal scans
Use VirusTotal as a fast, high-signal triage tool rather than a standalone verdict engine.
The best results come from combining detection counts, vendor reputation, behavioral indicators, and file context.
- Scan by hash when possible
- Upload cautiously and avoid sensitive files
- Compare multiple vendor detections
- Review metadata, behavior, and related indicators
- Escalate suspicious findings for deeper analysis
For anyone learning how to scan a file with VirusTotal, the key is not just clicking upload.
It is understanding what the platform reveals, what it cannot prove, and how to use its results to make faster and safer decisions.