VirusTotal is a valuable resource for checking the verdict on file samples and URLs. The service offers a lot, but it should never be the sole trusted source when conducting analysis, especially during a live incident response operation:

For example, a defender is forwarded a phishing email with a link to investigate. The defender creates the tracking ticket and starts working through the "analysis checklist"; they just want to get through the investigation and close the ticket. They may not even think to look at the other things surrounding the email: what the content is, where it came from, what the headers say, and any other indicators. The decision to continue or close the investigation now hinges entirely on the result of a scan by the 70-plus AV engines on VirusTotal. Most likely the results come back with every engine reporting the link as clean (not a single flag). The defender quickly marks everything as clear and closes the ticket. In many cases this is a quick solution and not a bad starting point, but it produces many false negatives: a freshly registered phishing domain, or a link nobody has submitted before, shows zero detections because no engine has seen it yet, not because it is safe.

Any cyber security analyst worth their salt knows to cross-reference across multiple tools. VirusTotal is merely one of many useful tools for determining whether a file or URL is malicious, but it is not a one-stop shop to be trusted unequivocally. Any incident response playbook that leverages free services like VT should include multiple tools, whether on-site or cloud-based, for analysis.

The same can be said for Hybrid-Analysis. It is a wonderful tool and is usually very capable of determining whether or not a sample is malicious. It is not infallible, though, and like any single service, free or otherwise, it should be used in conjunction with others. Based on an aggregate score across multiple tools, and the context around the threat, defenders and analysts can take appropriate action.
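As an added example that is not part of the original post, the following Python script shows what "aggregate score plus context" looks like in practice. It parses a constructed phishing email for header and link red flags (SPF/DKIM/DMARC results, a Reply-To domain that differs from From, link text that does not match the link target), combines them with scanner verdicts collected from several sources, and refuses to close the ticket on a clean multi-engine verdict alone. The sample email, the verdict table, the source names and the decision rules are all assumptions made for this example; no real service is queried.

```python
"""Added example: triage that does not stop at a single clean scanner verdict.

The email, the verdicts and the decision rules below are constructed for
illustration and are not the original post's or any vendor's code.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a credential-phishing email whose link no scanner has
# flagged yet. Reserved example domains are used throughout.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: recovery@example.net
To: analyst@example.com
Subject: Action required: password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail
Content-Type: text/html; charset=utf-8

<p>Your password expires today. Reset it at
<a href="https://login.example.net/reset">https://login.example.com/reset</a></p>
"""

# Constructed verdicts, in the shape a playbook might collect them from several
# tools: how many engines flagged the link out of how many consulted.
SAMPLE_VERDICTS = {
    "virustotal": {"flagged": 0, "total": 72},
    "hybrid_analysis": {"flagged": 0, "total": 1},
    "internal_sandbox": {"flagged": 0, "total": 1},
}


def extract_context_flags(raw_email: str) -> list[str]:
    """Return human-readable red flags derived from the email itself."""
    msg = message_from_string(raw_email)
    flags = []

    # Reply-To pointing at a different domain than From is a classic tell.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_to and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Anything other than "pass" for SPF, DKIM or DMARC deserves a look.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            flags.append(f"{mech} result is {m.group(1)}")

    # Link text that shows one host while the href goes to another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and text_host != href_host:
            flags.append(f"link text shows {text_host} but points to {href_host}")
    return flags


def triage(verdicts: dict, context_flags: list[str]) -> tuple[str, list[str]]:
    """Combine scanner verdicts with context into a decision and its reasons.

    Rules (assumed for this example; tune to your own playbook):
    - any source flags the sample            -> "escalate"
    - nothing flagged but context red flags  -> "investigate" (do not close)
    - nothing flagged and no red flags       -> "close"
    """
    flagged_sources = [s for s, v in verdicts.items() if v["flagged"] > 0]
    if flagged_sources:
        return "escalate", ["flagged by: " + ", ".join(flagged_sources)] + context_flags
    reasons = [f"no scanner flagged the sample across {len(verdicts)} sources"]
    if context_flags:
        return "investigate", reasons + context_flags
    return "close", reasons


def triage_email(raw_email: str, verdicts: dict) -> tuple[str, list[str]]:
    """Run context extraction and verdict aggregation for one email."""
    return triage(verdicts, extract_context_flags(raw_email))


if __name__ == "__main__":
    decision, reasons = triage_email(SAMPLE_EMAIL, SAMPLE_VERDICTS)
    print(decision)
    for reason in reasons:
        print(" -", reason)
```

With the constructed input every scanner source reports the link clean, yet the email fails SPF and DMARC, has no DKIM signature, replies go to a different domain, and the visible link text does not match its target, so the script returns "investigate" rather than "close". Swap in your own sources and header checks; the point is that the decision is a function of all of them, not of one scanner's detection count.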
