Free Online Virus Scanner

When you submit a URL or a file, the scanner forwards the input to the VirusTotal v3 API. VirusTotal aggregates verdicts from more than 70 commercial antivirus engines (Bitdefender, ESET, Kaspersky, Malwarebytes, Microsoft, Sophos, Symantec, and many more) plus a dozen threat-intelligence feeds (Spamhaus, URLhaus, Phishtank, OpenPhish). The response we render to you is a count of how many engines flagged the input, which engines flagged it, what label each engine attached, and the timestamp of the most recent scan.

For URLs, VirusTotal also runs heuristic analysis (lookalike-character detection, domain age, SSL certificate fingerprint, hosting-provider reputation) and returns a synthesised verdict alongside the per-engine list. For files, you can submit either an actual upload or a SHA-256 hash; submitting the hash is faster, smaller, and avoids re-uploading a binary that VirusTotal has already seen.

The scanner never makes a verdict on its own. We do not run a local antivirus on the file or apply our own heuristics. The verdict you see is whatever the upstream engines returned — and we link the full VirusTotal report so you can verify it.

Per-IP rate limit: 10 submissions per minute, 500 per day. Phase 2 will surface the remaining quota in the result panel. If you hit the limit you can either wait, or submit your file directly to virustotal.com under your own free account, which gives you a separate per-account quota.

What we see: the URL or file hash you paste, the IP address that sent the request (visible to our edge for rate-limiting only), and the response we received from VirusTotal. We do not log inputs. We do not retain inputs. We do not associate inputs with cookies, fingerprints, or any other identifier.

What VirusTotal sees: the URL or file you submit, including any tracking parameters, query strings, or filenames embedded in it. Files uploaded to VirusTotal are shared with antivirus partners and may be analysed by paying VirusTotal customers. Treat anything you submit as public. Never submit anything sensitive — internal corporate URLs, staging environments, draft documents — that you do not want third parties to see.

A clean result (0 / 70+ engines flagged) is good but not conclusive. The threat may be too new for any engine to catch yet (a fresh phishing kit can take 6-24 hours to propagate to all 70 engines), or the URL may be hosting a benign decoy when scanned and switching to malicious payloads on user-agent or geo-targeted requests. A clean verdict reduces the probability that a file is malicious; it does not eliminate it.

A small number of detections (1-3 engines) is the most ambiguous result. It can mean: the file is genuinely malicious and most engines have not caught up; the file is potentially-unwanted software (adware, an aggressive installer); or the engines that flagged it are known false-positive-heavy on this category. Click each engine's label in the full VirusTotal report to see the family name — that's the only way to disambiguate.

A heavy detection (5+ engines, especially across multiple vendor families) is a high-confidence malicious verdict. Do not run, install, or execute the file. Delete it from your downloads folder. If your local antivirus did not catch it, capture the file path and submit a sample to your antivirus vendor; that's the kind of miss that changes lab scores in the next testing cycle.

For URLs, treat any phishing-tagged result as immediately blocked, regardless of engine count. Phishing detection is consensus-poor by nature — a single 'phishing' label from URLhaus or Phishtank carries more weight than three 'unrated' labels from broad-spectrum scanners.

The Online Scanner is a second-opinion tool. It answers 'is this one specific input malicious right now?' It cannot answer 'has anything malicious arrived on my device in the last hour?' — that's the question a local real-time antivirus answers, by inspecting every file as it lands and every URL as it loads.

Practical examples of when local antivirus, not the scanner, is the right answer: when you want continuous protection without manually checking each file; when you want to catch threats that arrive via auto-updaters, browser exploits, or USB devices (which never pass through a web form); when you want behavioural detection of in-memory threats (fileless malware) that have no hash to scan; or when you want to block phishing and exploit kits before the page even renders.

The right model is: a real-time antivirus running locally for ambient protection, plus the Online Scanner reserved for one-off paranoid second opinions on a specific file or link. Use both. They answer different questions.