How to Scan a File for Malware — Guide
When to scan a file, how to read VirusTotal results, what false positives are and what to do when a threat is found.
What Is Malware?
The term malware (malicious software) covers any software designed to damage, steal data, or gain unauthorized access to a system. The categories are not mutually exclusive — a single file can combine traits from several:
- Virus: Self-replicates by injecting code into other files. Requires human action (executing a file) to spread.
- Trojan: Appears legitimate but hides malicious functionality — opens a backdoor, downloads additional malware, or steals credentials.
- Ransomware: Encrypts your files and demands payment for decryption. One of the most destructive categories for both businesses and individuals.
- Spyware: Silently collects user data (keystrokes, passwords, browsing history, screenshots) and sends it to third parties without the victim's knowledge.
Beyond these, there are worms (spread automatically across networks), rootkits (hide their presence inside the operating system), and adware (display unwanted advertisements).
How VirusTotal Works
VirusTotal is a free online service that submits an uploaded file to 70+ antivirus engines simultaneously and returns results within seconds. Owned by Google (Alphabet) since 2012, it is the industry standard for quickly analysing suspicious files.
Each engine uses a different detection methodology:
- Signature detection: Compares the file against a database of known malware signatures maintained by each vendor.
- Heuristic analysis: Detects suspicious code structure or behavior patterns even for unknown (zero-day) threats.
- Community & behavioral data: Files are executed in a sandbox; network calls, registry changes, and filesystem activity are all recorded.
Note: if a file has already been analysed recently, VirusTotal returns a cached result. For guaranteed fresh results, you can request a re-analysis.
Which Files Should You Scan?
Not every file needs scanning — focus on those that have access to your system or data:
- Executables: .exe, .dll, .msi, .com — the most common infection vector on Windows.
- Archives: .zip, .rar, .7z, .tar.gz — frequently used to conceal malicious content.
- Documents: .doc, .docx, .xls, .pdf — can carry macro viruses or exploit code.
- Scripts: .js, .ps1, .vbs, .bat, .sh — especially dangerous when downloaded from an unknown source.
Always scan files received as email attachments, downloaded from torrent sites, or obtained from websites you don't fully trust — even if the source appears legitimate.
How to Interpret the Results
The severity of a scan result depends on how many engines flag something. The table below provides a practical decision guide:
| Detection Ratio | Verdict | Recommendation |
|---|---|---|
| 0 / 70+ | Clean | Safe — proceed normally |
| 1–2 / 70+ | Suspicious | Likely false positive — read the detection names carefully |
| 3–5 / 70+ | Likely Malicious | Do not execute — seek a second opinion |
| 6+ / 70+ | Malicious | Delete immediately — do not open |
What Are False Positives?
A false positive occurs when a legitimate file is flagged as suspicious. It is common and does not automatically mean infection. Main causes:
- Heuristic over-detection: The engine found code that resembles malware without actually being so.
- PUP (Potentially Unwanted Program): Software like adware bundlers or crack tools — not malware per se, but undesirable.
- Cracked / pirated software: Often flagged because it modifies system files — this does not mean it is safe to run.
- Outdated signature base: Some engines do not update as quickly as others.
If only 1–2 engines out of 70+ detect something and the detection names contain "Heur", "Generic", or "PUA", it is most likely a false positive. However, if the names are specific (e.g. Trojan.GenericKD.12345) and 5+ engines agree, treat it seriously.
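The table above and the false-positive rule can be applied mechanically to a per-engine result set. The following is an added example, not code from the original guide or from VirusTotal: it takes a result set in the shape of VirusTotal API v3 `last_analysis_results` (engine name mapped to a `category` and a `result` string), counts the engines that flagged the file, returns the verdict row from the table, and checks whether the detection names are all Heur/Generic/PUA style labels. The engine names and detection names in the sample data are constructed placeholders, not real vendors or real signatures.

```python
# Added example (not part of the original guide): apply the guide's detection
# ratio table and its false-positive rule to a VirusTotal-style result set.
# The result layout mirrors VirusTotal API v3 "last_analysis_results"
# (engine name -> {"category": ..., "result": ...}); engine names and
# detection names below are constructed placeholders, not real vendors or
# real signatures.

# Substrings the guide associates with heuristic / generic / PUA detections
GENERIC_MARKERS = ("heur", "generic", "pua", "pup")


def verdict_for(detections: int) -> tuple:
    """Map a detection count to the verdict and recommendation from the guide's table."""
    if detections == 0:
        return ("Clean", "Safe: proceed normally")
    if detections <= 2:
        return ("Suspicious", "Likely false positive: read the detection names carefully")
    if detections <= 5:
        return ("Likely Malicious", "Do not execute: seek a second opinion")
    return ("Malicious", "Delete immediately: do not open")


def flagged_names(results: dict) -> list:
    """Detection names from engines that reported the file as malicious or suspicious."""
    return [
        r["result"]
        for r in results.values()
        if r.get("category") in ("malicious", "suspicious") and r.get("result")
    ]


def looks_like_false_positive(names: list) -> bool:
    """Guide's rule: only 1-2 engines fire and every name is a Heur/Generic/PUA style label."""
    if not 1 <= len(names) <= 2:
        return False
    return all(any(m in n.lower() for m in GENERIC_MARKERS) for n in names)


def assess(results: dict) -> dict:
    """Combine the ratio table and the false-positive rule into one summary."""
    names = flagged_names(results)
    verdict, advice = verdict_for(len(names))
    return {
        "detections": len(names),
        "engines": len(results),
        "verdict": verdict,
        "advice": advice,
        "likely_false_positive": looks_like_false_positive(names),
        "names": names,
    }


def make_results(flagged: dict, total: int = 70) -> dict:
    """Constructed sample: `total` engines, those listed in `flagged` reporting the given name."""
    results = {f"Engine{i:02d}": {"category": "undetected", "result": None} for i in range(total)}
    for engine, name in flagged.items():
        results[engine] = {"category": "malicious", "result": name}
    return results


# Two detections with generic names: the guide's "most likely a false positive" case
SAMPLE_FALSE_POSITIVE = make_results({"Engine03": "Heur.Generic.Example", "Engine41": "PUA.Example.Bundler"})
# Six engines agreeing on a specific name: the guide's "treat it seriously" case
SAMPLE_MALICIOUS = make_results({f"Engine{i:02d}": "Trojan.Example.Specific" for i in range(6)})

if __name__ == "__main__":
    for label, sample in (("false positive", SAMPLE_FALSE_POSITIVE), ("malicious", SAMPLE_MALICIOUS)):
        print(label, assess(sample))
```

The false-positive check deliberately stays a hint rather than a verdict: a low count with generic names lowers confidence in the detection, but the recommendation from the table (read the names, do not blindly execute) still applies.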
Privacy: What You Should NOT Upload
Critical: all files you upload to VirusTotal become public and can be downloaded by other users — security researchers and threat intelligence teams, but also malicious actors. Never upload:
- Files containing passwords, API keys, or credentials (e.g. .env files, config files)
- Personal data — identity documents, tax records, medical files
- Source code — especially if it contains business logic or embedded secrets
- Confidential corporate documents of any kind
If you want to check whether a file is known malware without making it public, you can look up its hash (MD5/SHA-256) — VirusTotal returns results if the file has already been analysed, without requiring an upload.
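The hash lookup described above can be scripted so that the file itself never leaves your machine. The following is an added example, not code from the original guide or from VirusTotal: it computes MD5 and SHA-256 locally in chunks, then asks VirusTotal API v3 for an existing report via `GET /api/v3/files/{hash}` with the `x-apikey` header (the endpoint and header are VirusTotal's documented public API; the `VT_API_KEY` environment variable and the `last_analysis_stats` summary used here are this example's assumptions). A 404 means VirusTotal has never seen the file, which is exactly the case where you would have to decide whether an upload is acceptable under the privacy rules above.

```python
# Added example (not part of the original guide): hash a file locally and
# look the hash up on VirusTotal instead of uploading the file.
# Endpoint and header are VirusTotal API v3; the API key is assumed to be in
# the VT_API_KEY environment variable (an assumption of this example).
import hashlib
import io
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

CHUNK = 1 << 20  # read in 1 MiB chunks so large files do not fill memory


def _hash_stream(stream) -> dict:
    """Compute MD5 and SHA-256 in one pass over a binary stream."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    """Hash an in-memory byte string (used for constructed test input)."""
    return _hash_stream(io.BytesIO(data))


def hash_file(path: str) -> dict:
    """Hash a file on disk without loading it entirely into memory."""
    with open(path, "rb") as f:
        return _hash_stream(f)


def lookup_hash(file_hash: str, api_key: str) -> Optional[dict]:
    """Return VirusTotal's last_analysis_stats for a hash, or None if the file is unknown (HTTP 404)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{file_hash}",
        headers={"x-apikey": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # never analysed: nothing was uploaded, nothing is public
        raise
    return body["data"]["attributes"]["last_analysis_stats"]


def summarize(stats: dict) -> str:
    """Express the stats as the 'flagged / total' ratio the guide's table uses."""
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.values())
    return f"{flagged} / {total} engines flagged this file"


if __name__ == "__main__":
    # Usage: python vt_hash_lookup.py <file>   (with VT_API_KEY set)
    path = sys.argv[1]
    digests = hash_file(path)
    print("md5   ", digests["md5"])
    print("sha256", digests["sha256"])
    key = os.environ.get("VT_API_KEY")
    if not key:
        sys.exit("VT_API_KEY not set; hashes printed, no lookup performed")
    stats = lookup_hash(digests["sha256"], key)
    print("not known to VirusTotal" if stats is None else summarize(stats))
```

Querying by SHA-256 rather than MD5 avoids ambiguity: MD5 collisions are cheap to produce, so two different files can share an MD5 while their SHA-256 values differ.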
What to Do If a Threat Is Found
If the scan returns a Malicious verdict for a file you have already executed, follow these steps:
- Isolate the system: Disconnect from the network (ethernet and Wi-Fi) immediately to stop the threat from spreading.
- Check your backups: Confirm that your backups are offline and have not been compromised.
- Scan with an offline antivirus: Use a bootable rescue disk (Kaspersky, ESET, Bitdefender) that runs outside the infected operating system.
- Format and reinstall: For serious infections (ransomware, rootkits), a clean OS installation is the only certain remedy.
- Change passwords: From a different device — email, banking, social media — and enable 2FA everywhere.
- Report if necessary: If third-party data (customers, colleagues) may have been exposed, GDPR requires you to notify the relevant parties.