Is it safe to upload & scan personal files on VirusTotal?

Paid subscribers to VirusTotal can download files uploaded by others. Whether you consider this still safe for your users depends on what you consider safe.

See also their Privacy Policy which clearly says:

Information we share
When you submit a file to VirusTotal for scanning, we may store it and share it with the anti-malware and security industry ... Files, URLs, comments and any other content submitted to or shared within VirusTotal may also be included in premium private services offered by VirusTotal to the anti malware and ICT security industry

Still, I think that your idea of offering simpler access to a useful service directly from the mail client makes sense. I would, though, recommend that you add an easy-to-understand but not easy-to-ignore warning about the privacy implications before the user uploads a file. And it might be less invasive to first check if the hash already exists at VT before uploading a file (and not upload if the hash is known to VT).
Ideally you also make it easy for users to remove an accidentally shared file (thanks to @Mirsad for this suggestion in a comment).
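
The hash-first check suggested in the answer above, as an added example (not code from the answers or from VirusTotal): only the SHA-256 leaves the machine, and an upload is considered only when the hash is unknown and the user has seen the privacy warning. It assumes the VirusTotal API v3 file-report endpoint with the `x-apikey` header; the function names and the returned dictionary are hypothetical.

```python
import hashlib
import json
import urllib.error
import urllib.request

# VirusTotal API v3 file report endpoint; the lookup key is the file hash.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of(path, chunk_size=1 << 20):
    """Hash the attachment locally, streaming so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def http_lookup(digest, api_key, timeout=15):
    """Ask VT about a hash. Returns (http_status, parsed_json_or_None)."""
    req = urllib.request.Request(VT_FILE_URL.format(digest),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


def check_before_upload(path, api_key, lookup=http_lookup):
    """Decide whether an upload is needed at all; never uploads by itself."""
    digest = sha256_of(path)
    status, body = lookup(digest, api_key)
    if status == 200:
        # Already known to VT: show the existing verdicts, file content stays local.
        stats = body["data"]["attributes"]["last_analysis_stats"]
        return {"sha256": digest, "known": True,
                "needs_consent": False, "stats": stats}
    if status == 404:
        # Unknown hash: uploading would share the file, so the caller must
        # show the privacy warning and get explicit consent first.
        return {"sha256": digest, "known": False,
                "needs_consent": True, "stats": None}
    # Quota, auth or server errors: fail closed instead of falling back to upload.
    raise RuntimeError(f"VirusTotal lookup failed with HTTP {status}")
```

Any status other than 200 or 404 raises, so a quota or authentication failure cannot silently turn into an upload.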


I wouldn't recommend uploading files containing any sensitive information: passwords, personal notes or other forms of data that can identify you as a person or expose your privacy. As Steffen mentioned in his answer, the files can be downloaded by premium users, meaning that the files and their contents will be available to other individuals. Usually, reading the privacy policy of the website helps you grasp the general concept of what they are going to do with the data.


Yes, the files do get exposed to people outside of VT administrators.

VirusTotal Premium allows downloading files and "hunting", which involves writing YARA rules to match the files from everything that has been uploaded to VT (e.g. I can search for files that have a string "private", get alerted every time such a file is uploaded to VT and download them myself). Having the Premium service is very common for security teams and companies.

Also as already mentioned, the information is shared with other communities. So if there's a risk that private documents could be uploaded, I wouldn't implement this feature.
