VirusTotal Intelligence allows you to search through our dataset in order to identify files that match certain criteria (antivirus detections, metadata, submission file names, file format structural properties, file size, etc.). We could say that it is pretty much like the "Google" of malware.

In order to ease the use of the application we have classified the search queries and modifiers into the following categories, you can combine any number of them in the same query, moreover, you can use AND, OR and NOT operators to tweak your searches.

Searching by hash

To search for a file that has a given md5, sha1 or sha256 just type in the hash under consideration in the main search box. Example, searching for the file with md5: 12602de6659a356141e744bf569e7e56 .

If you have a list of hashes (e.g. exported from some other application), with independence of the type of hash (md5, sha1 or sha256) and whether they are mixed, and you want to search for all of them at the same time you should refer to the search for hashes feature at the main landing site. You just have to paste your hashes and click on the search button.

Searching by antivirus detections

The main search box also allows you to specify a full or partial malware family name ( Backdoor.Win32.PcClient!IK , Sality , Mydoom.R ), or any other text you want to find inside the antivirus reports. However, this kind of search will look at all indexed fields for the file, it will not only focus on the antivirus results. In order to focus exclusively on the antivirus results (no matter which particular engine produced the output), you should use the engines prefix. For example: engines:"Trojan.Isbar" or engines:"zbot".

If you are looking for files detected by some specific antivirus vendor you can make use of vendor prefixes. These prefixes should preceed your keyword in order to restrict the scope of the search to a particular antivirus solution, for example: symantec:infostaler, mcafee:rahack , f_secure:virut.

By using vendor prefixes you can also search for all files detected by a given vendor, independently of the malware name. To do this you must write the vendor prefix followed by the special keyword infected, e.g. nod32:infected. In this case the word infected does not necessarily have to be present in the antivirus signature, it is just indicating that the file must be detected. Similarly, you can list all files not detected by some antivirus by using the keyword clean. For example: nod32:clean.

This is the full list of allowed vendor prefixes:

Search modifiers

There are a set of special terms that you can use to refine your search results. For example, you can take advantage of the term positives:5+ to get files detected by five antivirus solutions or more. If you want to get those detected by ten engines or less you can use positives:10-. Specifying the number without any trailing plus or minus sign you will retrieve those detected exactly by the given number of engines, i.e. positives:7. These terms can be used more than once in the same query, for example positives:20+ positives:30- will return any file detected by a number of engines in the range 20-30.

The following table details the full list of available search modifiers along with the type of file on which the modifier can act. Please note that all these modifiers can be combined together and used in conjunction with the search modalities described above .