- dotTech - http://dottech.org -

Submit files for manual malware analysis by 31 antivirus companies with X-Ray

[1]There are many online malware scanners [2] that use multiple antivirus engines to scan files. However, as shown in dotTech’s analysis of Avira vs avast! vs AVG vs Microsoft Security Essentials [3], antivirus software don’t detect unknown malware (i.e. zero-day threats — retrospective detection rates [4]) as well as they detect known malware. So if you are unlucky enough to download a file infested with new malware, your security software may or may not protect against it. Thus sometimes submitting a file to multiple antivirus engines is not enough; if a file contains a zero-day threat all engines may list the file as being clean when it really isn’t. Rather, if you are truly suspicious of a file, submitting it for manual analysis to antivirus experts is the most bullet-proof way to knowing if a file is clean or not because, after all, humans are smarter than computers. This is where X-Ray comes in.

What Is X-Ray

X-Ray is a freeware program created by our friend Raymond from Raymond.cc. It allows users to submit files for manual expert analysis by 31 antivirus companies:

In addition to manual analysis, X-Ray allows users to run files through VirusTotal, getting back results from all 43 VirusTotal scanners.

Using X-Ray

Using X-Ray is very easy. First add the files (drag + drop is supported) to the program which you are suspicious of. (There is no batch processing. You can add multiple files but you must process each file individually.) Next you must decide if you want to scan the file with VirusTotal or send it to antivirus companies for manual analysis:


When scanning with VirusTotal you can search for existing scans results or run a whole new scan on the file. If there are no existing VirusTotal scan results, X-Ray will tell you so. When a VirusTotal scan is conducted (or previous scan results are fetched), the results are displayed on the program.

When sending to antivirus companies, you get to select which companies to send to by checking the checkboxes next to the names of the companies you want to send to. You can either send it to all 31 companies, or pick and chose.

It is recommended to run a file through VirusTotal before sending it to antivirus companies because if the file is infected and antivirus companies know about it already, VirusTotal will show it; then there is no need to send the file off for manual analysis (unless you think the results are false positives). The only time you should send a file for manual analysis is when VirusTotal shows a file as clean. When VirusTotal shows a file as clean that means either a) it really is clean or b) it contains a zero-day threat no one knows about yet, in which case manual analysis will catch it.

When you submit a file for manual analysis, you will be asked to enter a comment…


…and sometimes asked to pass a CAPTCHA test:


The comment is optional. If you don’t want to enter one, just click the X button in the top-right corner. The CAPTCHA isn’t optional.

Don’t Send All Files For Manual Analysis

Do everyone a favor and not send each and every file for manual analysis by antivirus companies. Sending each file you download for analysis is not only a waste of your time, but a waste of bandwidth and a waste of the companies’ time, too. Just because VirusTotal shows a file as clean doesn’t mean it must be a zero-day threat that no one knows about — it really could be clean.

You should only be sending files for manual analysis that you are truly suspicious of.

Before You Begin

X-Ray submits files for manual analysis via e-mail or web, depending on which is used by the antivirus company. Thus, the first thing you need to do with X-Ray is attach an e-mail account (it can be any e-mail that supports SMTP protocol, such as Gmail, Yahoo, Hotmail, etc.) so it can send e-mails:


Once you have setup an e-mail account you will be able to send files for analysis to those companies that only accept files via e-mail.

If you don’t want to attach an e-mail account to X-Ray, you will still be able to use X-Ray but you will only be able to send files to the antivirus companies that do it via the web.

X-Ray Limitations

X-Ray doesn’t create or modify any services. It simply facilitates the submitting of files for manual malware analysis. Thus X-Ray shares the same limitations as the services it uses. More specifically,


You are still limited to 20 requests/5 minutes with your own public API but using your own API means you are not sharing it with anyone else which ensures you will rarely, if ever, hit that 20 requests/5 minutes cap.

Getting your own VirusTotal public API is free and easy. All you have to do is register [10] an account with VT Community (be sure to activate it), log into your VT Community account, click on My Account -> inbox -> Public API. Once you have the public API, copy and paste it into X-Ray, as shown in the screenshot above.


X-Ray isn’t one of those programs you will be using often. However, it is one of those programs that is mighty useful when you do have the need for it. Kudos Raymond, well done.

You can grab X-Ray from the links below; it is portable (no installation necessary) but does require .NET Framework 4:

Version reviewed: v1.0

Supported OS: Windows XP/Vista/Win7

.NET Framework 4 is required

Download size: 932 KB

Malware scan: VirusTotal scan results (1/43) [11]

X-Ray homepage [12] [direct download [13]]