How VT Clue works

VT-Clue is a collection of patterns (called clues) that often correspond to malware (p:20+), goodware (p:0) or in between (p:1+ p:19-). Clues are based on data available in VirusTotal Intelligence / VirusTotal Enterprise, so its users can use the clues to find other samples that share the same clue. Clues are guaranteed to be at least 98% precise over a month's worth of samples.

On the Web, the clues of a given file are available in the details tab at the "Capabilities And Indicators" section. Here is how a clue looks like:

VT CLue list

Has section #0 named ".Upack" and has section #0 with virtual size between 142854 and 265060 bytes. 100.00% of the thousands matching files analysed in October had positives:20+

Most clues have links both to:

  1. Individual features (like section name ".Upack" above)
  2. The other files that share the same clue (e.g., the link "100% of the thousands…"). This distinction is important because some clues have more than one feature (e.g., section name and file size) and because clues only show the last week's worth of matching samples.

For example, in the image above, ".Upack". would take you to an Intelligence query for all the files with a section ".Upack" (using the most accurate search modifier) whereas 100.00% of the thousands matching files analysed in October had positives:20+]( would take you to all the samples which share this same clue during the last week using (using the clue_rule: search modifier).

The clue_rule: search modifier is particularly useful to further refine the query with other search modifiers and, for instance, look into the possible false positives of that clue. For example, if the clue says that 99% of the matching files have positives:20+, you can find the remaining 1% searching for [clue_rule: AND positives:0].

All of this data is, as usual, available via the API v3: