You paste a suspicious link or upload a file, the page returns a wall of panels, numbers, engine names and coloured badges, and somewhere on that page is the answer to the only question you actually care about: is this thing safe or not? Security scan reports are genuinely useful, but they are built for analysts first and worried humans second. This guide unpacks what you are actually looking at on a VirusTotal, urlscan.io or ScanTotal report, and how to translate it into a decision in about a minute.
The short version: no single number on a scan report is the answer. What matters is the pattern across a few different checks, and most of the confusion people run into comes from over-weighting one signal.
The Three Kinds of Signals a Report Combines
Every modern scan report, whether it comes from VirusTotal, urlscan.io, Hybrid Analysis, or ScanTotal, is really a fusion of three different kinds of checks. Once you know which part of the report is doing which job, the whole page gets much easier to read.
1. Reputation lookups. The file hash or URL is checked against databases of things that have already been seen and labelled. On VirusTotal this is the famous row of antivirus engine names and verdicts. Reputation is fast and extremely accurate for known threats, but it has a blind spot: anything new is unseen, so zero detections does not automatically mean safe.
2. Structural or heuristic analysis. The scanner looks at the shape of the thing itself, a URL with a raw IP address on a non-standard port pointing to a /bins/ directory looks suspicious regardless of whether any database has logged it yet. A file with certain structural red flags behaves the same way. Heuristics fill the time gap while fresh threats haven't made it into the reputation databases.
3. Behavioural or live analysis. The scanner actually executes the file in a sandbox or fetches the URL and watches what happens. Behavioural reports are the richest but also the slowest, because something has to actually run. Hybrid Analysis and urlscan.io are well known for this kind of output; ScanTotal's Active Analysis performs live probing on URLs without running user code.
When you look at a report that shows "0/70 engines detected, but risk score 80/100 and three behavioural red flags," those three signals are not contradicting each other. They are telling you a consistent story: nobody has reported this yet (reputation blind spot), but the shape and behaviour look bad (heuristic + behavioural warning). That is exactly the kind of pattern a fresh malicious URL produces.
Reading the Detection Count (the "X out of 70" Number)
The single most-recognised number on a security report is the detection ratio, something like "3 / 70" or "0 / 72." This is the count of antivirus or URL-reputation engines that flagged the item out of the total that were queried. It is enormously useful, and it is also the single most over-interpreted number in security.
0 detections. Not yet known to be bad. Very common for fresh files or URLs. Do not read this as "confirmed safe." Pair it with heuristic and behavioural signals.
1-2 detections. Often a false positive, especially if the flagging engines are ones with a reputation for aggressive generic rules. Legitimate installers, PowerShell scripts and developer tools trip small numbers of engines regularly. The VirusTotal community tab (the "Comments" and the detailed engine list) is the right place to sanity-check.
3-10 detections. The grey zone. At this point, at least some engines with independent classification pipelines are agreeing, which is meaningful. Look at what the engines are calling it: if several name a specific malware family, treat it seriously.
10+ detections. The community has broadly agreed this is malicious. The higher the number, the more confident the call. Treat the item as hostile and move on.
VirusTotal's own documentation is explicit about this nuance, it is a meta-scanner aggregating many independent engines, and the count is input to judgement, not a final verdict. The official VirusTotal results documentation is worth a read if you want the technical detail.
Reading a URL-Scan Report (urlscan.io Style)
URL-focused reports like urlscan.io package a different set of signals because the target is a live page, not a file. The key panels to look at:
- Final URL and redirect chain. You submitted one URL, but what did the page actually take you to? A redirect chain of ten hops ending on a different country's domain is a common pattern for phishing and malvertising.
- Screenshot. What does the page look like to a human visitor? A login form claiming to be Microsoft on a domain that is not Microsoft is an instant red flag.
- Server / hosting details. IP, ASN, country, hosting provider. Legitimate brands have consistent hosting patterns; a banking login page served from a residential ISP in a country with no business presence is suspicious.
- HTTP transactions. What the browser fetched, scripts, iframes, POST requests. Useful for spotting phishing kits, skimmers and crypto-drainers.
- Brand flag / verdict. Many URL scanners detect brand impersonation (e.g. a page mimicking PayPal, Microsoft, AusPost) and flag it directly. A high-confidence brand flag on a non-matching domain is almost always a phishing hit.
urlscan.io in particular has a very rich public-scan interface with a community feed of recent scans, which is useful context but also written primarily for SOC analysts. The urlscan FAQ explains the result fields in depth.
