[Mac] Batch-querying VirusTotal scan results with the VirusTotalApi package
Sometimes I want to batch-check whether certain files are already recorded in VirusTotal,
to confirm whether a product's scan results are false alarms.
For a handful of files you can of course go to the VirusTotal search page by hand
and type in the MD5/SHA1, but repeating that manual work over and over gets tedious.
VirusTotal itself provides a public API for outside queries,
but there is no need to write your own query program, since plenty of clients already exist.
I eventually found VirusTotalApi, a script written in Python,
which takes care of querying VirusTotal automatically for us.
1. Register a VirusTotal account and get an API key
To use VirusTotal's public API you first have to register an account in order to obtain the required API key.
Go to the VirusTotal site and click Join our community to sign up:

After signing up, click the link in the account-activation e-mail:

Once the account is activated, click Sign in to log in:

Click your login name in the top-right corner and choose My API key:

Here you can see your own API key:

The page also explains that a free account like this gets a Public API key,
so it can only use the features the Public API provides;
for more advanced features with fewer limits you have to pay for a Private API key.
A public API key is limited by default to 4 queries per minute,
with separate caps on how many queries you can make per day and per month.
(Of course, if you don't mind the hassle and have a pile of e-mail addresses,
it is possible to register a pile of VirusTotal accounts and collect a pile of Public API keys...)
2. Install VirusTotalApi
Install the vt package with pip:
pip install vt
Once installed you can run the vt program (on my Mac it was installed at /usr/local/bin/vt).
Running it reminds us to set the API key in the ~/.vtapi file:
testuser@localhost ~ $ vt
No API key provided or cannot read ~/.vtapi.
Specify an API key in vt.py or in ~/.vtapi.
Format:
[vt]
apikey=your-apikey-here
type=public #private if you have private api
intelligence=False # True if you have access
For more information check:
https://github.com/doomedraven/VirusTotalApi
The VirusTotalApi site mentions that it looks for its configuration file in several places:
besides ~/.vtapi it also checks ~/vtapi.conf,
as well as .vtapi and vtapi.conf in the current directory, so which file you use is up to you.
If you have a pile of Public API keys you could presumably keep a separate .vtapi or vtapi.conf in each of several directories,
but since I only have one Public API key, putting it in ~/.vtapi is the most convenient:
[vt]
apikey=123456789012345678901234567890123456789012345678901234567890abcd
type=public
intelligence=False
3. Querying with vt
Suppose I want to check whether a given hash (MD5/SHA1/SHA256)
is already in VirusTotal's database; that is done with vt -s <hash>.
The example below queries SHA1 3B2FFC3A4B565FFD003F2DB1A77E500EE5427686;
you can see that 31 of 57 antivirus engines flag it as Positive (i.e. malicious), which is a fairly high ratio:
testuser@localhost ~ $ vt -s 3B2FFC3A4B565FFD003F2DB1A77E500EE5427686
Scanned on : 2016-05-14 07:46:02
Detections: 31/57 Positives/Total
Results for MD5 : d70234048b3a0b00ab4cc3c1a6fdad97
Results for SHA1 : 3b2ffc3a4b565ffd003f2db1a77e500ee5427686
Results for SHA256 : ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84
Permanent Link : https://www.virustotal.com/file/ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84/analysis/1463211962/
If you want to know which vendors judged it malicious, add the -v (verbose) option
and each vendor's scan result is appended to the output:
testuser@localhost ~ $ vt -s -v 3B2FFC3A4B565FFD003F2DB1A77E500EE5427686
Scanned on : 2016-05-14 07:46:02
Detections: 31/57 Positives/Total
Results for MD5 : d70234048b3a0b00ab4cc3c1a6fdad97
Results for SHA1 : 3b2ffc3a4b565ffd003f2db1a77e500ee5427686
Results for SHA256 : ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84
Verbose VirusTotal Information Output:
+----------------------+-----------+------------------------------------+---------------+--------------+
| Vendor name          | Detected  | Result                             | Version       | Last Update  |
+======================+===========+====================================+===============+==============+
| ALYac                | True      | W97M.Downloader.CBJ                | 1.0.1.9       | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| AVware               | True      | LooksLike.Macro.Malware.d (v)      | 1.5.0.42      | 20160511     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Ad-Aware             | True      | W97M.Downloader.CBJ                | 3.0.2.1015    | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| AhnLab-V3            | True      | W97M/Downloader                    | 2016.05.14.00 | 20160513     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Arcabit              | True      | HEUR.VBA.Trojan.e                  | 1.0.0.680     | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Avast                | True      | VBA:Downloader-BQR [Trj]           | 8.0.1489.320  | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Avira                | True      | W2000M/Dldr.AM.85470               | 8.3.3.4       | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Baidu                | True      | VBA.Trojan-Downloader.Agent.afd    | 1.0.0.2       | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| BitDefender          | True      | W97M.Downloader.CBJ                | 7.200         | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| CAT-QuickHeal        | True      | W97M.Dropper.XF                    | 14            | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| ClamAV               | True      | Doc.Dropper.Agent-1405642          | 0.99.2.0      | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Cyren                | True      | W97M/Adnel.A.gen                   | 5.4.16.7      | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| ESET-NOD32           | True      | VBA/TrojanDownloader.Agent.BBC     | 13487         | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Emsisoft             | True      | W97M.Downloader.CBJ (B)            | 3.5.0.656     | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| F-Prot               | True      | W97M/Adnel.A.gen                   | 4.7.1.166     | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| F-Secure             | True      | W97M.Downloader.CBJ                | 11.0.19100.45 | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Fortinet             | True      | WM/TrojanDownloader.BBC!tr         | 5.4.233.0     | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| GData                | True      | W97M.Downloader.CBJ                | 25            | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Ikarus               | True      | Trojan-Downloader.VBA.Agent        | T3.2.0.9.0    | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Kaspersky            | True      | Trojan-Downloader.VBS.Agent.bpy    | 15.0.1.13     | 20160513     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| McAfee               | True      | W97M/Downloader.bcu                | 6.0.6.653     | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| McAfee-GW-Edition    | True      | W97M/Downloader.bcq                | v2015         | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| MicroWorld-eScan     | True      | W97M.Downloader.CBJ                | 12.0.250.0    | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Microsoft            | True      | TrojanDownloader:O97M/Donoff       | 1.1.12706.0   | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Sophos               | True      | Troj/DocDl-CZP                     | 4.98.0        | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Symantec             | True      | W97M.Downloader                    | 20151.1.0.32  | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Tencent              | True      | Win32.Trojan-downloader.Agent.Woza | 1.0.0.1       | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| TrendMicro           | True      | W2KM_LOCKY.CF                      | 9.740.0.1012  | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| TrendMicro-HouseCall | True      | W2KM_LOCKY.CF                      | 9.800.0.1009  | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| VIPRE                | True      | LooksLike.Macro.Malware.d (v)      | 49368         | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| nProtect             | True      | W97M.Downloader.CBJ                | 2016-05-13.01 | 20160513     |
+----------------------+-----------+------------------------------------+---------------+--------------+
Permanent Link : https://www.virustotal.com/file/ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84/analysis/1463211962/
The tabular format above is not convenient for a script to parse;
in that case add the -j option, which writes a VTDL_<hash>.json file:
testuser@localhost ~ $ vt -j -s 3B2FFC3A4B565FFD003F2DB1A77E500EE5427686
Scanned on : 2016-05-14 07:46:02
Detections: 31/57 Positives/Total
Results for MD5 : d70234048b3a0b00ab4cc3c1a6fdad97
Results for SHA1 : 3b2ffc3a4b565ffd003f2db1a77e500ee5427686
Results for SHA256 : ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84
JSON Written to File -- VTDL_3b2ffc3a4b565ffd003f2db1a77e500ee5427686.json
Permanent Link : https://www.virustotal.com/file/ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84/analysis/1463211962/
Open this VTDL_3b2ffc3a4b565ffd003f2db1a77e500ee5427686.json file
and you can pull out the information you need as JSON; every vendor's detection result is included as well:
{
"scan_id": "ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84-1463211962",
"sha1": "3b2ffc3a4b565ffd003f2db1a77e500ee5427686",
"resource": "3B2FFC3A4B565FFD003F2DB1A77E500EE5427686",
"response_code": 1,
"scan_date": "2016-05-14 07:46:02",
"permalink": "https://www.virustotal.com/file/ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84/analysis/1463211962/",
"verbose_msg": "Scan finished, information embedded",
"sha256": "ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84",
"positives": 31,
"total": 57,
"md5": "d70234048b3a0b00ab4cc3c1a6fdad97",
"scans": {
"Bkav": {
"detected": false,
"version": "1.3.0.8017",
"result": null,
"update": "20160514"
},
"MicroWorld-eScan": {
"detected": true,
"version": "12.0.250.0",
"result": "W97M.Downloader.CBJ",
"update": "20160514"
},
"nProtect": {
"detected": true,
"version": "2016-05-13.01",
"result": "W97M.Downloader.CBJ",
"update": "20160513"
},
"CMC": {
"detected": false,
"version": "1.1.0.977",
"result": null,
"update": "20160510"
},
"CAT-QuickHeal": {
"detected": true,
"version": "14.00",
"result": "W97M.Dropper.XF",
"update": "20160514"
},
"ALYac": {
"detected": true,
"version": "1.0.1.9",
"result": "W97M.Downloader.CBJ",
"update": "20160514"
},
"Malwarebytes": {
"detected": false,
"version": "2.1.1.1115",
"result": null,
"update": "20160514"
},
"VIPRE": {
"detected": true,
"version": "49368",
"result": "LooksLike.Macro.Malware.d (v)",
"update": "20160514"
},
"TheHacker": {
"detected": false,
"version": "6.8.0.5.922",
"result": null,
"update": "20160513"
},
"Alibaba": {
"detected": false,
"version": "1.0",
"result": null,
"update": "20160513"
},
"K7GW": {
"detected": false,
"version": "9.225.19597",
"result": null,
"update": "20160514"
},
"K7AntiVirus": {
"detected": false,
"version": "9.225.19597",
"result": null,
"update": "20160514"
},
"Baidu": {
"detected": true,
"version": "1.0.0.2",
"result": "VBA.Trojan-Downloader.Agent.afd",
"update": "20160514"
},
"F-Prot": {
"detected": true,
"version": "4.7.1.166",
"result": "W97M/Adnel.A.gen",
"update": "20160514"
},
"Symantec": {
"detected": true,
"version": "20151.1.0.32",
"result": "W97M.Downloader",
"update": "20160514"
},
"ESET-NOD32": {
"detected": true,
"version": "13487",
"result": "VBA/TrojanDownloader.Agent.BBC",
"update": "20160514"
},
"TrendMicro-HouseCall": {
"detected": true,
"version": "9.800.0.1009",
"result": "W2KM_LOCKY.CF",
"update": "20160514"
},
"Avast": {
"detected": true,
"version": "8.0.1489.320",
"result": "VBA:Downloader-BQR [Trj]",
"update": "20160514"
},
"ClamAV": {
"detected": true,
"version": "0.99.2.0",
"result": "Doc.Dropper.Agent-1405642",
"update": "20160514"
},
"Kaspersky": {
"detected": true,
"version": "15.0.1.13",
"result": "Trojan-Downloader.VBS.Agent.bpy",
"update": "20160513"
},
"BitDefender": {
"detected": true,
"version": "7.2",
"result": "W97M.Downloader.CBJ",
"update": "20160514"
},
"NANO-Antivirus": {
"detected": false,
"version": "1.0.30.8213",
"result": null,
"update": "20160514"
},
"ViRobot": {
"detected": false,
"version": "2014.3.20.0",
"result": null,
"update": "20160514"
},
"AegisLab": {
"detected": false,
"version": "4.2",
"result": null,
"update": "20160514"
},
"Rising": {
"detected": false,
"version": "25.0.0.18",
"result": null,
"update": "20160514"
},
"Ad-Aware": {
"detected": true,
"version": "3.0.2.1015",
"result": "W97M.Downloader.CBJ",
"update": "20160514"
},
"Sophos": {
"detected": true,
"version": "4.98.0",
"result": "Troj/DocDl-CZP",
"update": "20160514"
},
"Comodo": {
"detected": false,
"version": "25013",
"result": null,
"update": "20160514"
},
"F-Secure": {
"detected": true,
"version": "11.0.19100.45",
"result": "W97M.Downloader.CBJ",
"update": "20160514"
},
"DrWeb": {
"detected": false,
"version": "7.0.18.3140",
"result": null,
"update": "20160514"
},
"Zillya": {
"detected": false,
"version": "2.0.0.2862",
"result": null,
"update": "20160513"
},
"TrendMicro": {
"detected": true,
"version": "9.740.0.1012",
"result": "W2KM_LOCKY.CF",
"update": "20160514"
},
"McAfee-GW-Edition": {
"detected": true,
"version": "v2015",
"result": "W97M/Downloader.bcq",
"update": "20160514"
},
"Emsisoft": {
"detected": true,
"version": "3.5.0.656",
"result": "W97M.Downloader.CBJ (B)",
"update": "20160514"
},
"Cyren": {
"detected": true,
"version": "5.4.16.7",
"result": "W97M/Adnel.A.gen",
"update": "20160514"
},
"Jiangmin": {
"detected": false,
"version": "16.0.100",
"result": null,
"update": "20160514"
},
"Avira": {
"detected": true,
"version": "8.3.3.4",
"result": "W2000M/Dldr.AM.85470",
"update": "20160514"
},
"Fortinet": {
"detected": true,
"version": "5.4.233.0",
"result": "WM/TrojanDownloader.BBC!tr",
"update": "20160514"
},
"Antiy-AVL": {
"detected": false,
"version": "1.0.0.1",
"result": null,
"update": "20160514"
},
"Kingsoft": {
"detected": false,
"version": "2013.8.14.323",
"result": null,
"update": "20160514"
},
"Arcabit": {
"detected": true,
"version": "1.0.0.680",
"result": "HEUR.VBA.Trojan.e",
"update": "20160514"
},
"SUPERAntiSpyware": {
"detected": false,
"version": "5.6.0.1032",
"result": null,
"update": "20160514"
},
"AhnLab-V3": {
"detected": true,
"version": "2016.05.14.00",
"result": "W97M/Downloader",
"update": "20160513"
},
"Microsoft": {
"detected": true,
"version": "1.1.12706.0",
"result": "TrojanDownloader:O97M/Donoff",
"update": "20160514"
},
"TotalDefense": {
"detected": false,
"version": "37.1.62.1",
"result": null,
"update": "20160512"
},
"McAfee": {
"detected": true,
"version": "6.0.6.653",
"result": "W97M/Downloader.bcu",
"update": "20160514"
},
"AVware": {
"detected": true,
"version": "1.5.0.42",
"result": "LooksLike.Macro.Malware.d (v)",
"update": "20160511"
},
"VBA32": {
"detected": false,
"version": "3.12.26.4",
"result": null,
"update": "20160513"
},
"Panda": {
"detected": false,
"version": "4.6.4.2",
"result": null,
"update": "20160513"
},
"Zoner": {
"detected": false,
"version": "1.0",
"result": null,
"update": "20160514"
},
"Tencent": {
"detected": true,
"version": "1.0.0.1",
"result": "Win32.Trojan-downloader.Agent.Woza",
"update": "20160514"
},
"Yandex": {
"detected": false,
"version": "5.5.1.3",
"result": null,
"update": "20160513"
},
"Ikarus": {
"detected": true,
"version": "T3.2.0.9.0",
"result": "Trojan-Downloader.VBA.Agent",
"update": "20160514"
},
"GData": {
"detected": true,
"version": "25",
"result": "W97M.Downloader.CBJ",
"update": "20160514"
},
"AVG": {
"detected": false,
"version": "16.0.0.4568",
"result": null,
"update": "20160514"
},
"Baidu-International": {
"detected": false,
"version": "3.5.1.41473",
"result": null,
"update": "20160513"
},
"Qihoo-360": {
"detected": false,
"version": "1.0.0.1120",
"result": null,
"update": "20160514"
}
}
}
When running in batch, though, a public API key only allows 4 VirusTotal queries per minute;
on the fifth query you will see vt stall, and it only continues once a minute has passed.
For ordinary, simple lookups that is already good enough:
testuser@localhost ~ $ vt -v -s DECAECC943DB561F56C58341B80740D3DD0B3F90
Reached per minute limit of 1; waiting 60 seconds
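As an added example (not code from the post or from the VirusTotalApi project), here is a small Python helper that ties the two points above together: it parses the VTDL_<hash>.json files that vt -j -s writes, reduces each to the fields a false-alarm review needs, and drives vt over a list of SHA-1s while staying inside the 4-per-minute public-key limit. The summarize() fields, the 10% review threshold, the response_code meaning and the output-file naming are my assumptions; the embedded report is a constructed cut-down of the one shown above.

```python
import json
import subprocess
import time
from pathlib import Path

def summarize(report, fp_threshold=0.1):
    """Reduce one VTDL_<hash>.json report to what a false-alarm review needs.

    Assumption: response_code 1 means VirusTotal has the file (as in the
    report above); any other value is treated as 'hash not in VirusTotal'.
    fp_threshold is an assumed review cut-off, not a VirusTotal value."""
    if report.get("response_code") != 1:
        return {"resource": report.get("resource"), "known": False, "verdict": "not-in-virustotal"}
    total = report["total"]
    ratio = report["positives"] / total if total else 0.0
    # Keep only vendors that flagged the file, together with their detection name
    hits = {name: scan["result"] for name, scan in report["scans"].items() if scan["detected"]}
    verdict = "likely-malicious" if ratio >= fp_threshold else "review-possible-false-alarm"
    return {"resource": report["resource"], "known": True, "positives": report["positives"],
            "total": total, "ratio": round(ratio, 3), "verdict": verdict, "detections": hits}

def summarize_file(path):
    """Parse a VTDL_<hash>.json file written by `vt -j -s`."""
    return summarize(json.loads(Path(path).read_text()))

def query_hashes(sha1s, per_minute=4):
    """Batch driver: run `vt -j -s` for each SHA-1 and pause after every
    per_minute requests so a public key stays inside its quota. Assumes vt is
    on PATH and names its output after the lowercase SHA-1, as shown above."""
    results = []
    for i, h in enumerate(sha1s):
        if i and i % per_minute == 0:
            time.sleep(60)
        subprocess.run(["vt", "-j", "-s", h], check=True)
        results.append(summarize_file(f"VTDL_{h.lower()}.json"))
    return results

# Constructed sample in the layout of the report above, cut down to three vendors
SAMPLE_REPORT = {
    "resource": "3B2FFC3A4B565FFD003F2DB1A77E500EE5427686",
    "response_code": 1, "positives": 31, "total": 57,
    "scans": {
        "Bkav": {"detected": False, "version": "1.3.0.8017", "result": None, "update": "20160514"},
        "Microsoft": {"detected": True, "version": "1.1.12706.0",
                      "result": "TrojanDownloader:O97M/Donoff", "update": "20160514"},
        "Kaspersky": {"detected": True, "version": "15.0.1.13",
                      "result": "Trojan-Downloader.VBS.Agent.bpy", "update": "20160513"},
    },
}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```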