Why does VirusTotal give different results depending on how I upload the file?

Why does VirusTotal give different results for what appears to be the same file, when the download URL is given ...

https://www.virustotal.com/gui/url/9525d0fe32cebf7933bf84dcfad93811e799c7e8460e374f230a232893a1ba9a

... and when the file hash is given (I download the file from the URL and then upload it to VirusTotal, using my browser) ...

https://www.virustotal.com/gui/file/03a234060541b686ac4265754aff43df9325c21383f90e17f831e67965d717f8

(My expectation is that it also computes the hash from the file found at the download URL.)

To add to this, the file lives on my system as "Optimizer-16.7.exe", but the VirusTotal GUI, after I upload that file, gives it as "Optimizer.exe".

1 points | by nilslindemann 3 hours ago

2 comments

  • nilslindemann 2 hours ago
    Okay, I figured it out by asking the Google AI (in German): https://share.google/aimode/vEQR65SSttZJkDWax

    (In the case of the direct upload, more programs check the file, indicating that the direct upload may in general be a more reliable method. Though the twelve reports seem to be false positives in this case.)

  • _a9 2 hours ago
    The URL scanner doesn't directly scan the file. It checks the URL against other web firewalls and returns stuff like the headers, chain, the sha256 hash of the body (which links to the actual file analysis https://www.virustotal.com/gui/url/9525d0fe32cebf7933bf84dcf...).

    You can see and compare the different vendors of each. File analysis goes to all the antiviruses and does the sandbox stuff, and the URL analysis goes to things like Google Safe Browsing, phishing check services, etc.

    tl;dr: different systems for URL analysis (web firewall check) & file analysis (antivirus/sandbox check).

    • nilslindemann 2 hours ago
      Thx, seems we posted at the same time. AI confirms what you say.
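
A local check of the distinction discussed in this thread, as an added example that is not part of any post and is not VirusTotal's code: it tells a `/gui/url/` report link from a `/gui/file/` one and compares a file report's identifier with the SHA-256 of a local file's bytes, which does not change when the file is renamed. The function names and the sample bytes are constructed for illustration; only the two links come from the thread.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlparse

def parse_vt_gui_link(link):
    """Return (kind, identifier) for a VirusTotal GUI link; kind is 'url' or 'file'."""
    parts = [p for p in urlparse(link).path.split("/") if p]
    # Expected path shape: /gui/<kind>/<identifier>[/...]
    if len(parts) < 3 or parts[0] != "gui" or parts[1] not in ("url", "file"):
        raise ValueError("not a VirusTotal GUI url/file link: " + link)
    return parts[1], parts[2].lower()

def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 over the file's bytes, streamed; the file name is not an input."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def link_matches_file(link, path):
    """True only for a file report whose identifier is this file's SHA-256."""
    kind, ident = parse_vt_gui_link(link)
    return kind == "file" and ident == sha256_file(path)

def demo():
    # The two links quoted in the question.
    url_link = "https://www.virustotal.com/gui/url/9525d0fe32cebf7933bf84dcfad93811e799c7e8460e374f230a232893a1ba9a"
    file_link = "https://www.virustotal.com/gui/file/03a234060541b686ac4265754aff43df9325c21383f90e17f831e67965d717f8"
    sample = b"constructed sample bytes, not the real download"
    with tempfile.TemporaryDirectory() as tmp:
        a = os.path.join(tmp, "Optimizer-16.7.exe")
        b = os.path.join(tmp, "Optimizer.exe")
        for path in (a, b):
            with open(path, "wb") as fh:
                fh.write(sample)
        own_link = "https://www.virustotal.com/gui/file/" + sha256_file(a)
        return {
            "kinds": (parse_vt_gui_link(url_link)[0], parse_vt_gui_link(file_link)[0]),
            "same_hash_under_both_names": sha256_file(a) == sha256_file(b),
            "url_link_matches": link_matches_file(url_link, a),
            "page_file_link_matches": link_matches_file(file_link, a),
            "constructed_link_matches": link_matches_file(own_link, b),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against the real download, `link_matches_file` with the file report link confirms whether the bytes on disk are the ones that report describes.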