Reading a File-Scan Report (Hashes, Sandboxes and Behaviours)
File reports are even denser because a single binary can be analysed from many angles. The three sections worth scanning first:
Hash and file-type header. The SHA-256 and SHA-1 hashes are the file's unique digital fingerprint. The file-type detection (PE executable, Office macro document, Mach-O, ISO, LNK) tells you what the file really is, not just what its extension claims. Any mismatch between extension and real type is a red flag, a invoice.pdf that is actually a Windows executable is a classic malware disguise.
Behavioural / sandbox report. This is the crown jewel of tools like Hybrid Analysis. When the file is executed in a controlled environment, the sandbox records what it does: files dropped, registry keys written, network connections opened, processes spawned. A sandbox report that shows an "invoice" file opening PowerShell and reaching out to a foreign IP is unambiguous, regardless of whether any AV engine has seen that particular sample yet.
Rules and IoCs. YARA rule matches, MITRE ATT&CK technique tags, and indicators of compromise (IoCs). These connect your sample to broader threat research. If your file matches a YARA rule named malware_family_info_stealer, that is a very specific and serious signal, it means a researcher has seen enough samples of this exact family to write a signature.
Reading a ScanTotal Report
ScanTotal reports are deliberately shorter and written in the style that most home and small-business users need: a single overall verdict at the top, followed by the evidence that led to it. The structure mirrors the three-signal model above:
- Overall Assessment, one colour-coded banner (green, amber, orange, red) reflecting the worst finding across all checks.
- Risk Score, the heuristic score out of 100, plus the specific structural indicators that triggered it. If a URL uses a raw IP on a non-standard port pointing to a
/bins/directory, the indicators list says so in plain words. - Databases Checked, a row per source (Google Safe Browsing, ScanTotal's own reputation, Active Analysis) with a simple "clean," "suspicious" or "detected" status. This lets you see at a glance which of the three signal types is driving the verdict.
- Active Analysis findings, the live-probe notes: content-type mismatches, redirect chains, server headers, malware-naming patterns in the URL path.
- Recommendations, what to do, based on the combined findings.
For the deeper story on how the three engines combine and what each one is good at, we published a companion piece: The Three Layers of URL Safety, Reputation, Heuristics, and Live Probing.
Common Misreadings to Avoid
Two specific mistakes account for most of the confusion people have when they read a scan report.
Treating "0 detections" as a clean bill of health. A new malicious file can sit at 0/70 for hours or even days before the detection community catches up. Reputation is necessary but not sufficient. If you are scanning something because you already suspect it, the suspicion itself is a signal, look at the heuristic and behavioural sections before you relax.
Treating "1/70 detection" as proof of malware. Single detections by aggressive engines on otherwise clean files are genuinely common, especially for niche installers, developer tools, game mods and older legitimate software. Before you call a single detection malware, check which engine flagged it, whether the detection name is a specific family (e.g. Trojan.Win32.FamilyX) or a generic heuristic (e.g. Heur.Suspicious.Gen), and whether the community tab has analyst comments supporting or disputing the call.
A Quick Reading Workflow
If you scan something and are not sure how to read the result, this takes about a minute:
- Start with the headline verdict. Big red banner, high detection count, or explicit "phishing detected"? Trust it and move on.
- If it is borderline, look at the detection ratio. 0 means unknown, not safe. 1-2 means investigate. 3+ means probably real.
- Look at the structural indicators. If the URL has a raw IP, odd port or malware-named path, the heuristic panel will say so plainly. Weight these heavily for unknown URLs.
- Check the behavioural panel if there is one. Sandbox actions and live-probe findings are the last line of defence when reputation is silent.
- Cross-check on a second scanner if the stakes are high, money, credentials, or a business-critical file. VirusTotal for files, urlscan.io for URLs, ScanTotal for a consolidated consumer-friendly read.
The best scan reports in the industry, VirusTotal, urlscan.io, Hybrid Analysis, are extraordinarily valuable resources and ones we rely on ourselves. They are written for professionals, which is right for their audience, and it is why a friendlier first-pass layer is useful on top. Read them as evidence boards rather than yes/no oracles, and a lot of the mystery goes away.