[Mac] Batch-querying VirusTotal scan results with the VirusTotalApi package
Sometimes I want to check, in bulk, whether a set of files is already recorded in VirusTotal,
to confirm whether a product's detections are false positives.
For a handful of files you can of course go to the VirusTotal search page by hand
and type in the MD5/SHA1 and so on, but repeating that manual work over and over gets tedious.
VirusTotal itself provides a public API for exactly this kind of external lookup,
and there is no real need to write your own query program, because plenty of clients already exist.
I ended up with VirusTotalApi, a script written in Python,
which takes care of the automated VirusTotal lookups for us.
1. Register a VirusTotal account and get an API key
To use VirusTotal's public API you first have to register an account; that is how you get the required API key.
Go to the VirusTotal site and click Join our community to sign up:
After signing up, click the link in the account activation e-mail:
Once the account is activated, click Sign in to log in:
Click your user name in the top-right corner and choose My API key:
This page shows your personal API key:
As the page explains, a free account only gets a Public API key,
so it can only use the functions the Public API offers;
for more advanced features and fewer restrictions you have to pay for a Private API key.
A Public API key is limited by default to 4 queries per minute,
and there are further caps on the number of queries per day and per month.
(If you have a pile of e-mail addresses and don't mind the hassle, it is technically possible
to register a pile of VirusTotal accounts and collect a pile of Public API keys... but using multiple
accounts to get around the quota is against VirusTotal's terms of service, so don't treat it as a real workaround.)
2. Install VirusTotalApi
Install the vt package with pip:
pip install vt
Once installed you can run the vt command (on my Mac it was installed as /usr/local/bin/vt).
Run it with no configuration and it reminds you to put the API key in the ~/.vtapi file:
testuser@localhost ~ $ vt
No API key provided or cannot read ~/.vtapi. Specify an API key in vt.py or in ~/.vtapi.
Format:
[vt]
apikey=your-apikey-here
type=public #private if you have private api
intelligence=False # True if you have access
For more information check: https://github.com/doomedraven/VirusTotalApi
The VirusTotalApi project page mentions that it looks for the configuration file in several places:
besides ~/.vtapi it also checks ~/vtapi.conf,
and .vtapi and vtapi.conf in the current directory, so which file you use depends on your needs.
With a bunch of Public API keys you could keep a separate .vtapi or vtapi.conf in each of a bunch of directories,
but with a single Public API key, as in my case, ~/.vtapi is the most convenient:
[vt]
apikey=123456789012345678901234567890123456789012345678901234567890abcd
type=public
intelligence=False
The key is a credential that identifies you to VirusTotal, so keep the file readable only by your own user
(chmod 600 ~/.vtapi), and don't let a .vtapi or vtapi.conf that lives inside a project directory end up in version control.
3. Querying with vt
Suppose I want to know whether a given hash (MD5/SHA1/SHA256)
is already in VirusTotal's database; that is vt -s <hash>.
The example below looks up the SHA1 3B2FFC3A4B565FFD003F2DB1A77E500EE5427686.
Of the 57 antivirus engines, 31 are counted as Positives (i.e. they flagged it as malicious), which is a pretty high ratio:
testuser@localhost ~ $ vt -s 3B2FFC3A4B565FFD003F2DB1A77E500EE5427686
Scanned on : 2016-05-14 07:46:02
Detections: 31/57 Positives/Total
Results for MD5 : d70234048b3a0b00ab4cc3c1a6fdad97
Results for SHA1 : 3b2ffc3a4b565ffd003f2db1a77e500ee5427686
Results for SHA256 : ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84
Permanent Link : https://www.virustotal.com/file/ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84/analysis/1463211962/
Two things to keep in mind when reading this: a hash lookup only retrieves the existing report, nothing is uploaded,
so a hash that VirusTotal has never seen simply comes back as not found (which says nothing about whether the file is clean),
and the counts reflect the engines' signatures as of the "Scanned on" date, not a fresh scan.
If you want to know which vendors flagged it, add the -v (verbose) option,
and the per-vendor scan results are listed as well; in this case that is the 31 engines that detected it, each with its own detection name:
testuser@localhost ~ $ vt -s -v 3B2FFC3A4B565FFD003F2DB1A77E500EE5427686
Scanned on : 2016-05-14 07:46:02
Detections: 31/57 Positives/Total
Results for MD5 : d70234048b3a0b00ab4cc3c1a6fdad97
Results for SHA1 : 3b2ffc3a4b565ffd003f2db1a77e500ee5427686
Results for SHA256 : ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84
Verbose VirusTotal Information Output:
+----------------------+-----------+------------------------------------+---------------+--------------+
| Vendor name          | Detected  | Result                             | Version       | Last Update  |
+======================+===========+====================================+===============+==============+
| ALYac                | True      | W97M.Downloader.CBJ                | 1.0.1.9       | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| AVware               | True      | LooksLike.Macro.Malware.d (v)      | 1.5.0.42      | 20160511     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Ad-Aware             | True      | W97M.Downloader.CBJ                | 3.0.2.1015    | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| AhnLab-V3            | True      | W97M/Downloader                    | 2016.05.14.00 | 20160513     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Arcabit              | True      | HEUR.VBA.Trojan.e                  | 1.0.0.680     | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Avast                | True      | VBA:Downloader-BQR [Trj]           | 8.0.1489.320  | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Avira                | True      | W2000M/Dldr.AM.85470               | 8.3.3.4       | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Baidu                | True      | VBA.Trojan-Downloader.Agent.afd    | 1.0.0.2       | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| BitDefender          | True      | W97M.Downloader.CBJ                | 7.200         | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| CAT-QuickHeal        | True      | W97M.Dropper.XF                    | 14            | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| ClamAV               | True      | Doc.Dropper.Agent-1405642          | 0.99.2.0      | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Cyren                | True      | W97M/Adnel.A.gen                   | 5.4.16.7      | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| ESET-NOD32           | True      | VBA/TrojanDownloader.Agent.BBC     | 13487         | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Emsisoft             | True      | W97M.Downloader.CBJ (B)            | 3.5.0.656     | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| F-Prot               | True      | W97M/Adnel.A.gen                   | 4.7.1.166     | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| F-Secure             | True      | W97M.Downloader.CBJ                | 11.0.19100.45 | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Fortinet             | True      | WM/TrojanDownloader.BBC!tr         | 5.4.233.0     | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| GData                | True      | W97M.Downloader.CBJ                | 25            | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Ikarus               | True      | Trojan-Downloader.VBA.Agent        | T3.2.0.9.0    | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Kaspersky            | True      | Trojan-Downloader.VBS.Agent.bpy    | 15.0.1.13     | 20160513     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| McAfee               | True      | W97M/Downloader.bcu                | 6.0.6.653     | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| McAfee-GW-Edition    | True      | W97M/Downloader.bcq                | v2015         | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| MicroWorld-eScan     | True      | W97M.Downloader.CBJ                | 12.0.250.0    | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Microsoft            | True      | TrojanDownloader:O97M/Donoff       | 1.1.12706.0   | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Sophos               | True      | Troj/DocDl-CZP                     | 4.98.0        | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Symantec             | True      | W97M.Downloader                    | 20151.1.0.32  | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| Tencent              | True      | Win32.Trojan-downloader.Agent.Woza | 1.0.0.1       | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| TrendMicro           | True      | W2KM_LOCKY.CF                      | 9.740.0.1012  | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| TrendMicro-HouseCall | True      | W2KM_LOCKY.CF                      | 9.800.0.1009  | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| VIPRE                | True      | LooksLike.Macro.Malware.d (v)      | 49368         | 20160514     |
+----------------------+-----------+------------------------------------+---------------+--------------+
| nProtect             | True      | W97M.Downloader.CBJ                | 2016-05-13.01 | 20160513     |
+----------------------+-----------+------------------------------------+---------------+--------------+
Permanent Link : https://www.virustotal.com/file/ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84/analysis/1463211962/
A table like this is not convenient for a script to parse;
in that case add the -j option, which also writes the result to a file named VTDL_<hash>.json:
testuser@localhost ~ $ vt -j -s 3B2FFC3A4B565FFD003F2DB1A77E500EE5427686
Scanned on : 2016-05-14 07:46:02
Detections: 31/57 Positives/Total
Results for MD5 : d70234048b3a0b00ab4cc3c1a6fdad97
Results for SHA1 : 3b2ffc3a4b565ffd003f2db1a77e500ee5427686
Results for SHA256 : ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84
JSON Written to File -- VTDL_3b2ffc3a4b565ffd003f2db1a77e500ee5427686.json
Permanent Link : https://www.virustotal.com/file/ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84/analysis/1463211962/
Open VTDL_3b2ffc3a4b565ffd003f2db1a77e500ee5427686.json and you can pull out whatever you need as JSON.
Every engine's result is in there, including the engines that detected nothing ("detected": false, "result": null),
which the verbose table does not list; the "positives" and "total" fields are the 31/57 from the summary line:
{
  "scan_id": "ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84-1463211962",
  "sha1": "3b2ffc3a4b565ffd003f2db1a77e500ee5427686",
  "resource": "3B2FFC3A4B565FFD003F2DB1A77E500EE5427686",
  "response_code": 1,
  "scan_date": "2016-05-14 07:46:02",
  "permalink": "https://www.virustotal.com/file/ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84/analysis/1463211962/",
  "verbose_msg": "Scan finished, information embedded",
  "sha256": "ecc3d41d095404518373d284b80dd1f6ae6c16c74af6ce8432801d0844d28e84",
  "positives": 31,
  "total": 57,
  "md5": "d70234048b3a0b00ab4cc3c1a6fdad97",
  "scans": {
    "Bkav": {"detected": false, "version": "1.3.0.8017", "result": null, "update": "20160514"},
    "MicroWorld-eScan": {"detected": true, "version": "12.0.250.0", "result": "W97M.Downloader.CBJ", "update": "20160514"},
    "nProtect": {"detected": true, "version": "2016-05-13.01", "result": "W97M.Downloader.CBJ", "update": "20160513"},
    "CMC": {"detected": false, "version": "1.1.0.977", "result": null, "update": "20160510"},
    "CAT-QuickHeal": {"detected": true, "version": "14.00", "result": "W97M.Dropper.XF", "update": "20160514"},
    "ALYac": {"detected": true, "version": "1.0.1.9", "result": "W97M.Downloader.CBJ", "update": "20160514"},
    "Malwarebytes": {"detected": false, "version": "2.1.1.1115", "result": null, "update": "20160514"},
    "VIPRE": {"detected": true, "version": "49368", "result": "LooksLike.Macro.Malware.d (v)", "update": "20160514"},
    "TheHacker": {"detected": false, "version": "6.8.0.5.922", "result": null, "update": "20160513"},
    "Alibaba": {"detected": false, "version": "1.0", "result": null, "update": "20160513"},
    "K7GW": {"detected": false, "version": "9.225.19597", "result": null, "update": "20160514"},
    "K7AntiVirus": {"detected": false, "version": "9.225.19597", "result": null, "update": "20160514"},
    "Baidu": {"detected": true, "version": "1.0.0.2", "result": "VBA.Trojan-Downloader.Agent.afd", "update": "20160514"},
    "F-Prot": {"detected": true, "version": "4.7.1.166", "result": "W97M/Adnel.A.gen", "update": "20160514"},
    "Symantec": {"detected": true, "version": "20151.1.0.32", "result": "W97M.Downloader", "update": "20160514"},
    "ESET-NOD32": {"detected": true, "version": "13487", "result": "VBA/TrojanDownloader.Agent.BBC", "update": "20160514"},
    "TrendMicro-HouseCall": {"detected": true, "version": "9.800.0.1009", "result": "W2KM_LOCKY.CF", "update": "20160514"},
    "Avast": {"detected": true, "version": "8.0.1489.320", "result": "VBA:Downloader-BQR [Trj]", "update": "20160514"},
    "ClamAV": {"detected": true, "version": "0.99.2.0", "result": "Doc.Dropper.Agent-1405642", "update": "20160514"},
    "Kaspersky": {"detected": true, "version": "15.0.1.13", "result": "Trojan-Downloader.VBS.Agent.bpy", "update": "20160513"},
    "BitDefender": {"detected": true, "version": "7.2", "result": "W97M.Downloader.CBJ", "update": "20160514"},
    "NANO-Antivirus": {"detected": false, "version": "1.0.30.8213", "result": null, "update": "20160514"},
    "ViRobot": {"detected": false, "version": "2014.3.20.0", "result": null, "update": "20160514"},
    "AegisLab": {"detected": false, "version": "4.2", "result": null, "update": "20160514"},
    "Rising": {"detected": false, "version": "25.0.0.18", "result": null, "update": "20160514"},
    "Ad-Aware": {"detected": true, "version": "3.0.2.1015", "result": "W97M.Downloader.CBJ", "update": "20160514"},
    "Sophos": {"detected": true, "version": "4.98.0", "result": "Troj/DocDl-CZP", "update": "20160514"},
    "Comodo": {"detected": false, "version": "25013", "result": null, "update": "20160514"},
    "F-Secure": {"detected": true, "version": "11.0.19100.45", "result": "W97M.Downloader.CBJ", "update": "20160514"},
    "DrWeb": {"detected": false, "version": "7.0.18.3140", "result": null, "update": "20160514"},
    "Zillya": {"detected": false, "version": "2.0.0.2862", "result": null, "update": "20160513"},
    "TrendMicro": {"detected": true, "version": "9.740.0.1012", "result": "W2KM_LOCKY.CF", "update": "20160514"},
    "McAfee-GW-Edition": {"detected": true, "version": "v2015", "result": "W97M/Downloader.bcq", "update": "20160514"},
    "Emsisoft": {"detected": true, "version": "3.5.0.656", "result": "W97M.Downloader.CBJ (B)", "update": "20160514"},
    "Cyren": {"detected": true, "version": "5.4.16.7", "result": "W97M/Adnel.A.gen", "update": "20160514"},
    "Jiangmin": {"detected": false, "version": "16.0.100", "result": null, "update": "20160514"},
    "Avira": {"detected": true, "version": "8.3.3.4", "result": "W2000M/Dldr.AM.85470", "update": "20160514"},
    "Fortinet": {"detected": true, "version": "5.4.233.0", "result": "WM/TrojanDownloader.BBC!tr", "update": "20160514"},
    "Antiy-AVL": {"detected": false, "version": "1.0.0.1", "result": null, "update": "20160514"},
    "Kingsoft": {"detected": false, "version": "2013.8.14.323", "result": null, "update": "20160514"},
    "Arcabit": {"detected": true, "version": "1.0.0.680", "result": "HEUR.VBA.Trojan.e", "update": "20160514"},
    "SUPERAntiSpyware": {"detected": false, "version": "5.6.0.1032", "result": null, "update": "20160514"},
    "AhnLab-V3": {"detected": true, "version": "2016.05.14.00", "result": "W97M/Downloader", "update": "20160513"},
    "Microsoft": {"detected": true, "version": "1.1.12706.0", "result": "TrojanDownloader:O97M/Donoff", "update": "20160514"},
    "TotalDefense": {"detected": false, "version": "37.1.62.1", "result": null, "update": "20160512"},
    "McAfee": {"detected": true, "version": "6.0.6.653", "result": "W97M/Downloader.bcu", "update": "20160514"},
    "AVware": {"detected": true, "version": "1.5.0.42", "result": "LooksLike.Macro.Malware.d (v)", "update": "20160511"},
    "VBA32": {"detected": false, "version": "3.12.26.4", "result": null, "update": "20160513"},
    "Panda": {"detected": false, "version": "4.6.4.2", "result": null, "update": "20160513"},
    "Zoner": {"detected": false, "version": "1.0", "result": null, "update": "20160514"},
    "Tencent": {"detected": true, "version": "1.0.0.1", "result": "Win32.Trojan-downloader.Agent.Woza", "update": "20160514"},
    "Yandex": {"detected": false, "version": "5.5.1.3", "result": null, "update": "20160513"},
    "Ikarus": {"detected": true, "version": "T3.2.0.9.0", "result": "Trojan-Downloader.VBA.Agent", "update": "20160514"},
    "GData": {"detected": true, "version": "25", "result": "W97M.Downloader.CBJ", "update": "20160514"},
    "AVG": {"detected": false, "version": "16.0.0.4568", "result": null, "update": "20160514"},
    "Baidu-International": {"detected": false, "version": "3.5.1.41473", "result": null, "update": "20160513"},
    "Qihoo-360": {"detected": false, "version": "1.0.0.1120", "result": null, "update": "20160514"}
  }
}
When running in batch, though, a Public API key only allows 4 VirusTotal queries per minute:
on the fifth query vt simply blocks, and only continues once the minute is over.
For ordinary, simple lookups that is plenty:
testuser@localhost ~ $ vt -v -s DECAECC943DB561F56C58341B80740D3DD0B3F90
Reached per minute limit of 1; waiting 60 seconds
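To tie the two points above together (parsing the VTDL_<hash>.json report that vt -j writes, and staying inside the 4-queries-per-minute quota instead of blocking on the fifth call), here is an added example of a small batch checker. It is my own code, not part of the original post or of the VirusTotalApi project: the VirusTotal call is replaced by an injected lookup function and the clock is injected, so it runs offline against constructed reports (the hashes and engine entries are made up); REVIEW_THRESHOLD, the rule that fewer than three engine hits is a "review" rather than a "malicious" verdict, is an assumption of mine and not anything VirusTotal or vt defines.

```python
"""Added example, not from the original post or the VirusTotalApi project: batch-check a
hash list under the public API's 4-queries-per-minute quota and reduce each
VTDL_<hash>.json-shaped report to a triage verdict. The VirusTotal call and the clock are
injected so it runs offline against constructed reports; REVIEW_THRESHOLD is my assumption."""
import re
import time
from collections import deque

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5 / SHA1 / SHA256
REVIEW_THRESHOLD = 3  # assumption: fewer engine hits than this is "review", not "malicious"

def normalise_hashes(lines):
    """Lower-case, drop comments, junk and duplicates; keep input order."""
    seen, valid, rejected = set(), [], []
    for line in lines:
        h = line.strip().lower()
        if not h or h.startswith("#"):
            continue
        if not HASH_RE.match(h):          # submitting junk would still burn quota
            rejected.append(line.strip())
        elif h not in seen:
            seen.add(h)
            valid.append(h)
    return valid, rejected

class RateLimiter:
    """Sliding window: at most `limit` calls in any `period` seconds; clock/sleep injectable."""
    def __init__(self, limit=4, period=60.0, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.period, self.clock, self.sleep = limit, period, clock, sleep
        self.sent = deque()               # timestamps of calls still inside the window
        self.total_wait = 0.0
    def _expire(self, now):
        while self.sent and now - self.sent[0] >= self.period - 1e-9:
            self.sent.popleft()
    def acquire(self):
        now = self.clock()
        self._expire(now)
        if len(self.sent) >= self.limit:  # the point where vt prints "waiting 60 seconds"
            wait = self.period - (now - self.sent[0])
            self.total_wait += wait
            self.sleep(wait)
            now = self.clock()
            self._expire(now)
        self.sent.append(now)

def summarise(report):
    """Reduce one v2-style file report (the shape vt -j writes) to triage fields."""
    code = report.get("response_code")
    if code == 0:
        return {"status": "unknown"}      # never submitted to VT; says nothing about being clean
    if code != 1:
        return {"status": "pending"}      # e.g. -2: still queued for analysis
    scans = report.get("scans", {})
    hits = sorted(v for v, r in scans.items() if r.get("detected"))
    names = sorted({r["result"] for r in scans.values() if r.get("detected") and r.get("result")})
    return {"status": "known", "positives": report.get("positives", len(hits)),
            "total": report.get("total", len(scans)), "hits": hits, "names": names}

def verdict(summary):
    if summary["status"] != "known":
        return summary["status"]
    if summary["positives"] == 0:
        return "clean"
    if summary["positives"] < REVIEW_THRESHOLD:
        return "review"                   # a hit or two, often heuristic names: false-positive candidate
    return "malicious"

def batch_lookup(hashes, lookup, limiter):
    """One lookup per hash, each call gated by the limiter."""
    results = {}
    for h in hashes:
        limiter.acquire()
        results[h] = summarise(lookup(h))
    return results

# --- constructed data so the example runs offline; not real VirusTotal output ---
def _scan(detected, result):
    return {"detected": detected, "result": result, "version": "1.0", "update": "20160514"}

H_BAD, H_FP, H_NEW, H_CLEAN, H_QUEUED = "b" * 40, "c" * 32, "d" * 64, "e" * 64, "f" * 40
CONSTRUCTED_REPORTS = {
    H_BAD: {"response_code": 1, "positives": 3, "total": 4, "scans": {
        "Kaspersky": _scan(True, "Trojan-Downloader.VBS.Agent.bpy"), "Bkav": _scan(False, None),
        "Microsoft": _scan(True, "TrojanDownloader:O97M/Donoff"),
        "ClamAV": _scan(True, "Doc.Dropper.Agent-1405642")}},
    H_FP: {"response_code": 1, "positives": 1, "total": 4, "scans": {
        "AVware": _scan(True, "LooksLike.Macro.Malware.d (v)"), "Bkav": _scan(False, None),
        "Kaspersky": _scan(False, None), "Microsoft": _scan(False, None)}},
    H_CLEAN: {"response_code": 1, "positives": 0, "total": 4, "scans": {
        v: _scan(False, None) for v in ("AVware", "Bkav", "Kaspersky", "Microsoft")}},
    H_QUEUED: {"response_code": -2, "verbose_msg": "queued for analysis"},
}
INPUT_LINES = ["# constructed hash list, one per line", H_BAD, H_FP, H_BAD.upper(),
               H_NEW, "not-a-hash", H_CLEAN, H_QUEUED]

def fake_lookup(h):
    """Stand-in for the API call; an unknown hash gets response_code 0, as v2 does."""
    return CONSTRUCTED_REPORTS.get(h, {"response_code": 0})

def demo():
    t = [0.0]                             # fake clock: "sleeping" just advances it
    def advance(seconds): t[0] += seconds
    limiter = RateLimiter(clock=lambda: t[0], sleep=advance)
    hashes, rejected = normalise_hashes(INPUT_LINES)
    return batch_lookup(hashes, fake_lookup, limiter), rejected, limiter.total_wait
```

Calling demo() runs the five unique hashes from INPUT_LINES through the limiter: the first four go out immediately and the fifth waits the full 60 seconds, which is exactly the pause vt shows above, except that here the wait is accounted for up front instead of being discovered mid-run. To use it against real data, replace fake_lookup with a function that returns the parsed contents of a VTDL_<hash>.json file (json.load) or the API response, and keep the default time.monotonic/time.sleep clock.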