Private Scanning

TL;DR: See files through the eyes of VirusTotal without uploading them to the main threat corpus, in other words, without sharing with other VirusTotal users or distributing them beyond your organization. Static, dynamic, network and similarity analysis included, as well as automated threat intel enrichment, but NOT multi-antivirus analysis.



Private Scanning does not replace VirusTotal's standard upload experience; you must use the Private Scanning form to keep uploads private. When using Private Scanning:

  • Submitted files do not leave VirusTotal's infrastructure.
  • All tools acting on the submitted files run on VirusTotal infrastructure.
  • Submitted files are not shared with third parties, unless the file is also uploaded to the standard VirusTotal service in addition to Private Scanning.
  • Submitted files are permanently deleted from our private buckets 24 hours after upload.
  • Analysis reports for submitted files are only visible to users within your organization (VirusTotal group) and are also permanently deleted 24 hours after generation.

Note that Private Scanning is not meant to replace VirusTotal's standard crowdsourced community, but rather to complement it in very specific and justified instances in which certain files can't be shared with security vendors and other industry peers. If Private Scanning clearly suggests that a file is malicious, we encourage you to upload it to standard VirusTotal in order to share the threat and its context with other defenders.

Private Scanning allows you to analyze files with VirusTotal in a privacy preserving fashion. Files uploaded via this offering won't be shared with anyone beyond your organization, and will remain in VirusTotal only for a brief period of time. The resulting analyses will be ephemeral too and only visible to your VirusTotal group.

Note that private analyses won't contain antivirus verdicts; they will contain only the output of all the other characterization and contextualization tools that we run, including sandboxes.

Private Scanning Overview

As with most of our functionality, you have two options to use it: through our API or via the web interface. We have also developed a command-line script to get you started with automation.

Accessing the private scanning web interface

To access this service you can follow the link at the top of the VirusTotal home view. Note that Private Scanning is a paid offering and you will need specific privileges to access it; please do not hesitate to request a trial.


You will see the list of previous private analyses submitted by users in your organization and the button to "Upload private file". Note that this list only includes analyses of files submitted by your organization, and that these reports are only visible to your organization.


Analyzing a file using the Private Scanning module

To upload and analyze a file privately, click on the "Upload private file" button; it will prompt you to choose a file from your computer. After the file is chosen you will be requested to confirm the upload. You may also set detonation options such as whether the dynamic execution in sandboxes should have internet connectivity.


If the file is already available in the standard VirusTotal open corpus, you will be informed accordingly and you may navigate to the corresponding VT ENTERPRISE report. 


As soon as the file is uploaded you'll be redirected to the report view, where you can see the scan progress and preliminary data regarding your file. The full analysis can take several minutes to complete: the file will be detonated in multiple sandboxes for a couple of minutes, and network traces will be subsequently analyzed with intrusion detection systems.


Private Scanning reports

Once the analysis concludes, you will have access to a file report. As mentioned previously, private analyses won't contain antivirus verdicts; they will only contain the output of all the other analysis and contextualization tools that we have in VirusTotal, including sandboxes:

  • Crowdsourced {YARA, SIGMA, IDS} rule matching to produce flags and detections.
  • Static and behavioural pattern analysis relevant to produce maliciousness determinations.
  • Static tooling such as file signature extractors, file type identification, file format dissection, document macro decoders, strings analysis, etc.
  • Dynamic analysis (detonation) in multiple sandboxes. Support for Windows, Mac OS X, Linux and Android. Process, file system, memory, network, etc. analysis.
  • Behaviour and static feature mapping to MITRE ATT&CK matrix.
  • Malware configuration extractors and decryptors.
  • Threat intel enrichment for all extracted IoCs (embedded IPs, contacted domains, download URLs, etc.).
  • Clustering and similarity analysis, including attribution to campaigns, toolkit and actors through similar files.


The reports are made up of several tabs. The detection tab displays granular flags coming from crowdsourced {YARA, SIGMA, IDS} matching, as well as sandbox execution verdicts. You may hover over matched rules to open them in a sidebar and export them to improve your security controls.  



The details tab records features extracted through static analysis. This includes, but is not limited to:

  • Basic properties: hashes, similarity hashes, file type identification, file size, compiler and packer identification.
  • Capabilities and indicators: verbose insights into interesting functionality and properties from a cybersecurity point of view.
  • File signature: signature and countersignature chain, software publisher, original file names, etc.
  • File format dissectors: PE sections, imports, exports, document macro decoders, etc.

All of the highlighted properties are pivotable, meaning that clicking on them will launch a standard VT ENTERPRISE search across the entire VirusTotal corpus to locate other (non-private) files that exhibit the same property. This is extremely useful to identify other variants of the same attack and gather further context, including potential campaigns or actors tied to the threat.

The relations tab lists any related IoCs observed during static and dynamic analysis of the file. These can be used for hunting, remediation and containment purposes, as well as to proactively protect your organization by blocking them in your security solutions. Some of the relationships include:

  • Execution parents: files that have been seen dropping the file under study when executed in a sandbox.
  • Dropped files: files that are dropped when the file under consideration is detonated in a sandbox.
  • Embedded {domains, IPs, URLs}: network IoCs seen within the binary body of the file under consideration, e.g. as a string.
  • Contacted {domains, IPs, URLs}: network resources to which the file reaches out when executed in multiple sandboxes.
  • Download URLs: Any URLs that standard VirusTotal has seen delivering the file under consideration.

Whenever these related IoCs are present in the standard VirusTotal corpus, they are automatically enriched with reputation and threat context coming from VT ENTERPRISE: security vendor detection ratios, geolocation, in-the-wild prevalence, etc. Moreover, all these related IoCs that are present in the standard VirusTotal corpus are pivotable, meaning that clicking on them will open the IoC report on the standard VT ENTERPRISE UI to help you gather further context.

As a final remark relative to the relations tab, note that when you upload a compressed bundle and it contains a file that is already in the VT corpus, we'll let you know so you can pivot to the standard VT ENTERPRISE report.

The behavior tab displays the execution report summaries for all sandboxes that act on the file. The summary includes notions such as: MITRE ATT&CK TTPs, file system actions, registry actions, process and service actions, synchronization mechanisms and signals (e.g. mutexes created), network communications, screenshots, etc. 



The activity summary toolbar also allows you to access more technical assets such as network execution traces (PCAPs), detailed dynamic reports (e.g. API calls), Windows event logs, memory dumps, etc.



The community tab will list any VirusTotal collections that contain a hash for the file under consideration, as well as any threat actors related to those collections.


Locating similar files and expanding context

One of the most useful and differentiated features of Private Scanning is pivoting to other similar files in the open VT ENTERPRISE corpus. This can be done through the similarity icon in the file summary block, where multiple similarity analysis techniques are available.



By jumping to other similar files you can learn the industry reputation and naming for other variants of the threat, commonalities and in-the-wild patterns, lookup and submission activity (telemetry) for related files, etc.


With the similar files you can also leverage VT DIFF to automatically build YARA rules for the pertinent malware toolkit, and you may gain further insights into the corresponding threat campaign and the actors behind it.



Final technical highlights

[Figure: Private Scanning final highlights]

Looking for a benefit analysis?

You may want to share the Private Scanning brief with your stakeholders or leadership in order to justify its value.