Why does VirusTotal give different results depending on how I upload the file?

1•nilslindemann•1mo ago

Why does VirusTotal give different results for what appears to be the same file, when the download URL is given ...

https://www.virustotal.com/gui/url/9525d0fe32cebf7933bf84dcfad93811e799c7e8460e374f230a232893a1ba9a

... and when the file hash is given (I download the file from the URL and then upload it to VirusTotal, using my browser) ...

https://www.virustotal.com/gui/file/03a234060541b686ac4265754aff43df9325c21383f90e17f831e67965d717f8

(My expectation is that it also computes the hash from the file found at the download url)

To add to this, the file lives on my system as "Optimizer-16.7.exe", but the VirusTotal GUI, after I upload that file, gives it as "Optimizer.exe"

Comments

_a9•1mo ago

The URL scanner doesnt directly scan the file. It checks the URL against other web firewalls and returns stuff like the headers, chain, the sha256 hash of the body (which links to the actual file analysis https://www.virustotal.com/gui/url/9525d0fe32cebf7933bf84dcf...)

You can see and compare the different vendors of each. File analysis goes to all the antivirus' and does the sandbox stuff and the URL analysis goes to things like Google Safebrowsing, phishing check services, etc

tldr different systems for URL analysis (web firewall check) & file analysis (antivirus/sandbox check)

nilslindemann•1mo ago

Thx, seems we posted at the same time. AI confirms what you say.

nilslindemann•1mo ago

Okay, I figured it out by asking the Google AI (in German): https://share.google/aimode/vEQR65SSttZJkDWax

(In the case of the direct upload, more programs check the file, indicating that the direct upload may in general be a more reliable method. Though the twelve reports seem to be false positives in this case)

Show HN: Env-shelf – Open-source desktop app to manage .env files

Show HN: Almostnode – Run Node.js, Next.js, and Express in the Browser

Dell support (and hardware) is so bad, I almost sued them

Project Pterodactyl: Incremental Architecture

Styling: Search-Text and Other Highlight-Y Pseudo-Elements

Crypto firm accidentally sends $40B in Bitcoin to users

Magnetic fields can change carbon diffusion in steel

Fantasy football that celebrates great games

Show HN: Animalese

StrongDM's AI team build serious software without even looking at the code

John Haugeland on the failure of micro-worlds

Show HN: Velocity - Free/Cheaper Linear Clone but with MCP for agents

Corning Invented a New Fiber-Optic Cable for AI and Landed a $6B Meta Deal [video]

Show HN: XAPIs.dev – Twitter API Alternative at 90% Lower Cost

Near-Instantly Aborting the Worst Pain Imaginable with Psychedelics

Show HN: Nginx-defender – realtime abuse blocking for Nginx

The Super Sharp Blade

Smart Homes Are Terrible

What I haven't figured out

KPMG pressed its auditor to pass on AI cost savings

Open-source Claude skill that optimizes Hinge profiles. Pretty well.

First Proof

I squeezed a BERT sentiment analyzer into 1GB RAM on a $5 VPS

Kagi Translate

Building Interactive C/C++ workflows in Jupyter through Clang-REPL [video]

Tactical tornado is the new default

Full-Circle Test-Driven Firmware Development with OpenClaw

Automating Myself Out of My Job – Part 2

Dependency Resolution Methods

Crypto firm apologises for sending Bitcoin users $40B by mistake