Understanding Traffic from Security Analytics to VirusTotal

Article ID: 413009


Products

Security Analytics

Issue/Introduction

During network monitoring or routine inspection, you may notice traffic flowing from your Security Analytics (SA) platform towards VirusTotal. This activity can sometimes raise questions about whether it is legitimate or indicative of a potential issue.

In most cases, this is expected and normal behavior — provided that you have VirusTotal integration enabled in your Security Analytics configuration.

Cause

When VirusTotal integration is active, Security Analytics automatically sends specific data to VirusTotal for further threat intelligence analysis. This data may include:

  • Extracted files from network traffic or endpoints

  • MD5 file hashes associated with suspicious files or activities

  • URLs that are flagged for potential malicious behavior

Resolution

Disabling VirusTotal integration will prevent further communication with the service.