August 2023 ~ VirusTotal Release Notes

Monday, August 21, 2023

Subscription invoices directly in your inbox. VirusTotal is continually maturing on the platform maturity front, following our work on SSO/SAML and service accounts, we continue to improve beyond security controls and into other enterprise readiness areas. If you are paying VirusTotal Enterprise via credit card, you can now provide a list of email addresses in your VirusTotal Group settings page and the corresponding invoices will be emailed to those accounts in addition to being displayed in the “Invoices” tab of your VirusTotal Group profile.

Personal YARA rule matches now showing up on file reports as tags. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. Up until now, Livehunt YARA rule matches were only displayed in your IoC Stream. As of now, whenever you randomly search in VirusTotal or perform IoC lookups outside of VT Hunting, if the pertinent IoC happens to match one of your YARA rules, it will be called out as a red tag on IoC reports.

File storage regionalization for VT Private Scanning. VirusTotal Private Scanning allows its users to “see files through VirusTotal’s eyes” without making those files or their reports downloadable/visible to any 3rd-party beyond their own organizations, i.e. in a non-shareable fashion. All standard VirusTotal analysis components are included (reputation, static, dynamic - sandboxes, code, similarity analysis) except for multi-antivirus scanning. We have extended VT Private Scanning to support file storage regionalization, users can now choose between the US and the EU.

VT Private Scanning “Inconclusive” verdict has been renamed to “Undetected”. VT Private Scanning does not leverage the multi-antivirus setup, but does emit opinionated verdicts about the maliciousness of files based on a multi-layered approach including sandbox detonation observations, YARA rule matches, static analysis and other advanced analysis components. We have renamed the “Inconclusive” verdict to “Undetected” as it was generating some confusion. This verdict indicates that there are no clear signs of maliciousness.

VT HUNTING Livehunt for network indicators, one-click wizards. Last week we announced the rollout of VT Hunting Livehunt for network indicators, which extends Livehunt’s matching capabilities to cover domains, IP addresses and URLs. This allows analysts to discover new artifacts and infrastructure tied to a known campaign, unearth new infrastructure being leveraged by popular malware toolkits, perform attack surface management, identify phishing campaigns against their organizations, etc. We’ve published a second post focusing on one-click “IoC follow” actions that automatically create Livehunt rules to receive timely updates about new activity related to IoCs that you may be investigating.

Crowdsourced AI += NICS Lab. We’ve extended our Crowdsourced AI initiative with a generative AI model from a research group of the Computer Science Department at the University of Malaga. The new model processes PowerShell files, not only strengthening our collective understanding of the code and its behavior, but also providing verdicts on the potential threat level of each file - categorizing them as malicious, suspicious, or benign. See example.

Keeping state around expansions and contractions of Behaviour sections. VirusTotal does not only run multiple antivirus/EDR solutions on files, it also brings together multiple sandbox dynamic analysis setups. These days we aggregate over 15 sandboxes covering 4 major operating systems (Windows, Linux, Android, OS X) and producing insights such as created/deleted files, registry keys set, contacted domains, synchronization mechanisms, etc. The output of these sandboxes is displayed in the Behavior tab of file reports. The information displayed in this tab is extremely exhaustive, we acknowledge that some users may only be interested in certain sections such as network communications. In order to improve relevance and discoverability, we are now storing state around section header contractions and expansions. This provides a personalized experience whereby upon loading new file reports users see the information that they deem important first.

Flags for users with active 2FA authentication and corresponding search filters. VirusTotal has been continually maturing on the enterprise readiness front, following our work on SSO/SAML or service accounts, we continue to improve security controls. Group administrators now see a “2FA” badge next to users with active two-factor authentication in group user listings. Similarly, administrators can also filter those listings to focus on users that have or do not have active 2FA.