VirusTotal
VirusTotal is a free online service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content using multiple antivirus engines and website scanners.
Verdict
Common use cases
- Triage phishing URLs flagged in support tickets
- Validate file hashes before deploying builds
- Investigate suspicious domains from firewall logs
- Review malware verdicts and community comments
- Map IP address relationships during incident response
Integration
- Vendor: VirusTotal
- Category: other
- Auth: API_KEY
- Tools: 16
- Composio slug: virustotal
Tools
- Add VirusTotal Comment
  Tool to add a comment to a VirusTotal resource (file, URL, domain, or IP address). Use after analyzing a resource to leave contextual feedback. Provide exactly one identifier per call.
- Add Vote
  Tool to add a vote (harmless/malicious) to a VirusTotal resource. Use after reviewing analysis results to submit your verdict.
- Get Analysis Report
  Tool to retrieve the analysis report of a file or URL submission. Use after obtaining an analysis ID to fetch its detailed report.
- Get Comments
  Tool to retrieve the latest comments on a VirusTotal resource. Use when you need to review user-generated comments for a file, URL, domain, or IP after obtaining its identifier.
- Get Domain Relationships
  Tool to retrieve relationship objects for a given domain. Use when you have a domain and need to explore its related entities.
- Get Domain Report
  Tool to retrieve the analysis report of a domain. Use when you need detailed insight on a domain's reputation and analysis stats.
- Get File Report
  Tool to retrieve the analysis report of a file. Use when you have a file's hash and need detailed scan metadata.
- Get IP Address Relationships
  Tool to retrieve objects related to a specific IP address by relationship type. Use when you have an IP and need to explore connected files, URLs, or other entities.
- Get IP Address Report
  Tool to retrieve the analysis report of an IP address. Use when you need detailed insight on an IP's reputation, ASN, country, and analysis stats.
- Get URL Report
  Tool to retrieve the analysis report of a URL. Use when you have a URL identifier (base64-url without padding) and need detailed scan results, reputation, and metadata.
- Get VirusTotal Metadata
  Tool to retrieve VirusTotal metadata. Use when you need to list all available API endpoints with methods, summaries, and URLs.
- Get Votes
  Tool to retrieve votes on files, URLs, domains, or IP addresses. Use when you need to view community votes for a given object.
- Rescan File
  Tool to re-analyze a previously submitted file. Use when you need updated analysis results after an initial scan.
- Scan URL
  Tool to submit a URL for scanning. Use when you have a URL and need to submit it to VirusTotal to obtain an analysis ID for later retrieval.
- Search VirusTotal
  Tool to search for objects in the VirusTotal database. Use when locating files, URLs, domains, IPs, or comments matching a query. Supports pagination with limit and cursor.
- Upload File
  Tool to upload a file for scanning. Use when you have binary file content ready to submit for VirusTotal analysis.
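The tools above take exactly one identifier per call, and Get URL Report expects the URL in base64-url form without padding. The Python helper below is an added example, not Switchy's or VirusTotal's own code: it normalizes one indicator from a ticket into a resource type and identifier. The function names are hypothetical, and it assumes indicators may arrive defanged (`hxxp://`, `[.]`).

```python
import base64
import ipaddress
import re

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digits -> hash type
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

def refang(indicator: str) -> str:
    """Undo common ticket defanging (hxxp://, [.], [:]) before lookup."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")

def url_identifier(url: str) -> str:
    """Base64-url encode the URL and strip the '=' padding."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")

def decode_url_identifier(identifier: str) -> str:
    """Restore the padding and decode an identifier back to its URL."""
    padded = identifier + "=" * (-len(identifier) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")

def classify(indicator: str) -> tuple[str, str]:
    """Return (resource_type, identifier) for exactly one indicator."""
    s = refang(indicator)
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) in HASH_LENGTHS:
        return "file", s.lower()
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        pass  # not an IP address; keep trying other types
    if re.match(r"^https?://", s, flags=re.IGNORECASE):
        return "url", url_identifier(s)
    if DOMAIN_RE.match(s.lower()):
        return "domain", s.lower()
    raise ValueError(f"unrecognised indicator: {indicator!r}")

if __name__ == "__main__":
    # Constructed sample indicators, as they might appear in a support ticket.
    for raw in ["hxxps://example[.]com/download.exe", "203.0.113.45",
                "suspicious-site.net", "A" * 64]:
        print(raw, "->", classify(raw))
```

Rejecting anything that does not parse as exactly one known type keeps free-form ticket text from being sent as a lookup.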
Setup
Setup guide
1. Go to your VirusTotal account dashboard and generate an API key under Settings > API Key (create a free account if you don't have one).
2. In Switchy, open your workspace settings and navigate to Integrations > Add MCP.
3. Select VirusTotal from the catalog and paste your API key into the authentication field.
4. Click Connect and wait for the green confirmation banner.
5. Open any Space and type '@VirusTotal get file report' followed by a SHA-256 hash to test the connection.
6. If the MCP returns scan results, setup is complete.
7. To invoke other tools, @mention VirusTotal and describe your task in plain language—the AI will map your request to the correct tool (e.g. 'check this domain for malware' triggers Get Domain Report).
8. Free-tier keys hit rate limits quickly; upgrade to a premium plan if your team runs frequent scans.
What teammates see: by default, memories from VirusTotal are scoped to the Space (PROJECT visibility); you can mark any memory PRIVATE or share it ORG-wide.
How Switchy teams use it
Starter prompts
Scan Suspicious URL
@VirusTotal analyze this URL for malware: https://example.com/download.exe. Show me how many engines flagged it and the overall verdict.
Check File Hash
@VirusTotal get the file report for SHA-256 hash a3c5e8d2f1b4e9a7c6d3f2e1b8a5c4d7e9f2a1b3c5d8e7f4a2b1c9d6e3f5a8b2. List all detections.
Domain Reputation Lookup
@VirusTotal retrieve the domain report for suspicious-site.net. Include reputation score and any malicious activity flags.
Explore IP Relationships
@VirusTotal show me all files and URLs related to IP address 203.0.113.45. I need to trace potential malware distribution.
Add Malware Verdict
@VirusTotal vote this file hash as malicious: b4e9a7c6d3f2e1b8a5c4d7e9f2a1b3c5d8e7f4a2b1c9d6e3f5a8b2c1d4e7f9a3. We confirmed it's ransomware.
Example outputs
Illustrative - representative of the model's voice and quality, not literal recordings.
@virustotal check the reputation of example-malware.com and show me the latest detection stats
Based on VirusTotal's domain report, example-malware.com has been flagged by 42 of 89 security vendors. Last analysis date: 2024-01-15. Categories include phishing (18 vendors) and malware distribution (24 vendors). The domain has 3 known subdomains and 127 communicating files in the past 30 days. Reputation score: -85 (malicious). This illustrative example shows how the MCP surfaces aggregated threat intelligence from multiple antivirus engines and URL scanners.
This example uses the Get Domain Report tool to fetch reputation data. Requires a valid API key with domain lookup permissions. Detection counts and categories reflect real-time vendor updates—results change as threat intelligence evolves. Free-tier API keys are rate-limited to 4 requests/minute.
@virustotal I analyzed suspicious-file.exe (SHA256: a1b2c3...) and confirmed it's a false positive—add a comment explaining it's a legitimate installer
Comment successfully added to file resource a1b2c3d4e5f6... on VirusTotal. Your note 'Confirmed false positive: legitimate installer for XYZ Software v2.1, signed by trusted publisher' is now visible to the community. This illustrative example demonstrates how the MCP enables collaborative threat analysis by letting you contribute context to shared intelligence feeds.
This example uses the Add VirusTotal Comment tool to post feedback on a file hash. Requires authentication and assumes you've already retrieved the file's analysis. Comments are public and permanent—use carefully in production environments. Side-effect: your account name appears alongside the comment in VirusTotal's interface.
@virustotal pull all related URLs and communicating files for IP address 203.0.113.45, then summarize any patterns suggesting botnet activity
Retrieved 23 related URLs and 14 communicating files for IP 203.0.113.45. Analysis shows: 18 of 23 URLs share identical URI path structure (/api/c2/beacon), 11 files exhibit common packer signatures (UPX), and 9 URLs were first seen within a 72-hour window in December 2024. Pattern suggests coordinated command-and-control infrastructure. This illustrative example shows how the MCP's relationship data enables the AI to identify behavioral indicators across linked resources.
This example combines the Get IP Address Relationships tool with AI reasoning to detect threat patterns. Relationship queries can return large datasets—responses may be truncated or paginated depending on API tier. Requires IP lookup permissions. Use this workflow when investigating infrastructure rather than isolated indicators.
Use-case deep-dives
When VirusTotal MCP speeds up malware ticket triage
A 6-person customer support team handling 40+ security tickets daily needs to quickly assess whether a flagged file or URL is actually malicious before escalating to engineering. The VirusTotal MCP wins here because the Get File Report and Get Domain Report tools pull multi-engine scan results in seconds, letting support agents make confident triage calls without waiting on internal security tooling. The Add Vote and Add Comment tools let the team build institutional knowledge directly in VirusTotal, so future tickets referencing the same hash skip the research step entirely. This setup breaks down if your team handles proprietary binaries or internal-only URLs—VirusTotal's public database won't have coverage, and you'll need a private sandbox instead. If 80% of your tickets involve public-facing threats (phishing links, known malware families), this MCP cuts triage time in half.
How a 3-person SOC uses this for domain pivoting
A startup's 3-person security operations team investigates a suspicious domain flagged by their SIEM and needs to map its infrastructure before deciding whether to block it network-wide. The Get Domain Relationships and Get IP Address Relationships tools let them pivot from one indicator to connected files, subdomains, and hosting IPs without leaving Switchy, building a threat graph in minutes instead of hours of manual lookups. The Get Comments tool surfaces context from the security community—if another analyst already documented this as a false positive or part of a known campaign, the team saves the investigation cycle. This approach hits limits around 10+ pivots per incident; VirusTotal's API rate limits and the MCP's 16-tool scope mean deep infrastructure mapping still needs dedicated threat intel platforms. For initial scoping and deciding whether to escalate, this MCP is the right first move.
When this MCP handles employee-reported phishing URLs
A 12-person IT helpdesk at a 200-employee company processes 5-10 employee-reported phishing emails per week and needs a repeatable workflow to verify URLs before sending company-wide warnings. The Get Analysis Report tool lets helpdesk staff submit a suspicious link and retrieve its scan verdict in under a minute, while the Add VirusTotal Comment tool documents internal handling notes ("reported by finance team, blocked at proxy") for audit trails. This beats forwarding every report to a security vendor or waiting on manual sandbox analysis. The workflow breaks if employees report internal application URLs or password-reset links from legitimate SaaS tools—VirusTotal flags anything it hasn't seen before, creating false-positive noise. If your phishing reports are 90% external threats (fake invoices, credential harvesting), this MCP turns a 20-minute investigation into a 2-minute ticket close.
Frequently asked
What does the VirusTotal MCP do in Switchy?
It lets your team scan files, URLs, domains, and IP addresses for malware and security threats without leaving Switchy. You can retrieve analysis reports, check reputation scores, add comments or votes on resources, and explore relationships between domains or IPs. All 16 tools pull data directly from VirusTotal's threat intelligence database, so your AI agents can answer security questions in real time.
Do I need a VirusTotal API key to connect this MCP?
Yes. The integration uses API key authentication, so you'll need a VirusTotal account and an active API key. Free-tier keys work but have rate limits—if your team runs frequent scans or bulk lookups, you'll hit those caps quickly. Premium keys unlock higher quotas and faster response times. Paste the key into Switchy's connection flow and you're live.
Can the VirusTotal MCP scan files I upload to Switchy?
No. The MCP retrieves existing analysis reports by hash, URL, domain, or IP; it doesn't submit new files for scanning. If you need to scan a fresh file, upload it to VirusTotal's web interface or API first, then use the MCP to fetch the report by hash. The integration is read-heavy: it pulls threat intel rather than generating it.
How is this different from using VirusTotal's web UI?
The MCP brings VirusTotal data into your team's AI workspace, so you can query threat intel alongside Slack threads, GitHub issues, or Notion docs. Instead of tab-switching to check a suspicious URL, your agent fetches the report inline. You also get programmatic access to relationship graphs and comment threads, which the web UI buries in separate tabs.
Who on my team should connect the VirusTotal MCP?
Whoever owns your VirusTotal account and has the API key. Security engineers or IT admins typically hold those credentials. Once connected, any Switchy user in your workspace can invoke the tools—no per-seat API keys required. Just make sure your VirusTotal plan's rate limits can handle the team's query volume.