Why you shouldn’t automate your VirusTotal uploads

It is important to realize that uploading certain files to VirusTotal may result in leaking confidential data, which could result in a breach of confidentiality, or worse.

We have warned against uploading personal information, as does VirusTotal itself on their home page. But apparently some organizations have automated the uploading of email attachments without really thinking through the possible consequences.

VirusTotal

VirusTotal is now part of Google Cloud and its goal is to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats. It does this by scanning the submitted files with the contributing anti-malware vendors’ scanning engines. Many use VirusTotal as a “second-opinion” scanner which is obviously fine to do on occasion.

VirusTotal maintains a collection of over 70 endpoint protection solutions, but it is important to realize that there is no guarantee that the version that VirusTotal relies on is the same version that you would be running, or whether it is as up to date as your version might be.

But in the context of this article it is even more important to realize that VirusTotal was not designed to check whether an attachment is malicious. It may recognize malicious attachments, especially the ones that are used in mass email campaigns, since these samples may get uploaded more often. But in case of a targeted attack, getting the all-clear from VirusTotal does not mean the attachment is safe to open or edit.

VirusTotal offers premium services that allow participants access to files that were uploaded by third parties. This is done to increase malware detection across the participating solutions, but also to enable threat hunting and provide a historical and current overview of the threat landscape.

Breach of confidence

In March of 2022 the German Bundesamt für Sicherheit in der Informationstechnik (BSI), which translates as the Federal Office for Security in Information Technology, warned that it had noticed the (semi-)automated upload of suspicious or quarantined email attachments. In some cases these were confidential documents, including warnings sent by the BSI itself that were marked TLP:GREEN and TLP:AMBER.

The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).

Uploading a document marked as TLP:GREEN, TLP:AMBER or TLP:RED is a violation of the terms and can get you removed from the list of acceptable recipients. Receiving information with a TLP tag other than TLP:WHITE is a privilege. It means that the information owners trust the recipient to respect their wishes. The recipients should do everything in their power to be worthy of that trust.
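As an added illustration (not code from the original post or from VirusTotal), here is a small Python pre-submission gate that reads the TLP marking out of extracted document text and refuses to hand anything above TLP:WHITE to a service that shares uploads with third parties. Unmarked documents are routed to a human for review rather than uploaded, since the absence of a marking proves nothing about confidentiality; the sample attachments, names and the "allow/block/review" verdicts are constructed for this example.

```python
import re
from typing import Optional

# The four TLP designations the post describes, least to most restrictive.
# Assumption: only TLP:WHITE is cleared for unlimited disclosure, so it is the
# only marking under which a document may go to a third-party sharing service.
TLP_ORDER = ("WHITE", "GREEN", "AMBER", "RED")

# Matches "TLP:AMBER", "TLP: Amber", "TLP-RED", "TLP AMBER" anywhere in the text.
_TLP_RE = re.compile(r"\bTLP\s*[:\-]?\s*(WHITE|GREEN|AMBER|RED)\b", re.IGNORECASE)


def most_restrictive_tlp(text: str) -> Optional[str]:
    """Highest TLP level marked anywhere in the text, or None if unmarked."""
    found = {m.group(1).upper() for m in _TLP_RE.finditer(text)}
    return max(found, key=TLP_ORDER.index) if found else None


def submission_verdict(text: str) -> str:
    """'block' for TLP:GREEN/AMBER/RED, 'allow' for TLP:WHITE, 'review' if unmarked.

    An unmarked document is not proof it is shareable (think of the invoices the
    post mentions), so it goes to a person instead of an automatic upload.
    """
    level = most_restrictive_tlp(text)
    if level is None:
        return "review"
    return "allow" if level == "WHITE" else "block"


# Constructed sample attachments (plain-text stand-ins for extracted document text).
SAMPLES = {
    "bsi-advisory.txt": "TLP:AMBER - Advisory for constituents only. Do not forward.",
    "newsletter.txt": "TLP: White\nThis bulletin may be distributed without restriction.",
    "invoice.txt": "Invoice #1042 for ACME GmbH, total 4.200 EUR. Confidential.",
    "mixed.txt": "Cover note (TLP:GREEN). Appendix B is TLP:RED - recipients only.",
}


def triage(samples: dict = SAMPLES) -> dict:
    """Map each attachment name to its submission verdict."""
    return {name: submission_verdict(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{verdict:7} {name}")
```

A mixed document is judged by its most restrictive marking, so a TLP:GREEN cover note with a TLP:RED appendix is blocked as a whole.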

Sharing

Maybe these uploaders didn’t realize that the files were not only shared with the 70 security vendors, but were also accessible to all other businesses using the premium services provided by VirusTotal. There are no restrictions on the location of the participating businesses, so there is no reason to assume that it is safe to upload confidential documents.

A search by me on VirusTotal for “invoice.pdf” provided 17.68k search results. Granted, some of these files were actually marked as malicious, but the majority had no business being available for public viewing.

Ask for permission, not forgiveness

While we do understand the occasional need to upload a file to VirusTotal, do not automate this procedure. Only use it when you have no other methods of checking whether an attachment is safe to open.

Receivers:

  • If you are in the least bit uncertain about the safety of an attachment, contact the sender and ask them about it.
  • Don’t use VirusTotal if you want to check whether an attachment is malicious. The result is not conclusive and you may breach confidentiality.
  • Never click on links in emails or email attachments.
  • Never “Enable Editing” in a document, unless the sender has personally assured you it is safe.

Senders:

  • Only use attachments that could be perceived as dangerous when it’s absolutely necessary.
  • Inform recipients about the fact that you are sending them an attachment and for what reason.

There was good reason for Microsoft to disable macros by default.

Stay safe, everyone!