The main search box also allows you to specify a full or partial malware family name ( Backdoor.Win32.PcClient!IK, Sality, Mydoom.R), or any other text you want to find inside the antivirus reports. However, this kind of search will look at all indexed fields for the file, it will not only focus on the antivirus results. In order to focus exclusively on the antivirus results (no matter which particular engine produced the output), you should use the engines prefix. For example:engines:"Trojan.Isbar"or engines:"zbot".
If you are looking for files detected by some specific antivirus vendor you can make use of vendor prefixes. These prefixes should preceed your keyword in order to restrict the scope of the search to a particular antivirus solution, for example: symantec:infostealer, mcafee:rahack, f-secure:virut.
By using vendor prefixes you can also search for all files detected by a given vendor, independently of the malware name. To do this you must write the vendor prefix followed by the special keyword infected, e.g. ESET-NOD32:infected. In this case the word infected does not necessarily have to be present in the antivirus signature, it is just indicating that the file must be detected. Similarly, you can list all files not detected by some antivirus by using the keyword clean. For example:ESET-NOD32:clean.
This is the full list of allowed vendor prefixes:
The list is subject to changes as new antivirus solutions are integrated in VirusTotal and existing ones change names so do not forget to visit it every once in a while.
Updated 3 months ago