New in Copilot: Scan Suspicious Files with VirusTotal Integration

In today’s security landscape, malicious files remain one of the primary attack vectors used by threat actors to infiltrate organizations. Whether it’s executables, PDFs, or Office documents, defenders must be able to quickly analyze suspicious files to determine if they pose a threat.

I’m excited to share that with the latest release, Copilot now integrates directly with VirusTotal, making file analysis faster and more seamless than ever.

Why Integrate VirusTotal into Copilot?

VirusTotal is one of the most widely used tools in cybersecurity, aggregating results from dozens of antivirus engines, reputation services, and static/dynamic analysis tools. Security professionals use it daily to check hashes, URLs, domains, and files for signs of maliciousness.

However, switching back and forth between your investigation platform and VirusTotal’s web interface adds friction to your workflow. That’s why we built VirusTotal integration directly into Copilot. Now, you can upload files for analysis and view results without leaving Copilot’s UI.

Setting Up the VirusTotal Connector in Copilot

First, ensure you’re running the latest version of Copilot. Once upgraded:

  1. Navigate to “Connectors.”
  2. Find and configure the VirusTotal connector.

If you’ve already connected VirusTotal previously, no changes are needed.

Good to know:

  • VirusTotal’s free API key is supported.
  • File size limit for free API keys is usually 32 MB.
  • Rate limits vary based on your API subscription tier.
  • Even with the free tier, you can perform file scans directly from Copilot.

Scanning Files via VirusTotal in Copilot

Once your connector is set:

  • Go to the Threat Intel tab in Copilot.
  • You’ll see a new dropdown for VirusTotal.
  • Click it and select the file you want to analyze.

Example Scenario:

I downloaded a ransomware sample from a malware database. The file was inside a password-protected ZIP archive. Many malware repositories protect samples this way to avoid accidental execution.

  • I uploaded the ZIP file in Copilot.
  • Entered the known password (“infected” or “malware” are common defaults).
  • Clicked Submit.
  • Copilot then sends the file to VirusTotal for analysis.

Initially, you may see the scan status as “queued,” since VirusTotal processes uploads before results become available. After a short wait, refreshing the page updates the status to completed.

Reviewing VirusTotal Scan Results

Once VirusTotal finishes scanning:

  • You’ll see the detection status directly in Copilot.
  • You can expand details to see:
      ◦ How many engines flagged the file
      ◦ Names of the detections (e.g. Trojan, ransomware)
      ◦ Links to the VirusTotal report for deeper analysis

In my demo, VirusTotal identified the ransomware sample as malicious, confirming the presence of threats inside the uploaded ZIP archive.
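The sequence the post walks through (check the sample against the free-tier size limit, upload it with the archive password, wait while the scan is queued, then read the engine counts, detection names and report link) maps directly onto VirusTotal's public v3 REST API. The Python below is an added example, not Copilot's or VirusTotal's own code: the endpoint paths and the optional `password` upload field follow VirusTotal's published v3 documentation (confirm them for your subscription tier), the API key, sample path and response values are constructed placeholders, and the network helpers are kept separate from the parsing so the summary logic runs offline on the embedded sample responses.

```python
# Added example for this post: a minimal sketch of the VirusTotal v3 workflow that the
# integration described above automates (size check, upload, poll while "queued",
# summarize results). Not SOCFortress Copilot's code. Assumes the public VirusTotal v3
# REST API (https://docs.virustotal.com/); `requests` is imported only inside the
# network helpers so the parsing functions and sample data below run offline.
import time
from pathlib import Path
from typing import Optional

VT_API = "https://www.virustotal.com/api/v3"
FREE_TIER_LIMIT_BYTES = 32 * 1024 * 1024  # 32 MB: the free-API-key limit named in the post
GUI_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


def within_free_limit(size_bytes: int, limit: int = FREE_TIER_LIMIT_BYTES) -> bool:
    """True when a non-empty file of size_bytes can be uploaded with a free API key."""
    return 0 < size_bytes <= limit


def upload_file(path: str, api_key: str, password: Optional[str] = None) -> str:
    """POST a sample to /files and return the analysis id to poll (network; not run offline).

    `password` is sent as the optional form field VirusTotal documents for encrypted
    ZIP uploads (assumption: verify against the current docs for your tier).
    """
    import requests  # local import keeps the offline helpers dependency-free
    p = Path(path)
    if not within_free_limit(p.stat().st_size):
        raise ValueError(f"{p.name}: exceeds the {FREE_TIER_LIMIT_BYTES} byte free-tier limit")
    form = {"password": password} if password else None
    with p.open("rb") as fh:
        resp = requests.post(f"{VT_API}/files", headers={"x-apikey": api_key},
                             files={"file": (p.name, fh)}, data=form, timeout=120)
    resp.raise_for_status()
    return resp.json()["data"]["id"]


def fetch_analysis(analysis_id: str, api_key: str) -> dict:
    """GET /analyses/{id}; the object's status starts as 'queued' and ends as 'completed'."""
    import requests
    resp = requests.get(f"{VT_API}/analyses/{analysis_id}",
                        headers={"x-apikey": api_key}, timeout=60)
    resp.raise_for_status()
    return resp.json()


def wait_for_completion(analysis_id: str, api_key: str,
                        poll_seconds: int = 20, max_polls: int = 15) -> dict:
    """Poll until the analysis is 'completed'; a slow interval respects free-tier rate limits."""
    for _ in range(max_polls):
        body = fetch_analysis(analysis_id, api_key)
        if body["data"]["attributes"]["status"] == "completed":
            return body
        time.sleep(poll_seconds)
    raise TimeoutError(f"analysis {analysis_id} not completed after {max_polls} polls")


def summarize(analysis: dict) -> dict:
    """Reduce a v3 analysis object to what the post shows: engine counts,
    detection names, and the link to the full report."""
    attrs = analysis["data"]["attributes"]
    if attrs.get("status") != "completed":
        return {"status": attrs.get("status", "unknown")}  # still queued: nothing to read yet
    stats = attrs.get("stats", {})
    results = attrs.get("results", {})
    detections = {engine: r["result"] for engine, r in results.items()
                  if r.get("category") in ("malicious", "suspicious") and r.get("result")}
    sha256 = analysis.get("meta", {}).get("file_info", {}).get("sha256")
    return {
        "status": "completed",
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "engines": sum(stats.values()),  # every engine outcome, detected or not
        "detections": detections,
        "report_url": GUI_FILE_URL.format(sha256=sha256) if sha256 else None,
    }


# Constructed sample responses (shape of the v3 analysis object; all values invented).
QUEUED_RESPONSE = {"data": {"type": "analysis", "id": "CONSTRUCTED-ANALYSIS-ID",
                            "attributes": {"status": "queued", "stats": {}, "results": {}}}}

COMPLETED_RESPONSE = {
    "meta": {"file_info": {"sha256": "0" * 64}},  # placeholder hash, not a real sample
    "data": {"type": "analysis", "id": "CONSTRUCTED-ANALYSIS-ID", "attributes": {
        "status": "completed",
        "stats": {"malicious": 2, "suspicious": 1, "undetected": 2, "harmless": 0, "timeout": 1},
        "results": {
            "EngineA": {"category": "malicious", "result": "Ransom.Generic"},
            "EngineB": {"category": "malicious", "result": "Trojan.Agent"},
            "EngineC": {"category": "suspicious", "result": "Heur.Suspicious"},
            "EngineD": {"category": "undetected", "result": None},
            "EngineE": {"category": "undetected", "result": None},
            "EngineF": {"category": "timeout", "result": None},
        }}}}


if __name__ == "__main__":
    print(summarize(QUEUED_RESPONSE))     # {'status': 'queued'}
    print(summarize(COMPLETED_RESPONSE))  # counts, detection names and the report link
```

Running `summarize` on the queued sample returns only the status, which is the point where the UI shows “queued” and a refresh is needed; on the completed sample it returns the flagged-engine count, the per-engine detection names and the `/gui/file/<sha256>` link the post's results view exposes. The polling interval is deliberately slow because free-tier rate limits are the usual cause of failed status checks.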

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Original link: https://socfortress.medium.com/new-in-copilot-scan-suspicious-files-with-virustotal-integration-4b2f28350c5c?source=rss-36613248f635------2