VirusTotal

Scans files, URLs, and IP addresses for malicious content and pulls community reputation data into your security workflows to automate threat triage.

Why use Ceven?

  1. AI native VirusTotal integration

    • Describe the outcome and Ceven picks the right VirusTotal calls, fills the parameters, and checks the result.
    • Structured, agent friendly tool schemas so each call runs reliably instead of by guesswork.
    • Rich coverage for reading, writing, and querying your VirusTotal data, across all 16 of its actions.
  2. Managed auth

    • Built in OAuth with automatic token refresh and rotation.
    • One place to manage, scope, and revoke VirusTotal access.
    • Per user and per environment credentials instead of shared keys.
  3. Agent optimized design

    • Actions are tuned from real success and error rates so reliability climbs over time.
    • Full execution logs so you always know what ran in VirusTotal, when, and on whose behalf.
    • The agent pauses and asks when VirusTotal is unclear instead of plowing ahead.
  4. Enterprise grade security

    • Fine grained access so you control which agents and people can reach VirusTotal.
    • Least privilege by default, read scopes first and only the writes a workflow needs.
    • A full audit trail of every VirusTotal action to support review and sign off.

Supported tools

Every action Ceven's agents can run on VirusTotal, and when to use it.

Add comment
Use this to leave contextual feedback on a file, URL, domain, or IP address after you finish your analysis.
Add vote
Submit a harmless or malicious verdict for a resource to contribute to the community reputation score.
Get analysis report
Pull the detailed analysis report for a specific file or URL submission using its analysis ID.
Get comments
Pull the latest user generated comments for a file, URL, domain, or IP to see researcher notes.
Get domain relationships
Pull relationship objects for a domain to explore connected entities and infrastructure.
Get domain report
Pull a detailed report on a domain to see its overall reputation and analysis statistics.
Get file report
Pull scan metadata and detection results for a file using its unique hash.
Get IP relationships
Pull objects related to an IP address to find connected files or malicious URLs.
Get IP report
Pull the analysis report for an IP address including its ASN and country of origin.
Get metadata
Pull a list of all available API endpoints with their methods and summaries.
Get URL report
Pull scan results and reputation for a URL using its base64 encoded identifier.
Get votes
Pull community votes for a file, URL, domain, or IP to gauge peer consensus.
Rescan file
Trigger a new analysis for a previously submitted file to get updated detection results.
Scan URL
Submit a URL for scanning to obtain an analysis ID for later report retrieval.
Search objects
Search for files, URLs, domains, or IPs in the database using specific query terms.
Upload file
Submit binary file content to VirusTotal for a full multi engine analysis.
Add VirusTotal Comment
Tool to add a comment to a VirusTotal resource (file, URL, domain, or IP address). Use after analyzing a resource to leave contextual feedback. Provide exactly one identifier per call.
Get IP Address Relationships
Tool to retrieve objects related to a specific IP address by relationship type. Use when you have an IP and need to explore connected files, URLs, or other entities.
Get IP Address Report
Tool to retrieve the analysis report of an IP address. Use when you need detailed insight on an IP's reputation, ASN, country, and analysis stats.
Get VirusTotal Metadata
Tool to retrieve VirusTotal metadata. Use when you need to list all available API endpoints with methods, summaries, and URLs.
Search VirusTotal
Tool to search for objects in the VirusTotal database. Use when locating files, URLs, domains, IPs, or comments matching a query. Supports pagination with limit and cursor.

Frequently asked questions

Ceven manages rate limits by implementing a request queue that respects the specific tier of your VirusTotal API key. For users on the public API, we throttle requests to ensure you do not hit the hourly or daily quotas which would cause your security workflows to fail. If a rate limit is hit, the agent enters a back off period and retries the request automatically once the window resets. You can monitor your current quota usage within the Ceven connection settings page. We recommend the premium API for enterprise users who need to process thousands of indicators per hour without interruption or delay in their incident response pipeline.
Yes. While VirusTotal provides the intelligence, Ceven provides the action. You can build a workflow where the agent pulls an IP report and checks if the detection count exceeds a specific threshold, such as five or more engines marking it as malicious. If that condition is met, Ceven can then call the API of your firewall or cloud security group to add that IP to a block list. This creates a closed loop system where threat intelligence leads directly to mitigation without a human having to manually update a policy or move a ticket through a review stage.
Scanning a URL is an active request. When you use the scan action, Ceven tells VirusTotal to go out and analyze that specific link right now, which returns an analysis ID. You then use that ID to pull the report once the scan is complete. Getting a URL report is a passive request. It asks VirusTotal for the most recent existing data it already has on that URL. If the URL has never been seen before or the data is too old, the report might be empty or outdated. For high stakes security triage, we recommend scanning first and then pulling the report.
No. Ceven acts as a secure conduit between your storage and the VirusTotal API. When you trigger a file upload, the agent streams the binary data directly to the VirusTotal endpoints using a secure connection. We do not cache the files on our own servers or store them in the workflow history. Only the resulting file hash and the analysis reports are kept in the conversation context so the agent can reason about the threat. This ensures that sensitive binaries are not duplicated across multiple platforms and reduces the risk of accidental exposure within your workflow logs.
Absolutely. Ceven can be configured to periodically pull both the votes and the comments for a specific set of indicators. Because VirusTotal is a collaborative platform, security researchers often post detailed notes about a new campaign before the antivirus engines have updated their signatures. The agent can monitor these comment streams and alert you the moment a known researcher identifies a file as part of a specific APT group. This allows you to move from reactive scanning to proactive hunting by leveraging the collective intelligence of the global security community through automated polling.
The agent uses the relationship tools to build a map of an attacker's infrastructure. For example, if you start with a malicious IP, the agent pulls the IP relationships to find all domains hosted on that IP. It then iterates through those domains to see if any of them have associated files or other linked IPs. This recursive lookup allows Ceven to uncover a whole network of malicious assets from a single starting point. You can tell the agent to list every related entity it finds and then run a reputation check on each one to find other hidden threats.
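
The recursive relationship lookup described above, as an added example that is not Ceven's code: a breadth-first pivot with a visited set, a depth cap and a lookup budget so the walk stays inside an API quota. `lookup`, `pivot`, the fan-out cap and the graph are hypothetical and constructed for illustration; a real run would replace `lookup` with the relationship calls.

```python
from collections import deque

# Constructed relationship graph standing in for API responses
# (documentation address ranges and .example names, not real indicators).
GRAPH = {
    ("ip", "203.0.113.10"): [("domain", "a.example"), ("domain", "b.example")],
    ("domain", "a.example"): [("ip", "203.0.113.10"), ("file", "hash-aaa")],
    ("domain", "b.example"): [("ip", "198.51.100.7")],
    # Shared-hosting address: hundreds of unrelated tenants.
    ("ip", "198.51.100.7"): [("domain", f"tenant{i}.example") for i in range(300)],
}


def lookup(node):
    """Hypothetical stand-in for one relationship call per node."""
    return GRAPH.get(node, [])


def pivot(seed, fetch=lookup, max_depth=3, max_lookups=20, max_fanout=50):
    """Breadth-first expansion with a visited set, depth cap and call budget."""
    seen = {seed: 0}              # node -> depth at which it was first reached
    skipped = []                  # nodes too broad to treat as attacker-owned
    queue = deque([seed])
    lookups = 0
    while queue and lookups < max_lookups:
        node = queue.popleft()
        depth = seen[node]
        if depth >= max_depth:
            continue              # keep the node in the map but do not expand it
        neighbours = fetch(node)
        lookups += 1
        if len(neighbours) > max_fanout:
            skipped.append(node)  # likely shared hosting or a CDN: human review
            continue
        for n in neighbours:
            if n not in seen:     # cycles (ip -> domain -> ip) are common
                seen[n] = depth + 1
                queue.append(n)
    return seen, skipped, lookups


if __name__ == "__main__":
    found, too_broad, calls = pivot(("ip", "203.0.113.10"))
    print(len(found), "nodes,", calls, "lookups, not expanded:", too_broad)
```

Without the fan-out cap the shared-hosting address would pull 300 unrelated tenant domains into the map and into any reputation check that follows.
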
Yes. You can build a verification step into your workflow. Instead of trusting a single engine, you can instruct the agent to only trigger a block action if a certain percentage of engines agree on the verdict. Additionally, the agent can check the community votes. If a file has a few detections but the community has voted it as harmless, the agent can flag the result for human review instead of automatically blocking it. This prevents critical business tools from being taken offline due to a single overly aggressive antivirus engine marking a custom internal script as suspicious.
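
The verification step described above, combined with the earlier answer's five-engine block rule, as an added example that is not Ceven's or VirusTotal's code. The `last_analysis_stats` and `total_votes` field names follow VirusTotal API v3 object attributes; `triage`, `Policy`, the ratio and vote minimums, and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Engine outcomes that count as an opinion; timeouts and unsupported
# types are left out of the denominator.
OPINIONS = ("harmless", "malicious", "suspicious", "undetected")

@dataclass(frozen=True)
class Policy:
    min_malicious: int = 5     # the "five or more engines" figure from the text
    min_ratio: float = 0.10    # assumed share of responding engines
    min_votes: int = 3         # assumed: ignore one or two stray votes

def triage(attrs, policy=Policy()):
    """Return (decision, reason); decision is 'block', 'review' or 'allow'."""
    stats = attrs.get("last_analysis_stats") or {}
    votes = attrs.get("total_votes") or {}
    responded = sum(int(stats.get(k, 0)) for k in OPINIONS)
    malicious = int(stats.get("malicious", 0))
    if responded == 0:
        # Never-seen or still-queued object: no data is not a clean verdict.
        return "review", "no engine results"
    harmless_votes = int(votes.get("harmless", 0))
    malicious_votes = int(votes.get("malicious", 0))
    community_harmless = (harmless_votes + malicious_votes >= policy.min_votes
                          and harmless_votes > malicious_votes)
    if malicious >= policy.min_malicious and malicious / responded >= policy.min_ratio:
        if community_harmless:
            return "review", "engines and community votes disagree"
        return "block", f"{malicious}/{responded} engines"
    if malicious > 0:
        return "review", f"{malicious}/{responded} engines, below threshold"
    return "allow", f"0/{responded} engines"

# Constructed sample attribute blocks (not real VirusTotal results).
SAMPLES = {
    "commodity": {"last_analysis_stats": {"malicious": 41, "suspicious": 2,
                  "undetected": 25, "harmless": 0, "timeout": 3},
                  "total_votes": {"harmless": 0, "malicious": 6}},
    "internal_script": {"last_analysis_stats": {"malicious": 7, "undetected": 60},
                        "total_votes": {"harmless": 9, "malicious": 1}},
    "one_engine": {"last_analysis_stats": {"malicious": 1, "undetected": 68}},
    "never_seen": {},
    "clean": {"last_analysis_stats": {"harmless": 60, "undetected": 10}},
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        print(name, *triage(attrs))
```
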
VirusTotal has specific size limits for standard API uploads. For very large files, the API requires a special upload URL that supports larger binaries. Ceven handles this complexity by first requesting the upload URL from VirusTotal and then streaming the file in chunks. However, you should be aware that extremely large files may take longer to process and the analysis report might not be available immediately. The agent will handle the waiting period by polling the analysis ID until the final report is ready for the agent to read and summarize for you.

Alternatives to VirusTotal

Other tools that solve a similar problem. Ceven supports these too, so you can switch or run more than one at once.

CrowdStrike, SentinelOne, Any.Run

Try Ceven on your stack

Plug Ceven on top of the tools you already run. Connect VirusTotal and the rest of your stack, describe the outcome, and its agents handle the work end to end, days of it in minutes.