How VT Clue works
VT-Clue is a collection of patterns (called clues) that often correspond to malware (p:20+), goodware (p:0) or something in between (p:1+ p:19-). Clues are based on data available in VirusTotal Intelligence / VirusTotal Enterprise, so its users can use a clue to find other samples that share it. Clues are guaranteed to be at least 98% precise over a month's worth of samples.
On the Web, the clues of a given file are available in the details tab, under the "Capabilities And Indicators" section. Here is what a clue looks like:
Has section #3 named ".imports" and has a size between 528210.6 and 3995911.8 bytes.
98% of the tens of thousands matching files analyzed in October had positives:20+
Most clues have links both to:
- Individual features (like section name ".imports" above)
- The other files that share the same clue (e.g., the link "98% of the tens…"). This distinction is important because some clues have more than one feature (e.g., section name and file size) and because clues only show the last week's worth of matching samples.
For example, in the image above, ".imports" would take you to an Intelligence query for all the files with a section named ".imports" (using the most accurate search modifier), whereas "98% of the tens of thousands matching files analyzed in October had positives:20+" would take you to all the samples that shared this same clue during the last week (using the clue_rule: search modifier).
The clue_rule: search modifier is particularly useful to further refine the query with other search modifiers and, for instance, look into the possible false positives of that clue. For example, if the clue says that 99% of the matching files have positives:20+, you can find the remaining 1% searching for [clue_rule:<the ID of the clue> AND positives:0].
All of this data is, as usual, available via the API v3:
- https://www.virustotal.com/api/v3/files/<sha256>/clues?limit=10 (doc) - To find the clues of a given file.
- https://www.virustotal.com/api/v3/clue_rules/<clueID>/files (doc) or https://www.virustotal.com/api/v3/intelligence/search?query=clue_rule:<clueID> - To retrieve all the files caught by the clue during the last week.
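As an added example (not code from VirusTotal or this page), the script below builds the three API v3 URLs listed above, parses a clues response, and derives the false-positive refinement query described earlier (clue_rule:<ID> AND positives:0) for every clue whose stated precision meets the 98% bar. The response shape and the attribute names "description" and "malicious_percentage" are assumptions used for the constructed sample, not VT's documented schema, and the clue ID is a placeholder.

```python
import json
from urllib.parse import urlencode

API_BASE = "https://www.virustotal.com/api/v3"


def clues_url(sha256: str, limit: int = 10) -> str:
    """Endpoint from the page: the clues of one file."""
    return f"{API_BASE}/files/{sha256}/clues?{urlencode({'limit': limit})}"


def clue_files_url(clue_id: str) -> str:
    """Endpoint from the page: last week's files caught by one clue."""
    return f"{API_BASE}/clue_rules/{clue_id}/files"


def search_url(query: str) -> str:
    """Intelligence search endpoint; the query is URL-encoded (':' -> '%3A')."""
    return f"{API_BASE}/intelligence/search?{urlencode({'query': query})}"


def false_positive_query(clue_id: str) -> str:
    """Samples that matched the clue yet have no detections: the residual 1-2%."""
    return f"clue_rule:{clue_id} AND positives:0"


def parse_clues(payload: str) -> list:
    """Parse a clues response. Field names are assumptions (constructed shape)."""
    items = json.loads(payload).get("data", [])
    return [{"id": it["id"],
             "description": it.get("attributes", {}).get("description", ""),
             "malicious_pct": it.get("attributes", {}).get("malicious_percentage")}
            for it in items]


def triage(payload: str, threshold: int = 98) -> list:
    """Keep clues at or above the precision bar and attach the FP-hunting query."""
    return [{**c, "fp_query": false_positive_query(c["id"]),
             "fp_url": search_url(false_positive_query(c["id"]))}
            for c in parse_clues(payload)
            if c["malicious_pct"] is not None and c["malicious_pct"] >= threshold]


# Constructed sample response; "CLUE_ID_PLACEHOLDER" stands in for a real clue ID.
SAMPLE_RESPONSE = json.dumps({"data": [
    {"id": "CLUE_ID_PLACEHOLDER", "type": "clue_rule", "attributes": {
        "description": "Has section #3 named \".imports\"", "malicious_percentage": 98}},
    {"id": "WEAK_CLUE_PLACEHOLDER", "type": "clue_rule", "attributes": {
        "description": "Has 4 sections", "malicious_percentage": 61}}]})

if __name__ == "__main__":
    for clue in triage(SAMPLE_RESPONSE):
        print(clue["description"], "->", clue["fp_url"])
```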