/vt_driver

Python scripts to interact with the VirusTotal API

Primary LanguagePython

Description

'vt_driver.py' is a small Python utility which rely on the VirusTotal API in order to verify if a file was already identified as malware.

API Key: in order to work this script needs a valid VirusTotal API key, which can be obtained by registering yourself here.

Python 2 vs. 3

Starting from version tagged 0.5, this script is meant to be executed using Python version 3.x. Otherwise use the version tagged as 0.4.

Usage

>>> vt_driver.py -f config_file -s malware_sample

The template config/vt_config_template.cfg can be used as a reference for your own config file.

Available configuration parameters are the following:

  • API_KEY: to access the public or private API of VirusTotal a user has to be registered.
  • quiet: if 'false' the script will not report any output.
  • full_report: if 'true' and 'quiet' is set to 'false' then full report from VirusTotal will be printed.
  • hashlib_alg: hashing algorithms (available options are: sha1, sha256 or md5).
  • signature_gen: if 'true' a ClamAV compatibile signature archive will be generated.
  • persistence: if 'true' the script will keep track of the submitted samples on a SQLite Db.
  • name_prefix: a string used as a prefix for the ClamAV signature.

VirusTotal API

The internal behaviour of the script is based on the response code from the VirusTotal API:

  • if the item you searched for was not present in VirusTotal's dataset this result will be 0.
  • if the requested item is still queued for analysis it will be -2.
  • if the item was indeed present and it could be retrieved it will be 1.

Reference: VirusTotal API responses

Public vs Private VirusTotal API

Note that according to the documentation, there are some explicit limits in using the Public API of VirusTotal:

  • The Public API is limited to 4 requests per minute.
  • The Public API must not be used in commercial products or services.
  • The Private API returns more threat data and exposes more endpoints.
  • The Private API is governed by an SLA that guarantees readiness of data.

Required Python modules

  • Objectpath
  • SimpleJSON
  • Python-Magic
  • VirusTotal API

To install all the required modules:

>>> pip install -r requirements.txt

In order to run a quick test it would be easier to install the vt_driver.py script and its required modules in a virtual environment. Two methods are available:

  • If you are using python 2.7.x, it's better to setup a virtual environment through VirtualEnv.
  • If you are using python 3.x, the recommended way to setup a virtual environment is through venv.

References