So you just found malware running on one of the systems in your enterprise. Do you upload it to virustotal.com to see how many antivirus vendors detect the malware? The answer to this question is an overwhelming NO! Don't do it. The temptation is understandable, but just what are you giving away to your attacker?
Anything you upload to virustotal.com (or any other public malware site, for that matter) will eventually be shared with other antivirus vendors. Now suppose the attacker built a sample specifically for your environment, with a hash that exists nowhere else. Say you work at SuperMegaBank and you have been targeted by Eastern European bad guys. Because they don't like being caught, they create a new piece of malware, with a unique hash, just for you. When you send it to any public site, it will eventually get back to the antivirus vendors (in fact, eventually all of them). Any decent attacker has a lab with a number of AV products, and when the vendors incorporate your sample into their updated definitions, the attacker will know they've been found out. Unfortunately for them, by that time you have removed the malware from your environment and they are back to doing initial access operations. This slow path through signature updates is the lesser problem.
The more immediate concern is that most sites have a search feature. Using it, anyone with API access (or in some cases just a web browser) can determine whether a given hash has ever been submitted or analyzed. So as soon as you upload the sample, anyone searching for its hash learns that the file has been analyzed, and because that hash is unique to your environment, a hit tells the attacker not only that the tool has been found but which victim found it. This of course includes your attacker, who only needs to look the hash up, not submit anything. If your attackers know you are onto them, that's not a good thing: they may swap out their tools and/or go to ground. That leaves you holding the bag, trying to find attackers who are now doing their best to hide from you.
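To make that mechanism concrete, here is an added example (not tooling from the original author) that hashes a suspect file locally and asks VirusTotal whether the hash is already known, using the v3 REST endpoint GET /api/v3/files/{hash} with the API key in the x-apikey header. A hash lookup sends only the digest, never the file, so it lets you learn exactly what the attacker could learn from the search feature without creating the public record the post warns about. It assumes an API key in the VT_API_KEY environment variable; the sample bytes and JSON response used for the offline demo are constructed.

```python
"""Ask VirusTotal about a suspect file by hash only, never by upload.

Added example for this post, not tooling from the original author. Assumes the
VirusTotal v3 REST API (GET https://www.virustotal.com/api/v3/files/{hash})
and an API key in the VT_API_KEY environment variable; the demo bytes and
demo response at the bottom are constructed for illustration.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def hash_bytes(data: bytes) -> dict:
    """Return md5, sha1 and sha256 hex digests of an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def hash_file(path: str) -> dict:
    """Hash a file on disk in 1 MiB chunks so large binaries need not fit in RAM."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def interpret_lookup(status: int, body: bytes) -> dict:
    """Turn a files/{hash} response into a verdict.

    404 means VirusTotal has never seen this hash: nobody has uploaded the
    sample, so it is still private to you. 200 means somebody already has,
    and the report says when and how many engines flag it.
    """
    if status == 404:
        return {"known": False, "detections": None, "first_submission": None}
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    attrs = json.loads(body)["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    return {
        "known": True,
        "detections": stats.get("malicious", 0),
        "first_submission": attrs.get("first_submission_date"),
    }


def lookup_hash(sha256: str, api_key: str) -> dict:
    """GET the report for a hash. Only the digest leaves your network."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return interpret_lookup(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # A 404 arrives as an HTTPError; hand it to the same interpreter.
        return interpret_lookup(err.code, err.read())


# Constructed stand-ins so the script demonstrates itself offline.
DEMO_SAMPLE = b"MZ\x90\x00constructed-sample-not-real-malware"
DEMO_RESPONSE = json.dumps({"data": {"attributes": {
    "first_submission_date": 1700000000,
    "last_analysis_stats": {"malicious": 23, "undetected": 47},
}}}).encode()

if __name__ == "__main__":
    hashes = hash_file(sys.argv[1]) if len(sys.argv) > 1 else hash_bytes(DEMO_SAMPLE)
    print("sha256:", hashes["sha256"])
    key = os.environ.get("VT_API_KEY")
    if key:
        print(lookup_hash(hashes["sha256"], key))
    else:
        print("no VT_API_KEY set; interpreting constructed responses instead")
        print("never uploaded ->", interpret_lookup(404, b""))
        print("already public ->", interpret_lookup(200, DEMO_RESPONSE))
```

Run it as `python vt_hash_check.py suspect.bin` with VT_API_KEY set. A 404 is the answer you want during an incident: nobody has put the sample where the attacker can see it. A 200 means someone already has, and `first_submission_date` tells you when; if that date is after your investigation began and the hash is unique to you, assume the attacker can see it too.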
The only question now is "do attackers really do this?" I can't say for sure, but I've observed what I consider to be some pretty strong circumstantial evidence. I've worked several incident response cases where the first responders uploaded samples to virustotal.com. In every one of these cases, the attacker went to ground. This left us with a much harder task of detection and remediation than we would have experienced if we'd only kept the sample to ourselves. Is virustotal.com a useful tool? Absolutely, I love it. But is it appropriate for uploading samples in an incident response? Absolutely not. Period. Practice good OPSEC.