Thursday, October 28, 2021

VirusTotal integration with the security investigation tool provides deeper insight into Gmail events

What’s changing

Earlier this year, we announced an integration between VirusTotal and the Alert Center, giving admins the ability to look into security alerts at a deeper level. Beginning today, admins can also use the Security Investigation tool to view VirusTotal reports to gain richer information regarding Gmail event logs and use that information to make more informed decisions on protecting their users and data.


Within the security investigation tool, you select “View VirusTotal report” for a given investigation result.

The report will surface more details about potential security threats.


The Standard version of VirusTotal reports includes the following:

  • File identification: Identifiers and characteristics allowing you to reference the threat and share it with other analysts (file hashes, file type, size, etc.).
  • Threat reputation: Maliciousness assessments coming from 70+ security vendors.
  • Threat time spread: Key dates that enable you to understand when a given threat was first observed in-the-wild and how long it’s been active.

The Enhanced version of VirusTotal reports includes additional features such as:
  • Multi-angular detection: Additional threat analysis coming from crowdsourced rule matches and community scoring (for example: YARA, Sigma, and IDS rules).
  • Allowlist information: Details that help you discard false positives (National Software Reference Library, Software Distributors, Microsoft Clean Metadata Feed, etc.).
  • Related indicators of compromise (IOCs): Examples of IOCs include a network infrastructure distributing a malware file, servers acting as a command-and-control for a given threat, first-stage delivery vectors for a file being studied, etc.
  • Interactive threat graph: Graphical format that maps out entire threat campaigns by visualizing the relationships between IOCs.
  • Security-relevant metadata: Includes software publisher information, identification of malicious macros in documents, Android application permissions, etc.
  • In-the-wild details: Geographical and time-spread details for threats, common attacker deception techniques, and more, through VirusTotal submission metadata.
  • Suspicious attribute pivoting: Clickable details in VirusTotal reports, allowing you to explore the global VirusTotal dataset for other threats that share the same properties.

Who’s impacted

Admins


Why it matters

Integrating VirusTotal with the existing notifications and warnings surfaced through the security investigation tool provides admins with richer information regarding potential threats.

By giving admins greater context on these threats, they can confidently take swift action to protect their users and data. For example, admins can use VirusTotal to further investigate anomalies in a user’s account and determine whether the user’s device is infected with malware, or to determine whether a shared attachment is malicious and whether the same attachment has been seen elsewhere across their organization.


Additional details

VirusTotal provides an investigation layer on top of alerts but isn’t being used directly for detection or alerting. 

Data (file attachment hashes, not the attachments themselves) is only shared with VirusTotal after an admin selects to view the VirusTotal report for a given result. No data is otherwise shared.
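The two points above, that only the attachment’s hash leaves the organization and that the Standard report boils down to file identification, vendor reputation and time spread, shown in working code. This is an added example and not Google’s or VirusTotal’s code: the endpoint and the `x-apikey` header are the public VirusTotal v3 file lookup, but the attachment bytes and the report JSON are constructed here (the JSON follows the shape of a v3 file object with invented values), and the triage thresholds in `verdict()` are assumptions made for illustration.

```python
"""Added example (not Google's or VirusTotal's code): what a hash lookup sends,
and how to read the fields a Standard-style report carries. SAMPLE_ATTACHMENT
and SAMPLE_REPORT are constructed; SAMPLE_REPORT follows the shape of the
VirusTotal v3 'file' object but every value in it is invented."""
import hashlib
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone
from typing import Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"  # v3 file lookup by hash

# Constructed stand-in for a Gmail attachment (not a real executable).
SAMPLE_ATTACHMENT = b"MZ\x90\x00" + b"constructed-sample-not-a-real-binary" * 8


def attachment_hashes(data: bytes) -> dict:
    """Digests of the attachment. Only one of these leaves the organization
    when a report is requested; the attachment bytes themselves do not."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def fetch_report(sha256: str, api_key: str) -> Optional[dict]:
    """Live lookup by SHA-256 (needs an API key; not called by this example).
    Returns None when VirusTotal has never seen the hash (HTTP 404)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


_h = attachment_hashes(SAMPLE_ATTACHMENT)
SAMPLE_REPORT = {  # constructed v3-shaped response; all values invented
    "data": {"id": _h["sha256"], "type": "file", "attributes": {
        **_h,
        "size": len(SAMPLE_ATTACHMENT),
        "type_description": "Win32 EXE",
        "meaningful_name": "invoice_2021.exe",
        "first_submission_date": 1633046400,  # 2021-10-01T00:00:00Z
        "last_analysis_date": 1635379200,     # 2021-10-28T00:00:00Z
        "times_submitted": 12,
        "last_analysis_stats": {"malicious": 41, "suspicious": 2,
                                "undetected": 27, "harmless": 0,
                                "timeout": 0, "type-unsupported": 3},
        "crowdsourced_yara_results": [
            {"ruleset_name": "constructed_ruleset", "rule_name": "Constructed_Dropper"}],
    }}
}


def summarize(report: Optional[dict]) -> Optional[dict]:
    """Reduce a v3 file object to the three Standard-report sections."""
    if report is None:
        return None
    a = report["data"]["attributes"]
    stats = a.get("last_analysis_stats", {})
    # Engines that could not scan the file (timeout, unsupported type) do not vote.
    scanned = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    first = datetime.fromtimestamp(a["first_submission_date"], timezone.utc)
    last = datetime.fromtimestamp(a["last_analysis_date"], timezone.utc)
    return {
        "identification": {"sha256": a["sha256"], "md5": a["md5"], "sha1": a["sha1"],
                           "type": a.get("type_description"), "size": a.get("size"),
                           "name": a.get("meaningful_name")},
        "reputation": {"flagged": flagged, "scanned": scanned,
                       "ratio": flagged / scanned if scanned else 0.0},
        "time_spread": {"first_seen": first.isoformat(), "last_analysis": last.isoformat(),
                        "days_active": (last - first).days,
                        "times_submitted": a.get("times_submitted", 0)},
        # Enhanced-tier style extra: crowdsourced YARA matches, if the object has them.
        "yara_matches": [r.get("rule_name") for r in a.get("crowdsourced_yara_results", [])],
    }


def verdict(summary: Optional[dict], min_flagged: int = 5, min_ratio: float = 0.2) -> str:
    """Triage rule for an admin's own playbook. The thresholds are assumptions
    made for this example, not VirusTotal's or Google's."""
    if summary is None or summary["reputation"]["scanned"] == 0:
        return "unknown"        # never scanned: no reputation, which is not proof it is clean
    rep = summary["reputation"]
    if rep["flagged"] >= min_flagged and rep["ratio"] >= min_ratio:
        return "malicious"
    if rep["flagged"] > 0:
        return "suspicious"     # a handful of engines: pivot on time spread and YARA hits
    return "undetected"


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(json.dumps(summary, indent=2))
    print("verdict:", verdict(summary))
```

Run offline, the script summarizes the constructed report; to pivot on a real hash, call `fetch_report(sha256, api_key)` and pass the result to `summarize()`. Two caveats worth keeping in mind: a hash VirusTotal has never seen comes back as "unknown", which says nothing about whether the file is clean, and the lookup itself tells VirusTotal that your organization encountered that file, which is why the on-demand sharing described above matters.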

VirusTotal data is shared with the broader security community. This enables security vendors to collaborate with each other, share important details, and take action to fight security threats.

The VirusTotal report has two versions: Standard and Enhanced. The Standard version is displayed for admins who have the Security Center > VirusTotal > View report privilege, and who have one of the required Google Workspace editions. The Enhanced version is automatically displayed for paid VirusTotal subscribers who have an active virustotal.com login session with their VT Enterprise user account. Visit the Help Center for more information.


Getting started

Rollout pace


Availability

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers

Resources