Submit files for manual malware analysis by 31 antivirus companies with X-Ray
December 19, 2011
There are many online malware scanners that run files through multiple antivirus engines. However, as dotTech's comparison of Avira vs avast! vs AVG vs Microsoft Security Essentials showed, antivirus software does not detect unknown malware (zero-day threats, measured by retrospective detection rates) nearly as well as it detects known malware. So if you are unlucky enough to download a file carrying new malware, your security software may or may not protect you. Submitting a file to multiple antivirus engines is therefore sometimes not enough: if the file carries a zero-day threat, every engine may report it as clean when it isn't. If you are truly suspicious of a file, sending it to antivirus companies for manual analysis is the most reliable way of finding out whether it is clean, because a human analyst can examine what the file actually does rather than just match it against signatures that don't exist yet. This is where X-Ray comes in.
What Is X-Ray
X-Ray is a freeware program created by our friend Raymond from Raymond.cc. It allows users to submit files for manual expert analysis by 31 antivirus companies, including:
- PC Tools
In addition to manual analysis, X-Ray can run files through VirusTotal and return results from all 43 VirusTotal scanners.
Using X-Ray is very easy. First, add the files you are suspicious of to the program (drag and drop is supported). There is no batch processing: you can add multiple files, but each must be processed individually. Next, decide whether you want to scan the file with VirusTotal or send it to antivirus companies for manual analysis:
When scanning with VirusTotal you can either search for existing scan results or run a whole new scan of the file. A search for existing results works from the file's hash, so nothing is uploaded; a new scan uploads the file to VirusTotal, which shares submitted samples with antivirus vendors, so don't scan files whose contents are confidential. If there are no existing VirusTotal results, X-Ray tells you so. When a scan completes (or previous results are fetched), the results are displayed in the program.
When sending to antivirus companies, you select which companies to send to by ticking the checkboxes next to their names. You can send to all 31 companies or pick and choose.
It is recommended to run a file through VirusTotal before sending it to antivirus companies: if the file is infected and the antivirus companies already know about it, VirusTotal will show that, and there is no need to send the file off for manual analysis (unless you think the detections are false positives). The only time you should send a file for manual analysis is when VirusTotal shows it as clean. A clean VirusTotal result means either a) the file really is clean, or b) it carries a threat no engine has a signature for yet, which is exactly what manual analysis is meant to catch.
When you submit a file for manual analysis, you will be asked to enter a comment…
…and sometimes asked to pass a CAPTCHA test:
The comment is optional; if you don't want to enter one, just click the X button in the top-right corner. The CAPTCHA isn't optional.
Don’t Send All Files For Manual Analysis
Do everyone a favor and don't send each and every file for manual analysis. Sending every file you download for analysis wastes your time, your bandwidth and the companies' analysts' time. Just because VirusTotal shows a file as clean doesn't mean it must be a zero-day threat that nobody knows about; it really could be clean.
You should only be sending files for manual analysis that you are truly suspicious of.
Before You Begin
X-Ray submits files for manual analysis via e-mail or the web, depending on what each antivirus company accepts. So the first thing to do in X-Ray is attach an e-mail account (any account that supports the SMTP protocol, such as Gmail, Yahoo or Hotmail) so it can send e-mails. You are handing the program that account's login credentials, so a dedicated mailbox is a sensible choice:
Once you have set up an e-mail account you can send files to the companies that only accept submissions by e-mail.
If you don't want to attach an e-mail account, you can still use X-Ray, but only to send files to the companies that accept submissions via the web.
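To make concrete what "attaching an e-mail account" lets the program do, here is an added example (my code, not X-Ray's) that packages a suspect file the way the article later says X-Ray does for e-mail-only vendors (renamed, zipped) and hands the message to SMTP with STARTTLS. Python's standard zipfile module cannot write password-protected archives, so that step (vendors usually expect the password "infected") has to be done with 7-Zip or `zip -P`; everything except `send()` runs offline. The addresses and host names are placeholders.

```python
"""Added example, not X-Ray's code: package a suspect file (renamed, zipped,
hash in the body) and submit it over authenticated SMTP with STARTTLS.
zipfile cannot write encrypted archives, so password-protecting the zip
(vendors usually expect "infected") is left to 7-Zip or `zip -P`.
Addresses and host names are placeholders."""
import hashlib
import io
import smtplib
import ssl
import zipfile
from email.message import EmailMessage


def package_sample(data, original_name):
    """Rename to a hash-based, extension-neutral name and zip in memory so no
    bare .exe travels as an attachment; the real name rides along in a text file."""
    digest = hashlib.sha256(data).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(digest + ".bin", data)
        zf.writestr("ORIGINAL_NAME.txt", original_name)
    return digest, buf.getvalue()


def build_submission(sender, recipient, data, original_name, comment=""):
    """Build the MIME message: hash and original name in the body, zip attached."""
    digest, archive = package_sample(data, original_name)
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Sample for manual analysis: " + digest[:16]
    body = "SHA-256: %s\nOriginal name: %s\n" % (digest, original_name)
    msg.set_content(body + (comment + "\n" if comment else ""))
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename=digest[:16] + ".zip")
    return msg


def send(msg, host, port, user, password):
    """Deliver over SMTP with STARTTLS (the only part that needs the network)."""
    with smtplib.SMTP(host, port, timeout=30) as s:
        s.starttls(context=ssl.create_default_context())
        s.login(user, password)
        s.send_message(msg)


def extract_sample(msg):
    """Round-trip check: recover (inner name, bytes) from the attached zip."""
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/zip":
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                name = next(n for n in zf.namelist() if n.endswith(".bin"))
                return name, zf.read(name)
    raise ValueError("no zip attachment found")


if __name__ == "__main__":
    # Constructed sample and placeholder addresses; nothing is sent anywhere.
    m = build_submission("you@example.invalid", "samples@vendor.invalid",
                         b"MZ constructed suspect bytes", "setup.exe",
                         "Downloaded from a forum link, VirusTotal shows it clean")
    print(m["Subject"], "/ attachments:",
          [p.get_filename() for p in m.iter_attachments()])
    print(extract_sample(m))
```

The content-addressed inner name is deliberate: the receiving vendor can match the sample against its own collection by hash, and mail scanners along the way see a zip rather than an executable.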
X-Ray doesn't create or modify any services; it simply facilitates submitting files for manual malware analysis. X-Ray therefore shares the limitations of the services it uses. More specifically,
- You will not get manual-analysis results back instantly. Manual analysis takes time, there is no fixed turnaround (each company works differently), and you won't be notified when results are in. The only way to learn the outcome is to re-check the file(s) you submitted regularly, for example by searching VirusTotal for the file's hash. If a file keeps coming back clean after a few days, chances are it is clean. If it starts showing up as detected after a few days, analysis (by the company you sent it to, or by someone else who got hold of the same file) found malware in it.
- VirusTotal doesn't accept files larger than 20 MB, so you can't scan such files with VirusTotal through X-Ray. That does not stop you using X-Ray to submit them for manual analysis: files over 20 MB can't be scanned with VirusTotal but can still be sent to the antivirus companies.
- Some e-mail services don't allow EXE files as attachments, so depending on your provider you might not be able to submit EXE files to companies that only accept e-mail. Update: X-Ray renames files, zips them and password-protects the archive, so EXE files can be sent via e-mail after all.
- Some (most) e-mail services limit attachment size. Depending on your provider, you may not be able to submit large files via X-Ray to companies that only accept e-mail.
- X-Ray uses VirusTotal's public API, which means two things. First, you may not always get VirusTotal results back instantly: under heavy load, VirusTotal delays results served via the public API, and the only workaround is to load VirusTotal.com in your browser and scan the file there. Second, the public API is limited to 20 requests per 5 minutes per key. If many people are using X-Ray (and its built-in key) at the same time, your request may be refused. There are two remedies: scan the file at VirusTotal.com instead, or get your own VirusTotal public API key and enter it into X-Ray:
You are still limited to 20 requests per 5 minutes with your own key, but since you share it with nobody else you will rarely, if ever, hit that cap.
Getting your own VirusTotal public API key is free and easy. Register a VT Community account (be sure to activate it), log in, and go to My Account -> Inbox -> Public API. Copy the key and paste it into X-Ray, as shown in the screenshot above.
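The triage flow the article describes (hash lookup before upload, the 20-requests-per-5-minutes cap, the "already detected / clean / re-check later" decision) is small enough to do by hand. Here is an added example, my code rather than X-Ray's, written against VirusTotal's v2 public API, which is the API of the article's era; `api_key` is assumed to be your own VT Community key, and the sample data in the demo is constructed.

```python
"""Added example, not X-Ray's code: the triage flow this article describes, done
by hand against VirusTotal's v2 public API (the API of the article's era).
Look the hash up before uploading anything, stay under the public cap of
20 requests per 5 minutes, apply the article's decision rule, and re-check the
same hash days later.  'api_key' is assumed to be your own VT Community key."""
import hashlib
import json
import time
import urllib.parse
import urllib.request
from collections import deque

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
PUBLIC_LIMIT, PUBLIC_WINDOW = 20, 300.0   # 20 requests per 5 minutes


def sha256_of(data):
    """The hash, not the file, is what goes to VirusTotal first."""
    return hashlib.sha256(data).hexdigest()


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls in any `window` seconds.
    clock and sleeper are injectable so the limiter can be exercised offline."""

    def __init__(self, limit=PUBLIC_LIMIT, window=PUBLIC_WINDOW,
                 clock=time.monotonic, sleeper=time.sleep):
        self.limit, self.window = limit, window
        self._clock, self._sleep = clock, sleeper
        self._calls = deque()

    def wait_time(self):
        now = self._clock()
        while self._calls and now - self._calls[0] >= self.window:
            self._calls.popleft()           # forget calls that left the window
        if len(self._calls) < self.limit:
            return 0.0
        return self.window - (now - self._calls[0])

    def acquire(self):
        """Wait until a request is allowed; returns the seconds waited."""
        delay = self.wait_time()
        if delay > 0:
            self._sleep(delay)
        self._calls.append(self._clock())
        return delay


def classify_report(report):
    """Interpret a v2 /file/report body. response_code 1: report exists;
    0: VirusTotal has never seen this hash; -2: a scan is still queued."""
    code = report.get("response_code")
    if code == 1:
        return {"known": True, "positives": int(report["positives"]),
                "total": int(report["total"]), "scan_date": report.get("scan_date")}
    if code in (0, -2):
        return {"known": False, "queued": code == -2}
    raise ValueError("unexpected response_code %r" % (code,))


def next_step(verdict, truly_suspicious):
    """The article's decision rule, as code."""
    if verdict.get("known") and verdict["positives"] > 0:
        return "already detected: no manual submission needed (unless you suspect a false positive)"
    if truly_suspicious:
        return "clean or unknown to VirusTotal: submit for manual analysis"
    return "clean or unknown to VirusTotal: keep it and re-check the hash in a few days"


def verdict_flipped(earlier, later):
    """True when a hash that was clean or unknown now has detections."""
    before = earlier["positives"] if earlier.get("known") else 0
    after = later["positives"] if later.get("known") else 0
    return before == 0 and after > 0


def fetch_report(api_key, sha256, limiter):
    """Network call: fetch an existing report by hash. Nothing is uploaded."""
    limiter.acquire()
    body = urllib.parse.urlencode({"apikey": api_key, "resource": sha256}).encode()
    with urllib.request.urlopen(VT_REPORT_URL, body, timeout=30) as resp:
        if resp.status == 204:              # v2 answered 'quota exceeded' with an empty 204
            raise RuntimeError("VirusTotal public API quota exceeded; retry later")
        return json.loads(resp.read().decode())


class ManualClock:
    """Fake clock for demonstrating the limiter without really sleeping."""
    def __init__(self): self.t = 0.0
    def now(self): return self.t
    def sleep(self, seconds): self.t += seconds


if __name__ == "__main__":
    # Constructed sample data; nothing below touches the network.
    digest = sha256_of(b"constructed suspect file contents")
    day0 = classify_report({"response_code": 0})                       # never seen by VT
    day3 = classify_report({"response_code": 1, "positives": 3, "total": 43,
                            "scan_date": "2011-12-22 10:00:00"})
    print(digest, "->", next_step(day0, truly_suspicious=True))
    print("verdict flipped after a few days:", verdict_flipped(day0, day3))
    clk = ManualClock()
    rl = RateLimiter(limit=2, window=10.0, clock=clk.now, sleeper=clk.sleep)
    print("seconds waited per call:", [rl.acquire() for _ in range(3)])   # third call waits
```

To follow up on a manual submission, keep the hash you computed and call `fetch_report` for it every day or two; `verdict_flipped` comparing the stored verdict against the new one tells you when a vendor has added a detection, which is the only signal you will get.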
X-Ray isn’t one of those programs you will be using often. However, it is one of those programs that is mighty useful when you do have the need for it. Kudos Raymond, well done.
You can grab X-Ray from the links below; it is portable (no installation necessary) but requires .NET Framework 4:
Version reviewed: v1.0
Supported OS: Windows XP/Vista/Win7
.NET Framework 4 is required
Download size: 932 KB
Malware scan: VirusTotal scan results (1/43)