How to Safely Check Veil Payloads Against VirusTotal
One of the most common questions from teams running evasion tests is: "Should I upload the payload to VirusTotal?" The answer is nuanced. VirusTotal is a valuable tool for understanding detection coverage, but using it carelessly can compromise your testing methodology and share intelligence with the broader AV community — which may not align with your testing goals.
This guide covers the principles of safe payload analysis, when and how to use scanning services responsibly, and the operational considerations that matter for structured testing programs.
The Core Problem
VirusTotal aggregates results from dozens of antivirus engines, shares submitted samples with participating vendors, and makes them downloadable to paying VirusTotal Intelligence customers. When you upload a file, it becomes part of a shared dataset. For research samples and known malware, this is fine. For payloads generated during a specific engagement or testing exercise, the implications are different.
If you are testing whether your organization's defenses detect a particular evasion technique, uploading the payload to VirusTotal effectively shares it with every AV vendor. Their detection will improve — not because your defenses got better, but because the sample entered the vendor ecosystem. Veil's output differs from run to run, but the characteristics engines write signatures against (the stager structure, the strings, the API calls) do not, so your next test with the same technique will show better "detection rates" that have nothing to do with your own controls.
Safe Analysis Principles
Use Isolated Environments
Perform analysis in environments that do not leak data:
- Air-gapped VMs with no internet access for initial behavioral analysis
- Snapshot your analysis VM before each session and revert afterward
- Use network monitoring to verify no unintended outbound connections; capture at the hypervisor or on a separate tap as well as inside the guest, since a sample running in the guest can tamper with tooling that runs alongside it
Understand What You Are Measuring
Be clear about what question you are trying to answer:
- "Does my organization's specific AV detect this?" → Test against your deployed product in your lab. Do not upload to VirusTotal.
- "What is the broader industry detection rate for this technique?" → VirusTotal is appropriate, but understand the consequences. The number also reflects VirusTotal's scanner configurations, not the deployed products with their behavioral and cloud components, so treat it as a static-scan figure rather than an endpoint detection rate.
- "Is this payload safe to analyze?" → Static analysis and sandboxed dynamic analysis first, before any network-connected scanning.
Hash-Based Lookups First
Before uploading any file, check the hash against VirusTotal's existing database. If the hash is already known, you get detection information without contributing a new sample. The lookup discloses only the hash, never the file, so this is the safest approach for routine checks. Expect a freshly generated Veil payload to be unknown: a miss tells you that nobody has submitted that exact file, not that it would evade anything.
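A hash-only check as an added example, not tooling from the Veil project. It calls the VirusTotal API v3 endpoint GET /api/v3/files/{sha256} with the key in an `x-apikey` header; reading the key from a `VT_API_KEY` environment variable and the script name `vt_hash_check.py` are assumptions of this example. The network call is confined to `vt_lookup()` so that the hashing and report-summarising helpers can be exercised offline against the constructed `SAMPLE_REPORT` below, which is a stand-in for a response shape, not real VirusTotal data.

```python
"""Look a payload up on VirusTotal by SHA-256 without ever uploading it."""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

# Constructed example of the parts of a v3 file object this script reads.
# Not real VirusTotal data; the counts are invented for the demo.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "attributes": {
            "last_analysis_stats": {
                "harmless": 0, "malicious": 12, "suspicious": 1,
                "undetected": 50, "timeout": 1, "type-unsupported": 0,
            },
            "first_submission_date": 1700000000,
            "last_analysis_date": 1700003600,
        },
    }
}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so a large payload is never read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file object to what a tester cares about.

    last_analysis_stats counts engine verdicts; last_analysis_date says how
    stale they are, since VirusTotal only re-scans a known file on request.
    """
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    return {
        "known": True,
        "flagged": stats.get("malicious", 0) + stats.get("suspicious", 0),
        "engines": sum(stats.values()),
        "first_seen": attrs.get("first_submission_date"),
        "last_scanned": attrs.get("last_analysis_date"),
    }


def vt_lookup(sha256: str, api_key: str) -> dict:
    """GET the file object by hash. Only the hash leaves the lab.

    404 means VirusTotal has never seen this hash, which is the expected
    answer for a freshly generated payload. Anything else (429 on the free
    tier's rate limit, 401 on a bad key) is raised for the caller to see.
    """
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {"known": False, "flagged": 0, "engines": 0}
        raise


if __name__ == "__main__":
    if len(sys.argv) != 2:
        # No payload given: show what a hit looks like using the constructed report.
        print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
        sys.exit(0)
    key = os.environ.get("VT_API_KEY")
    if not key:
        sys.exit("usage: VT_API_KEY=... vt_hash_check.py <payload>")
    digest = sha256_of_file(sys.argv[1])
    print(digest)
    print(json.dumps(vt_lookup(digest, key), indent=2))
```

The public API allows a handful of requests per minute, so batch lookups should sleep between calls rather than retry on 429. Keep the hash itself in your engagement notes: if the same file later shows up in VirusTotal, `first_submission_date` tells you when it leaked.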
When Not to Upload
Do not upload payloads to scanning services when:
- The payload was generated for a specific client engagement (operational security)
- You are measuring your own detection capabilities (the upload skews results)
- The payload contains environment-specific configuration (IP addresses, domain names, credentials)
- You are in the middle of a red team exercise (sharing samples mid-engagement is a critical operational error)
Responsible Handling Guidance
For comprehensive guidance on safely handling potentially malicious files in research and testing contexts, CISA's malware analysis resources provide authoritative recommendations on isolated analysis environments, evidence handling, and safe practices that complement the operational considerations discussed here.
Building an Internal Analysis Capability
Rather than relying on external services, consider building internal analysis capacity:
- Static analysis tools — File format parsers, string extractors, disassemblers for examining payload structure
- Sandboxed execution — Automated malware sandboxes (Cuckoo, CAPE, or commercial alternatives) that run samples in instrumented VMs
- YARA rules — Custom detection signatures that you control and that do not leak intelligence externally
This approach keeps your analysis internal while still providing detection rate data against your own rules and signatures.
Related
- Veil-Evasion — Payload generation module
- Trust in Evasion Payloads — Integrity and supply-chain considerations
- Framework Overview — Where payload analysis fits in the testing lifecycle
- Guides — All available guides