Script VirusTotal


  • Please log in to reply
4 replies to this topic

#1 Chapi_chapo

Chapi_chapo


Posted 28 September 2016 - 03:26 AM

Hi there!

 

After talking to Aura and Grinler and reading this topic, I'm going to create a product topic for a tool I have created that might be useful for the "helpers".

Therefore I think that this is the sub-forum where this topic belongs, but if it is not, please feel free to contact me or to move this topic to the right place.

 

 

Let's start with a little overview of the tool:

 

During the disinfection of a computer, you need to find what is making all that mess; to do that, you use different tools that list a lot of the computer's files.

Those tools (OTL, FRST, ZHPDiag, CF, ...) are pretty useful; they find a lot of files that might be corrupt.

But they mostly don't have a database big enough to tell you if they really are corrupt, therefore they actually write their MD5s in their logfile.

Then, when you read the logfile, if you suspect something, you have to check every MD5 on VirusTotal to see if it matches a malware or a safe file.

Therefore I've developed a tool that takes a logfile as input, uses the VirusTotal API to get the report for each one of them, and lists the results as output.

Finally, you only need a VirusTotal API key and a few seconds to analyze a long report that can contain 50 different MD5s.

 

 

Where can I find it?

The first goal of the project was to build this for a Linux environment. Therefore it's in Python and free.

But as the majority of the helpers, the real users, are on Windows, I've made a version that doesn't need a Python environment.

You can download it from here (it's just the Python script that has been "compiled" into an exe with py2exe).

 

 

How can I install it?

For Linux and Mac users, please refer to the GitHub page or contact me.

 

For Windows users:

  • First you will need a VirusTotal public API key; you can get one if you sign up on their web site. If you don't want to create an account, contact me and I will lend you mine. :)
  • Obviously you need to download the project.
  • It is composed of an executable file and a reg file.
  • The executable contains the Python code.
  • The reg file creates two new keys in the registry so that you can execute the script just by using a contextual menu when right-clicking on a log file.
  • After merging the reg file into your registry, you have to go to HKEY_CLASSES_ROOT\txtfile\shell\VT_Scan\command and edit the value to add the path to the executable and your API key.
  • That's it!

 

How can I use it?

There are different ways, but the easiest is:

  • Right click on a .txt file and choose "Analyze with VT_Scan".
  • After a few seconds, a logfile will open in your default browser.

For the other ways, please refer to the GitHub page or contact me.

 

 

To conclude:

I think that this tool can save a lot of time for the helpers. Therefore I really want everybody to be able to use it, and for that, they have to know that it exists; that is the first purpose of this message.

So just ask me if you need any other details.

The second purpose of this message is that this tool can be improved, but for that, I need your feedback, to fit the real users' needs.

 

Thanks ;)

 

Xavier


#2 Didier Stevens

Didier Stevens


Posted 28 September 2016 - 02:13 PM

It looks like your script does not rate-limit its requests (except when there's an error).

 

For free API keys, VirusTotal allows 4 requests per minute. That's one every 15 seconds.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Chapi_chapo

Chapi_chapo

Posted 28 September 2016 - 03:10 PM

Hello :)

 

First, thank you for your answer :)

 

 

It looks like your script does not rate-limit its requests (except when there's an error).

For free API keys, VirusTotal allows 4 requests per minute. That's one every 15 seconds.

Exactly! If you look at the history, you will see that it used to do a request every 15 sec, but I've removed that behavior because it is not necessary.

What you are saying is true, VirusTotal allows 4 requests per minute. But those requests can contain as many different MD5s as you want.

Therefore, and I've already tried it, it is possible to send a request with 1457 different MD5s and you will obtain the result for each one of them.

The only real limit is the number of searches per day, which is approximately 4500 searches/day.

 

Please, be sure to test it, because, it works!

 

Xavier



#4 CatSeven

CatSeven


Posted 29 September 2016 - 05:02 AM

Hi there !

 

@ Didier Stevens

Please let me tell you the story of VT_Scan.

At the beginning, VT_Scan reports were not sorted, and it was so slow!

338 seconds to test 83 MD5 lines; it was a shame. :hysterical:

Other people and I told him, and he modified his code to make it really faster and his reports easier to read.

 

Today, congratulations to Xavier for his so useful tool.

 

A suggestion for English speakers:

You can translate the default string value of the VT_Scan registry key into English with this reg file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\VT_Scan]
@="Analyze with VT_Scan"


Best regards



Edited by CatSeven, 29 September 2016 - 05:47 AM.


#5 Chapi_chapo

Chapi_chapo

Posted 04 October 2016 - 06:35 AM

Hi,

 

I've got sad news...

 

VirusTotal recently changed its policy concerning the use of its public API:

 

resource: a md5/sha1/sha256 hash will retrieve the most recent report on a given sample. You may also specify a scan_id (sha256-timestamp as returned by the file upload API) to access a specific report. You can also specify a CSV list made up of a combination of hashes and scan_ids (up to 4 items with the standard request rate), this allows you to perform a batch request with one single call.

The bold part wasn't there 3 days ago, and it allowed the script to request all the items at once...

But that's no longer possible...

I will then roll back to a previous version scanning 4 * 4 items per minute. Maybe also do something about using multiple API keys at a time...

 

If some of you are still interested, please contact me.

 

Xavier
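Added example (not VT_Scan's own code, written for this thread): the workflow the posts describe, with the constraints Didier and Xavier settled on, i.e. pull the MD5s out of a helper's log, send at most 4 hashes per call and at most 4 calls per minute, so a log of 50 MD5s takes 13 calls spread over about three minutes. The endpoint and its `resource` CSV parameter are the 2016-era v2 public API quoted in the last post; the log lines and the fake fetch used by `dry_run` are constructed here, and `vt_fetch` is the only part that touches the network.

```python
import json
import re
import time
import urllib.parse
import urllib.request

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

# Constructed sample of the kind of log (OTL/FRST style) a helper would feed the tool.
SAMPLE_LOG = """\
C:\\Windows\\System32\\svchost.exe  MD5=0123456789ABCDEF0123456789ABCDEF
C:\\Users\\x\\AppData\\tmp.dll        MD5=ffffffffffffffffffffffffffffffff
C:\\Users\\x\\AppData\\tmp.dll        MD5=ffffffffffffffffffffffffffffffff
C:\\ProgramData\\a.exe              MD5=00000000000000000000000000000001
C:\\ProgramData\\b.exe              MD5=00000000000000000000000000000002
"""

def extract_md5s(text):
    """Unique MD5s in first-seen order, lower-cased so repeated files collapse to one lookup."""
    return list(dict.fromkeys(m.lower() for m in MD5_RE.findall(text)))

def batches(items, size=4):
    """Split hashes into groups of `size` (public API: up to 4 resources per call)."""
    return [items[i:i + size] for i in range(0, len(items), size)]

def vt_fetch(group, apikey):
    """One v2 file/report call for a batch of hashes; returns {hash: report}."""
    params = urllib.parse.urlencode({"apikey": apikey, "resource": ",".join(group)})
    with urllib.request.urlopen("https://www.virustotal.com/vtapi/v2/file/report?" + params) as r:
        data = json.load(r)  # a list for a CSV resource, a single dict for one hash
    return {d["resource"]: d for d in (data if isinstance(data, list) else [data])}

def query_all(hashes, fetch, per_request=4, requests_per_minute=4, sleep=time.sleep):
    """Send `per_request` hashes per call and wait between calls so the rate is never exceeded."""
    interval = 60.0 / requests_per_minute  # 15 s for a free key
    results = {}
    for i, group in enumerate(batches(hashes, per_request)):
        if i:
            sleep(interval)  # rate-limit every call, not only after an error
        results.update(fetch(group))
    return results

def dry_run(log_text=SAMPLE_LOG):
    """Offline run with a fake fetch; returns (results, list of pauses that would have been taken)."""
    pauses = []
    fake = lambda group: {h: {"positives": 0, "total": 57} for h in group}  # constructed reports
    results = query_all(extract_md5s(log_text), fake, sleep=pauses.append)
    return results, pauses
```

To use it against the API, call `query_all(extract_md5s(open(path).read()), lambda g: vt_fetch(g, apikey))`; each report's `positives`/`total` is what the tool's HTML output summarises per hash.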
