To view VirusTotal reports from the alert center, a Super Administrator needs to assign you the Alert Center > Full access > View VirusTotal Reports privilege. Administrators must also have one of the following Google Workspace editions: Business Plus, Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus.
VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats. VirusTotal reports provide many crowdsourced details on why a domain, file attachment, or IP address might be considered risky. (For more details, see the VirusTotal website.)
You can directly access VirusTotal reports from the alert details page in the alert center. This enables you to gain threat context and reputation data relevant to a specific alert. For example, a VirusTotal report might show you that multiple security vendors have flagged a specific domain as malicious.
- VirusTotal is not used to produce security alerts, nor is it used to detect malware or other security threats. VirusTotal expands on alert details by providing further security insights, and by assisting you in decision making as you address security concerns.
- Data (domains, IP addresses, or file attachment hashes) is only shared to VirusTotal after your admin selects to view the VirusTotal report. No data is otherwise shared.
- VirusTotal data is shared with the broader security community. This enables security vendors to collaborate with each other, share important details, and take action to fight security threats.
- You can also view VirusTotal reports from the security investigation tool to gain additional security insights related to email attachments. For details, see View VirusTotal reports from the investigation tool.
View VirusTotal reports
To view VirusTotal reports from the alert details page:
In the Admin console, go to Menu SecurityAlert center.
- To view more details, click a specific alert to open the alert details page.
- In the Key details or messages section, click View VirusTotal Report.
This option is available for alerts that contain domains (typically part of the actor’s email address, IP addresses, or file attachment hashes).
The VirusTotal report includes multiple sections with details about potential security threats. For example, you can view a list of security vendors that have flagged a file as malicious, and also view file scanning results for each of these vendors.
Standard and Enhanced versions of VirusTotal reports
The VirusTotal report has two versions: Standard and Enhanced. The Standard version is displayed for admins who have the alert center privilege, and who have one of the required Google Workspace editions. The Enhanced version is automatically displayed for paid VirusTotal subscribers who have an active virustotal.com login session with their VT Enterprise user account.Features included in the Standard version
The Standard version of VirusTotal reports includes the following:
- Observable identification—Identifiers and characteristics allowing you to reference the threat and share it with other analysts (for example, file hashes).
- Threat reputation—Maliciousness assessments coming from 70+ security vendors, including antivirus solutions, security companies, network blocklists, and more.
- Threat time spread—Key dates that enable you to understand when a given threat was first observed in-the-wild and how long it’s been active.
- Domain/IP Whois lookup—Registrar and registrant details for domains, as well as ownership and network range information for IP addresses.
- Domain and server security-relevant metadata—HTTPS certificates for web servers, DNS resolution records, and web server HTTP headers.
The Enhanced version of VirusTotal reports includes the same features provided in the Standard version plus the following:
- Multi-angular detection—Additional threat analysis coming from crowdsourced rule matches and community scoring (for example, YARA, Sigma, and IDS rules).
- Related indicators of compromise (IOCs)—Examples of IOCs include a network infrastructure distributing a malware file, servers acting as a command-and-control for a given threat, malicious URLs seen under a given domain, domains seen behind a given IP address, and more.
- Interactive threat graph—Graphical format that maps out entire threat campaigns by visualizing the relationships between IOCs.
- Security-relevant metadata—Includes software publisher information, identification of malicious macros in documents, popularity ranks for domains, domain content categorization, and more.
- In-the-wild details—Geographical and time-spread details for threats, common attacker deception techniques, and more, through VirusTotal submission metadata.
- Suspicious attribute pivoting—Clickable details in VirusTotal reports, allowing you to explore the global VirusTotal dataset for other threats that share the same properties.
Benefits and use cases for the Enhanced version
- Improved threat detection—Leverage crowdsourced rules to pinpoint and gain context on threats even when they aren’t yet widely known to security vendors.
- Expedited investigations and decision making—Increase your security team’s efficiency by complementing internal-only sightings with crowdsourced context. Adversaries target other organizations, too, and their footprints surface in VirusTotal—and this helps complete the picture for your security team. With the Enhanced version of VirusTotal reports, discarding false positives and confirming and escalating true positives is significantly faster.
- Improved threat remediation—Use the interactive threat graph and related artifacts to identify IOCs tied to a pertinent alert, and use them to fully understand the impact of an attack on your organization by searching through your security telemetry. For example: Did VirusTotal see any malware files downloaded from a domain in one of your alerts? If yes, have any of those hashes been seen in your network?
- Proactive defense strategy—You can pivot into VT Enterprise and identify threat infrastructure that might not have surfaced in your logs. Or you can identify other malware operated by the same threat actor, and block this malware in your network perimeter and endpoints before it impacts your organization. For example: Pivot to other domains registered by the same threat actor that may not have been leveraged in a campaign yet, and then preventatively block those domains in case they are eventually leveraged against your company.
Sign up for a VT Enterprise account
As described above, VirusTotal reports can include additional threat intelligence services and advanced features with the Enhanced version of VirusTotal reports. For more details, and to sign up for VT Enterprise, reach out to the VirusTotal team.
VirusTotal is an Alphabet product that analyzes suspicious files, URLs, domains and IP addresses to detect malware and other types of threats, and automatically shares them with the security community.
To view VirusTotal reports, you’ll be submitting file attachment hashes, IP addresses, or domains to VirusTotal.
Common questionsIs there any additional cost for using the Standard version of VirusTotal reports?
No. The Standard version of VirusTotal reports is available to administrators who have the alert center privilege and who use one of the following editions: Business Plus, Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus.
If you want to enhance the experience and improve your decision making and investigative capabilities through advanced threat context and reputation, you need a paid VT Enterprise subscription.
Yes. If you have a paid VirusTotal subscription, also known as VT Enterprise, you’ll see enhanced results within the alert center without any impact to your VirusTotal quota. Quota is only used when opening virustotal.com pages.
Yes. With VT Enterprise, you can implement other use cases particularly relevant for security operations centers, computer emergency response teams, incident response teams, and threat intelligence units:
- Automated security telemetry enrichment—This includes alert triage, false positive discarding, true positive confirmation, and confidence correlation.
- Incident response and forensic analysis—This includes security operations alert triage, incident analysis and context, artifact discovery, and IOC identification.
- Threat intelligence and advanced hunting—This includes unknown threat discovery, threat campaign monitoring, adversary tracking, preventative IOC identification, threat landscape exploration, and situational awareness.
- Anti-phishing, antifraud, brand, and corporate infrastructure monitoring—This includes phishing campaign tracking, banking trojan and info-stealer dissection, brand impersonation monitoring, malware distribution, and corporate infrastructure abuse identification.
- Red teaming and ethical hacking—This includes reconnaissance and passive fingerprinting, breach and attack simulation, and security stack validation.
- Vulnerability prioritization—This includes smart risk-driven patching strategies, in-the-wild vulnerability weaponization monitoring, and threat actor to vulnerability exploitation mapping.
No. All functionality is based on your admin selecting to view the VirusTotal report. Only after your admin performs this action are the file hash, domain, or IP address shared to VirusTotal to request the risk assessment report on the entity selected.
No. Opening VirusTotal reports within the alert center doesn’t use any of your VT Enterprise quota. If an admin opens the VirusTotal website to do more research from the alert center, that would count towards standard quota usage in the same way as directly visiting virustotal.com.
No. Only file hashes are sent to VirusTotal.
No. Only the domain portion of the email address is sent to VirusTotal.