# Virustotal AI integration on Definable

> VirusTotal is a free online service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content using multiple antivirus engines and website scanners.

## What this connects

VirusTotal is a free online service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content using multiple antivirus engines and website scanners.

Vendor: https://www.virustotal.com/gui/home/upload

## Tools available

**16** tools available. First 12:

- `VIRUSTOTAL_ADD_COMMENT` — Add VirusTotal Comment — Tool to add a comment to a VirusTotal resource (file, URL, domain, or IP address). Use after analyzing a resource to leave contextual feedback. Provide exactly one identifier per call.
- `VIRUSTOTAL_ADD_VOTE` — Add Vote — Tool to add a vote (harmless/malicious) to a VirusTotal resource. Use after reviewing analysis results to submit your verdict.
- `VIRUSTOTAL_GET_ANALYSIS` — Get Analysis Report — Tool to retrieve the analysis report of a file or URL submission. Use after obtaining an analysis ID to fetch its detailed report. Analysis results may be incomplete immediately after submission; poll until the report status is 'completed' before treating results as final.
- `VIRUSTOTAL_GET_COMMENTS` — Get comments — Tool to retrieve the latest comments on a VirusTotal resource. Use when you need to review user-generated comments for a file, URL, domain, or IP after obtaining its identifier.
- `VIRUSTOTAL_GET_DOMAIN_RELATIONSHIPS` — Get Domain Relationships — Tool to retrieve relationship objects for a given domain. Use when you have a domain and need to explore its related entities.
- `VIRUSTOTAL_GET_DOMAIN_REPORT` — Get Domain Report — Tool to retrieve the analysis report of a domain. Use when you need detailed insight on a domain's reputation and analysis stats. No malicious signals on obscure or low-traffic domains may indicate limited analysis history rather than safety — treat sparse results as 'unknown', not 'safe'. Covers external OSINT only (reputation, malware, SSL posture); cannot analyze internal/private assets.
- `VIRUSTOTAL_GET_FILE_REPORT` — Get File Report — Tool to retrieve the analysis report of a file. Use when you have a file's hash and need detailed scan metadata. Recently submitted files may return partial results; retry after a short delay before treating the report as final.
- `VIRUSTOTAL_GET_IP_ADDRESS_RELATIONSHIPS` — Get IP Address Relationships — Tool to retrieve objects related to a specific IP address by relationship type. Use when you have an IP and need to explore connected files, URLs, or other entities.
- `VIRUSTOTAL_GET_IP_ADDRESS_REPORT` — Get IP Address Report — Tool to retrieve the analysis report of an IP address. Use when you need detailed insight on an IP's reputation, ASN, country, and analysis stats. Low or zero detections indicate unknown risk, not safety — treat sparse data accordingly. Provides external OSINT only; insufficient as standalone compliance evidence.
- `VIRUSTOTAL_GET_METADATA` — Get VirusTotal Metadata — Tool to retrieve VirusTotal metadata. Use when you need information about available privileges, relationships between resources (like files, domains, IPs, URLs), and supported antivirus engines.
- `VIRUSTOTAL_GET_URL_REPORT` — Get URL Report — Tool to retrieve the analysis report of a URL. Use when you have a URL identifier (base64-url without padding) and need detailed scan results, reputation, and metadata. Results may be incomplete immediately after submission; retry with short delays if scan engines are still processing before treating the report as final.
- `VIRUSTOTAL_GET_VOTES` — Get Votes — Tool to retrieve votes on files, URLs, domains, or IP addresses. Use when you need to view community votes for a given object.

## Auth

Auth schemes: `API_KEY`.

## How agents use Virustotal

Inside a Definable workflow, Virustotal is one of the tools the **Distributor specialist** can call. Example coordination patterns:

- **Researcher → Virustotal** — the Researcher (GPT-5.5) pulls context from Virustotal (records, threads, documents), synthesises findings, and briefs the rest of the team.
- **Writer → Distributor → Virustotal** — the Writer (Claude Opus 4.7) drafts copy in brand voice, the Verifier passes it, then the Distributor writes the result into Virustotal (create record, post message, draft email).
- **Designer / Engineer → Distributor → Virustotal** — the Designer ships an asset or the Engineer ships a code change, the Distributor delivers it via Virustotal (attach file, open PR comment, post status).

The Verifier checks every Virustotal call. On rate limit, schema drift, or auth refresh it self-heals and retries — the workflow completes without manual intervention.

## Categories

- security & identity tools — https://definable.ai/apps/category/security-&-identity-tools/

## Related

- HTML page: https://definable.ai/apps/virustotal/
- Same category (security & identity tools): https://definable.ai/apps/category/security-&-identity-tools/
- All integrations: https://definable.ai/apps/
- Workflow (multi-agent loop): https://definable.ai/workflow/
- Apps llms.txt index: https://definable.ai/llms-apps.txt