VirusTotal is not an Incident Responder – a tool that aids in analysis should not be a “one-stop-shop” in determining if content is malicious. Attackers can easily manipulate these results.

Reliance on tools like this to come up with conclusions, means that there must be a lack of tools provided to an analyst or proper training/funding.

I know for the team I manage, tools like this are amazing to help pivot to other tools/techniques which can be part of an operators tool belt.

One of the problems to me is, too many vendors sell numerous fucking tools with fancy interfaces, and forget to teach the underlying concepts behind how the tools actually work… Once the tools are down or can’t use it…. you’re left there thinking.. what next.

edit. – I feel like it’s also quite trivial to bypass these types of sandboxes/tools, I have a malicious binary I use for threat hunting as a stager, still hasn’t been detected by any tools we use 🙂

Thanks to the Courtesy of :

https://www.reddit.com/r/netsec/comments/esv9j1/virustotal_is_not_an_incident_responder_a_tool/

Leave a Reply