How ScanTotal Detects Malware URLs That Other Scanners Miss

Published: 06 April 2026 | 8 min read | By ScanTotal Security Team
Last reviewed: 4 May 2026 by Kumari Rajapaksha — Founder, ScanTotal

Last week, I tested a URL that was actively distributing malware. It was a raw IP address on a non-standard port, hosting executable files with filenames matching a known botnet family. A well-known free scanner checked it against its database and returned "no threats found." That wasn't good enough.

The URL was new enough that no database had catalogued it yet. But everything about it screamed malware: the IP address, the port, the path structure, the file being served. A human security analyst would have flagged it in seconds. So why couldn't a scanner?

That question is what drove us to build something different.

The Problem With Database-Only Scanning

Here's how most free URL scanners work: you submit a URL, they check it against a database of known threats, and they tell you whether it's in the database or not. That's it.

The approach has an obvious blind spot. Cybercriminals create new URLs constantly. A malware distribution server might only be active for a few hours before moving to a new address. In that window, it's invisible to every database-only scanner. You scan it, get a clean result, visit it, and get infected.

Database lookups are necessary — they catch the known threats quickly and reliably. But they're not sufficient on their own. You need something that can look at a URL that's never been reported and still determine whether it's dangerous.

Our Solution: Three Engines, One Verdict

ScanTotal doesn't rely on a single detection method. Every URL you submit is analysed by three independent engines running simultaneously. Their results are combined to produce a comprehensive verdict that catches threats no single engine could detect alone.

Engine 1: URL Safety Analysis

We start by examining the URL itself — before contacting any server or checking any database. We look at the structure of the address for patterns that are strongly associated with malicious infrastructure.

Is it using a raw IP address instead of a proper domain name? Is it on an unusual port? Does the path contain directories like /bins/ or /bot/ that are commonly used to distribute malware? Does the file extension suggest an executable being served from a web URL?

Each suspicious characteristic adds points to a risk score on a 0–100 scale. A legitimate website like google.com scores near zero. A raw IP address serving an ELF binary from a /bins/ path scores near 100. The score is colour-coded — green, amber, orange, or red — so you can see at a glance how suspicious the URL is.
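As an added illustration (not ScanTotal's code, whose indicator lists and weights are not published), here is a heuristic scorer that answers the four questions above from the URL string alone and maps the total onto the four colour bands. The directory list, extension list, weights and band thresholds are assumed values; the sample URLs are constructed, using the 203.0.113.0/24 documentation address range.

```python
# Added example (not ScanTotal's code): a heuristic URL scorer in the spirit of
# Engine 1. Indicator lists, weights and colour thresholds are assumptions.
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Assumed indicator lists; ScanTotal's real lists are not published.
SUSPICIOUS_DIRS = {"bins", "bin", "bot", "bots", "payload", "payloads"}
EXECUTABLE_EXTS = {".exe", ".elf", ".sh", ".bin", ".scr", ".bat", ".arm", ".arm5",
                   ".arm6", ".arm7", ".mips", ".mpsl", ".x86", ".x86_64", ".ppc", ".sh4"}
STANDARD_PORTS = {80, 443}

# Assumed weights; each one adds points on the 0-100 scale.
W_RAW_IP, W_ODD_PORT, W_BAD_DIR, W_EXEC_EXT, W_PLAIN_HTTP = 35, 20, 25, 25, 5


def score_url(url: str) -> tuple[int, list[str]]:
    """Return (risk score 0-100, human-readable reasons) for a URL string.

    The URL itself is the only input: no DNS, no HTTP, no database lookup.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    score, reasons = 0, []

    # 1. Raw IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        score += W_RAW_IP
        reasons.append("raw IP address used instead of a domain name")
    except ValueError:
        pass

    # 2. Non-standard port (urlsplit().port raises ValueError on a malformed port).
    try:
        port = parts.port
    except ValueError:
        port = None
    if port is not None and port not in STANDARD_PORTS:
        score += W_ODD_PORT
        reasons.append(f"non-standard port {port}")

    # 3. Directory names commonly used by malware droppers.
    segments = [s.lower() for s in parts.path.split("/") if s]
    if parts.path.endswith("/"):
        dirs, filename = segments, ""
    else:
        dirs, filename = segments[:-1], (segments[-1] if segments else "")
    hit_dirs = sorted(SUSPICIOUS_DIRS.intersection(dirs))
    if hit_dirs:
        score += W_BAD_DIR
        reasons.append("suspicious path directory: /" + "/, /".join(hit_dirs) + "/")

    # 4. File extension that suggests an executable served over HTTP.
    ext = posixpath.splitext(filename)[1]
    if ext in EXECUTABLE_EXTS:
        score += W_EXEC_EXT
        reasons.append(f"executable-looking file extension {ext}")

    # 5. Plain HTTP is only a weak signal on its own.
    if parts.scheme == "http":
        score += W_PLAIN_HTTP
        reasons.append("plain HTTP (no TLS)")

    return min(score, 100), reasons


def colour_band(score: int) -> str:
    """Map a 0-100 score onto the four colour bands used in the article (assumed cut-offs)."""
    if score < 25:
        return "green"
    if score < 50:
        return "amber"
    if score < 75:
        return "orange"
    return "red"


if __name__ == "__main__":
    # Constructed sample URLs; 203.0.113.0/24 is a documentation range.
    for u in ("https://www.google.com/",
              "http://example.com/downloads/setup.exe",
              "http://203.0.113.5:8080/bins/mirai.arm7"):
        s, why = score_url(u)
        print(f"{colour_band(s):6} {s:3}  {u}")
        for r in why:
            print("        -", r)
```

The weights are deliberately additive rather than multiplicative so that each reason shown to the user accounts for a fixed, explainable share of the score; a raw IP on a standard port serving an HTML page stays in amber, while the combination of raw IP, odd port, dropper directory and executable extension saturates at 100.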

This engine catches many threats instantly, with no external calls needed. But some dangerous URLs look perfectly normal on the surface. That's where Engine 2 comes in.

Engine 2: Active Analysis (Deep Probe)

This is where ScanTotal goes further than most free tools. Instead of just looking at the URL, we actually contact it and examine what comes back.

Our Active Analysis engine uses a smart multi-method probing approach. It starts with a lightweight HEAD request to check response headers. If the server responds, it makes a GET request with a range header to fetch just the first 32 bytes of the content. Those 32 bytes are enough to determine the actual file type using binary signature analysis — a technique called "magic byte" detection.

Why does this matter? Because a malware distribution server might claim it's serving a web page in its headers, but the actual content is a Linux executable. Our scanner catches that mismatch.

We also check if the server behaves differently depending on how it's contacted. Some malware servers only respond to download tools like wget, and return nothing to regular browsers. That's called selective serving, and it's a strong indicator of malware distribution. If our standard requests get blocked but a wget-style request succeeds, that's a major red flag.

The engine also scans filenames in the URL path against a database of known malware family names. Botnets like Mirai, Sora, Gafgyt, Mozi, and Tsunami use recognisable naming patterns in their distribution URLs. If a filename matches, we flag it immediately.

Finally, we follow any redirect chains (up to five hops) to see where the URL actually leads, and we analyse server headers for signs of suspicious infrastructure — things like Python HTTP servers or HFS file servers, which are commonly used as quick-and-dirty malware hosts.
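The checks described in this section, as an added example that is not ScanTotal's code: the magic-byte identification of the first 32 bytes, the comparison against the declared Content-Type, the family-name match on the filename, the Server-header check, the selective-serving comparison and the redirect-hop count. It runs offline over constructed probe records rather than contacting anything; the signature table, the family list (taken from the names in the article), the server strings, the weights and the "browser"/"wget" labels (stand-ins for whichever client identities a scanner would send) are all assumptions.

```python
# Added example (not ScanTotal's code): active-analysis checks in the spirit of
# Engine 2, run offline over constructed probe results. Signatures, family list,
# server strings and weights are assumptions drawn from the names in the article.
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Magic-byte signatures; a ranged GET for the first 32 bytes covers all of these.
MAGIC_SIGNATURES = (
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "PE executable"),
    (b"#!", "script with shebang"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\x1f\x8b", "gzip archive"),
)
# Botnet family names the article mentions, matched against the final path segment.
FAMILY_RE = re.compile(r"mirai|sora|gafgyt|mozi|tsunami", re.IGNORECASE)
# Server header fragments for quick-and-dirty file hosts (Python http.server, HFS).
SUSPICIOUS_SERVERS = ("SimpleHTTP", "BaseHTTP", "HFS")

# Assumed weights on the engine's 0-100 scale.
W_EXECUTABLE, W_TYPE_MISMATCH, W_FAMILY, W_SERVER, W_SELECTIVE, W_REDIRECTS = 40, 20, 50, 15, 30, 10


@dataclass
class ProbeResult:
    """What the HEAD / ranged-GET probes returned for one URL (constructed, not live)."""
    url: str
    content_type: str                    # declared Content-Type header
    first_bytes: bytes                   # body of the ranged GET (Range: bytes=0-31)
    server: str = ""                     # Server header, if any
    status_by_agent: dict[str, int] = field(default_factory=dict)  # {"browser": 403, "wget": 200}
    redirect_hops: int = 0               # hops followed before the final response (max 5)


def sniff_file_type(first_bytes: bytes) -> str | None:
    """Identify the real content from its leading bytes, ignoring what the headers claim."""
    head = first_bytes[:32]
    for signature, name in MAGIC_SIGNATURES:
        if head.startswith(signature):
            return name
    text = head.lstrip().lower()
    if text.startswith(b"<!doctype") or text.startswith(b"<html"):
        return "HTML document"
    return None


def analyse(probe: ProbeResult) -> dict:
    """Score one probe result and explain every point awarded."""
    score, findings = 0, []
    actual = sniff_file_type(probe.first_bytes)
    declared = probe.content_type.split(";")[0].strip().lower()

    # Executable content is a strong signal; a text/* label on top of it is the
    # header/content mismatch the article describes.
    if actual and actual.endswith("executable"):
        score += W_EXECUTABLE
        findings.append(f"body identified as {actual}")
        if declared.startswith("text/"):
            score += W_TYPE_MISMATCH
            findings.append(f"declared Content-Type {declared!r} does not match the body")

    # Known family name in the filename.
    filename = urlsplit(probe.url).path.rsplit("/", 1)[-1]
    family = FAMILY_RE.search(filename)
    if family:
        score += W_FAMILY
        findings.append(f"filename matches malware family {family.group(0).lower()}")

    # Server software typical of throwaway file hosts.
    if any(tag.lower() in probe.server.lower() for tag in SUSPICIOUS_SERVERS):
        score += W_SERVER
        findings.append(f"suspicious Server header {probe.server!r}")

    # Selective serving: browser-like requests refused, download-tool requests served.
    browser, wget = probe.status_by_agent.get("browser"), probe.status_by_agent.get("wget")
    if wget == 200 and browser is not None and browser != 200:
        score += W_SELECTIVE
        findings.append(f"selective serving: browser got {browser}, wget-style client got 200")

    # Long redirect chains hide the real destination.
    if probe.redirect_hops >= 3:
        score += W_REDIRECTS
        findings.append(f"{probe.redirect_hops} redirect hops before the final response")

    return {"score": min(score, 100), "file_type": actual, "findings": findings}


# Constructed probe results for demonstration (203.0.113.0/24 is a documentation range).
SAMPLE_PROBES = [
    ProbeResult(url="https://example.com/index.html", content_type="text/html; charset=utf-8",
                first_bytes=b"<!DOCTYPE html><html><head><title>Example", server="nginx/1.24.0",
                status_by_agent={"browser": 200, "wget": 200}),
    ProbeResult(url="http://203.0.113.5:8080/bins/mirai.arm7", content_type="text/html",
                first_bytes=b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 24,
                server="SimpleHTTP/0.6 Python/3.11.2", status_by_agent={"browser": 404, "wget": 200}),
]

if __name__ == "__main__":
    for probe in SAMPLE_PROBES:
        result = analyse(probe)
        print(f"{result['score']:3}  {probe.url}  ({result['file_type']})")
        for finding in result["findings"]:
            print("      -", finding)
```

Keeping the network layer out of `analyse()` is a deliberate choice: every rule operates on a recorded `ProbeResult`, so the same function can be unit-tested against captured responses and re-run when a signature or weight changes, without re-contacting a host that may already have moved.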

Engine 3: Google Safe Browsing

The third engine queries Google's Safe Browsing API — one of the world's largest databases of known phishing pages, malware sites, and deceptive content. It's the same database that powers the safety warnings in Chrome, Firefox, and Safari.

This engine is excellent for catching well-known threats that have already been reported and catalogued. It complements our heuristic and active analysis engines, which focus on detecting threats that are too new for any database.

How the Combined Scoring Works

Each engine produces its own assessment. The final verdict is determined by combining all three signals:

  • No Threats Found (green): All engines report clean results with low risk scores.
  • Use Caution (amber): Some suspicious characteristics detected, but nothing confirmed as malicious. Worth checking carefully.
  • High Risk Detected (orange): Multiple warning signs across engines. The URL has characteristics strongly associated with malicious infrastructure.
  • Threats Detected (red): Confirmed malicious content, executable files, known malware family indicators, or positive database matches. Do not visit this URL.

The key insight is that signals combine. A URL might score 60 on the heuristic engine (suspicious structure) and 50 on active analysis (malware family name detected). Neither score alone crosses the "threats detected" threshold. But together, with a confirmed malware family name, the combined assessment correctly escalates to red.
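The escalation just described, as an added example that is not ScanTotal's code: a verdict function that takes the two numeric engine scores, the named findings from active analysis and the Safe Browsing result, and reproduces the 60 + 50 case (orange on scores alone, red once a malware family name is confirmed). The combination formula, the 25/50/75 cut-offs and the set of findings treated as confirmation are assumptions.

```python
# Added example (not ScanTotal's code): combining the three engines' outputs into
# one verdict. The formula, thresholds and "confirmed signal" set are assumptions
# chosen to reproduce the 60 + 50 escalation case described in the article.
from dataclasses import dataclass, field

# Findings treated as confirmation regardless of the numeric scores.
CONFIRMED_SIGNALS = {"executable served", "malware family name", "safe browsing match"}


@dataclass
class EngineOutputs:
    heuristic_score: int                       # Engine 1, 0-100
    active_score: int                          # Engine 2, 0-100
    active_signals: set = field(default_factory=set)  # Engine 2 findings by name
    safe_browsing_match: bool = False          # Engine 3


def combined_score(heuristic: int, active: int) -> int:
    """The stronger engine counts in full; the weaker one adds a quarter of its score."""
    high, low = max(heuristic, active), min(heuristic, active)
    return min(100, high + low // 4)


def verdict(out: EngineOutputs) -> tuple[str, str, int]:
    """Return (label, colour, combined score) using the article's four bands."""
    score = combined_score(out.heuristic_score, out.active_score)
    confirmed = set(out.active_signals) & CONFIRMED_SIGNALS
    if out.safe_browsing_match:
        confirmed.add("safe browsing match")
    # Any confirmed indicator escalates to red even when no single score crosses 75.
    if confirmed or score >= 75:
        return "Threats Detected", "red", score
    if score >= 50:
        return "High Risk Detected", "orange", score
    if score >= 25:
        return "Use Caution", "amber", score
    return "No Threats Found", "green", score


if __name__ == "__main__":
    # The article's worked case: 60 on heuristics, 50 on active analysis.
    without_family = EngineOutputs(60, 50)
    with_family = EngineOutputs(60, 50, {"malware family name"})
    print(verdict(without_family))   # orange on scores alone
    print(verdict(with_family))      # red once the family name is confirmed
    print(verdict(EngineOutputs(0, 0, set(), safe_browsing_match=True)))  # red on database hit
```

Separating the numeric score from the set of named findings is what makes the escalation explainable: the user sees both the 72 that the numbers produced and the single confirmed finding that overrode it.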

This combined approach catches threats that any single engine would miss.

What This Means for You

If you're using a free URL scanner, you deserve more than a database lookup. You deserve a tool that actually examines what a URL serves, that can detect brand-new threats, and that gives you a detailed breakdown of exactly what it found.

That's what we built. ScanTotal's three-engine system is proprietary technology, purpose-built for this scanner. It runs on Cloudflare's global network, so it's fast regardless of where you are. And it's completely free — no registration, no account, no limits.

Next time you receive a suspicious link in a text message, email, or social media DM, don't just check if it's in a database. Let ScanTotal actually probe it and tell you what's really there.

Try it yourself

Paste any suspicious URL into our scanner and see the difference three engines make.
