Submit files for manual malware analysis by 31 antivirus companies with X-Ray

There are many online malware scanners that use multiple antivirus engines to scan files. However, as shown in dotTech’s analysis of Avira vs avast! vs AVG vs Microsoft Security Essentials, antivirus software doesn’t detect unknown malware (i.e. zero-day threats, measured by retrospective detection rates) as well as it detects known malware. So if you are unlucky enough to download a file infested with new malware, your security software may or may not protect against it. Thus sometimes submitting a file to multiple antivirus engines is not enough; if a file contains a zero-day threat, all engines may list the file as clean when it really isn’t. Rather, if you are truly suspicious of a file, submitting it for manual analysis to antivirus experts is the most bullet-proof way to know if a file is clean or not because, after all, humans are smarter than computers. This is where X-Ray comes in.

What Is X-Ray

X-Ray is a freeware program created by our friend Raymond from Raymond.cc. It allows users to submit files for manual expert analysis by 31 antivirus companies:

  • Avast
  • AVG
  • Avira
  • Bitdefender
  • ClamAV
  • Comodo
  • Dr.Web
  • Emsisoft
  • ESET
  • CA
  • Fortinet
  • F-Prot
  • F-Secure
  • Ikarus
  • K7Antivirus
  • Kaspersky
  • McAfee
  • Microsoft
  • Norman
  • nProtect
  • Panda
  • PC Tools
  • Prevx
  • Rising
  • SUPERAntiSpyware
  • Symantec
  • TheHacker
  • VBA32
  • Vipre
  • ViRobot
  • VirusBuster

In addition to manual analysis, X-Ray allows users to run files through VirusTotal, getting back results from all 43 VirusTotal scanners.

Using X-Ray

Using X-Ray is very easy. First add the files you are suspicious of to the program (drag + drop is supported). (There is no batch processing. You can add multiple files but you must process each file individually.) Next you must decide if you want to scan the file with VirusTotal or send it to antivirus companies for manual analysis.

When scanning with VirusTotal you can search for existing scan results or run a whole new scan on the file. If there are no existing VirusTotal scan results, X-Ray will tell you so. When a VirusTotal scan is conducted (or previous scan results are fetched), the results are displayed in the program.

When sending to antivirus companies, you select which companies to send to by checking the checkboxes next to their names. You can either send the file to all 31 companies, or pick and choose.

It is recommended to run a file through VirusTotal before sending it to antivirus companies because if the file is infected and antivirus companies know about it already, VirusTotal will show it; then there is no need to send the file off for manual analysis (unless you think the results are false positives). The only time you should send a file for manual analysis is when VirusTotal shows a file as clean. When VirusTotal shows a file as clean that means either a) it really is clean or b) it contains a zero-day threat no one knows about yet, in which case manual analysis will catch it.

When you submit a file for manual analysis, you will be asked to enter a comment and sometimes asked to pass a CAPTCHA test.

The comment is optional. If you don’t want to enter one, just click the X button in the top-right corner. The CAPTCHA isn’t optional.

Don’t Send All Files For Manual Analysis

Do everyone a favor and don’t send each and every file for manual analysis by antivirus companies. Sending each file you download for analysis is not only a waste of your time, but a waste of bandwidth and a waste of the companies’ time, too. Just because VirusTotal shows a file as clean doesn’t mean it must be a zero-day threat that no one knows about; it really could be clean.

You should only be sending files for manual analysis that you are truly suspicious of.

Before You Begin

X-Ray submits files for manual analysis via e-mail or web, depending on which is used by the antivirus company. Thus, the first thing you need to do with X-Ray is attach an e-mail account (it can be any e-mail that supports the SMTP protocol, such as Gmail, Yahoo, Hotmail, etc.) so it can send e-mails.

Once you have set up an e-mail account you will be able to send files for analysis to those companies that only accept files via e-mail.

If you don’t want to attach an e-mail account to X-Ray, you will still be able to use X-Ray but you will only be able to send files to the antivirus companies that do it via the web.

X-Ray Limitations

X-Ray doesn’t create or modify any services. It simply facilitates the submitting of files for manual malware analysis. Thus X-Ray shares the same limitations as the services it uses. More specifically,

  • You will not get results back on manual analysis instantly. Manual analysis of files takes time. There is no specific time frame in which manual analysis is finished; each company does it differently and takes a different amount of time. Furthermore, you won’t get any notification when manual analysis results are in. The only way to know the results of a manual analysis is to regularly scan the file(s) you submitted for analysis. If the file(s) continues to come back as clean after a few days, then chances are it probably is clean. If the file(s) starts showing up as infected after a few days that means manual analysis found malware in the file.
  • VirusTotal doesn’t allow files larger than 20 MB. So you can’t submit files larger than 20 MB to VirusTotal using X-Ray. Take note, however, just because you can’t scan a file with VirusTotal doesn’t mean you can’t use X-Ray to submit the file for manual analysis. In other words, files larger than 20 MB you can’t scan with VirusTotal but you can still submit for manual malware analysis.
  • Some e-mail services don’t allow users to send EXE files as attachments in e-mails. Thus, depending on which e-mail service you use, you may not be able to submit EXE files with X-Ray for manual analysis to antivirus companies that only accept files via e-mail.
    • Update: X-Ray renames files, zips them, and then password protects them. Therefore, using X-Ray, you can send EXE files via e-mail.
  • Some (most) e-mail services limit the size of attachments in e-mails. Depending on your e-mail service provider, you may not be able to submit large files via X-Ray for manual analysis to antivirus companies that only accept files via e-mail.
  • X-Ray uses VirusTotal’s public API. That means two things. Firstly, sometimes you may not instantly get back VirusTotal scan results. If VirusTotal has heavy load on their servers, they delay scan results via the public API. There is nothing that can be done about this delay except loading up VirusTotal.com in your browser and scanning the file in question that way. Secondly, VirusTotal’s public API is limited to 20 requests per 5 minutes. Thus if very many people are using X-Ray at the same time, you may not be able to submit a VirusTotal request. There are two remedies to this problem. Firstly, you can scan your files via VirusTotal.com instead of using X-Ray to do it. Alternatively, you can grab your own VirusTotal public API key and enter it into X-Ray.

You are still limited to 20 requests/5 minutes with your own public API key, but using your own key means you are not sharing it with anyone else, which ensures you will rarely, if ever, hit that 20 requests/5 minutes cap.

Getting your own VirusTotal public API key is free and easy. All you have to do is register an account with VT Community (be sure to activate it), log into your VT Community account, click on My Account -> inbox -> Public API. Once you have the public API key, copy and paste it into X-Ray, as shown in the screenshot above.
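The workflow and limits described above (check VirusTotal first, 20 MB file cap, 20 requests per 5 minutes per key) can be sketched as a small client-side triage routine. This is an added example, not X-Ray's code: `RequestBudget`, `triage` and the `lookup` callback are hypothetical names, and keying the lookup on a SHA-256 digest is an assumption.

```python
import hashlib
import time
from collections import deque

VT_MAX_BYTES = 20 * 1024 * 1024  # page: VirusTotal rejects files over 20 MB
VT_MAX_REQUESTS = 20             # page: public API allows 20 requests ...
VT_WINDOW_SECONDS = 5 * 60       # ... per 5 minutes


class RequestBudget:
    """Sliding-window counter that keeps one API key under the public limit."""

    def __init__(self, limit=VT_MAX_REQUESTS, window=VT_WINDOW_SECONDS,
                 clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.sent = deque()  # send times of requests still inside the window

    def wait_needed(self):
        """Seconds until another request fits in the window (0.0 = send now)."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) < self.limit:
            return 0.0
        return self.window - (now - self.sent[0])

    def record(self):
        self.sent.append(self.clock())


def triage(data, lookup, budget):
    """Return (action, detail) for one suspicious file.

    lookup is a hypothetical callback standing in for the VirusTotal query:
    it takes a SHA-256 hex digest and returns None when no report exists,
    otherwise the number of engines that flagged the file.
    """
    wait = budget.wait_needed()
    if wait > 0:
        return ("wait", wait)  # over budget: retry later or use the website
    budget.record()
    digest = hashlib.sha256(data).hexdigest()
    detections = lookup(digest)
    if detections is None:
        if len(data) > VT_MAX_BYTES:
            return ("manual-only", digest)  # too big to scan, can still be submitted
        return ("new-scan", digest)
    if detections > 0:
        return ("already-detected", detections)  # no manual analysis needed
    return ("clean-so-far", digest)  # escalate only if truly suspicious
```

Only the `clean-so-far` and `manual-only` outcomes are candidates for manual submission, which matches the advice to send only files you are truly suspicious of.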

Conclusion

X-Ray isn’t one of those programs you will be using often. However, it is one of those programs that is mighty useful when you do have the need for it. Kudos Raymond, well done.

You can grab X-Ray from the links below; it is portable (no installation necessary) but does require .NET Framework 4:

Version reviewed: v1.0

Supported OS: Windows XP/Vista/Win7

.NET Framework 4 is required

Download size: 932 KB

Malware scan: VirusTotal scan results (1/43)

X-Ray homepage [direct download]


7 comments

  1. Giovanni

    “Some (most) e-mail services limit the size of attachments in e-mails. Depending on your e-mail service provider, you may not be able to submit large files via X-Ray for manual analysis to antivirus companies that only accept files via e-mail.”

    Hmmm do you know what’s the best e-mail service allowing you to send attachments larger than 20 MB in emails?? If I’m not wrong the best one is GMAIL which enables users to send attachment files up to 25 MB in size….is that right??

    And how about splitting a file larger than 20 or 25 MB in several parts and then send each one via email using X-Ray??

  2. Don Villas

    Under the heading “Before You Begin” you show an image which covers email settings. How do I discover what data I should insert for the Server Port and Enable SSL fields? X-Ray will not accept the default values it shows in the fields although it will accept my Username and Password.

  3. Raymond

    Thanks Ashraf for reviewing my app.

    A correction on this limitation:
    Some e-mail services don’t allow users to send EXE files as attachments in e-mails. Thus, depending on which e-mail service you use, you may not be able to submit EXE files with X-Ray for manual analysis to antivirus companies that only accept files via e-mail.

    To get around this limitation, X-Ray automatically renames the extension. For example, raymond.exe will automatically be renamed to raymond.ex_, followed by zipping and password protecting it.

  4. Ashraf
    Author/Mr. Boss

    @Sputnik: I’ve honestly never heard of .NET Framework slowing down a computer. Based off of what I know about .NET Framework, I don’t see how that is even possible. (Granted, I don’t know everything.) o_O

    @Schmeckle: I’m not sure what I would write about it. I don’t understand what people have against .NET Framework. If someone has a slow Internet connection and they can’t download it, I understand. Otherwise, why do people refuse to have it installed on their computers? .NET Framework is just a bloody framework that makes developing programs easier than using something like C++. In a way .NET Framework is like Java; yet I don’t see so many people refusing to install Java on their computers (although, granted, for security reasons there are many anti-java people out there).

  5. Schmeckle

    The evil .NET needed again for software. Ashraf, PLEASE do an article in the near future on not only your thoughts about .NET, but maybe the testing of .NET (like you recently did on the anti-virus software) and how it affects our computers and WHY it is needed in some software. I had it deleted, but due to some of the free software offered here and elsewhere, I have been forced to re-install it. :-(

    Am I right folks? Would we not all want to see whether we should have .NET on our machines and who best to tell us, ….but our resident “Cyber Guru”……..Ashraf!

  6. Sputnik

    I would install and use this software if there was not the need of .NET Framework 4.

    .NET Framework 4 is slowing down my computer (I’m working under XP SP3) and I’m not the only one in this case.

    I will wait until I change my computer in two or three years…