Scanning with VirusTotal at Scale

 

VirusTotal is a great tool for security analysts and incident responders. It allows them to quickly scan a specific file using a plethora of different AntiVirus scanners and get a result immediately. 

VirusTotal has a free API key but this tier restricts the user to a maximum number of queries per minute. As a paying customer of VirusTotal you are given a much greater limit. On both tiers it is possible to query VirusTotal programatically.

VirusTotal can be made incredibly effective as a first pass of detection in combination with further validations. For this approach to work you need to examine the hash of files and code in use within your organization using the VirusTotal API. This can be challenging for organizations as it requires a complex pipeline of analysis and reporting.

Enters LimaCharlie - the easiest way to get the job done.

Using LimaCharlie.io, you can deploy agents to your hosts (Mac, Linux and Windows) in minutes and get data flowing to your own systems right away. You can also input a VirusTotal API key and have LimaCharlie query VirusTotal automatically for you. Along with this ease of deployment we also take care of caching results so if you pay for an API key you get more mileage out of your quota.

If we find a match we can report it through many integrations like Slack or webhooks, and you can even automate more advanced responses like isolating the host from the network or fetching additional information. And of course, all of this happens in real-time.

Virus Total

Getting up and running is simple, create a LimaCharlie account, install some sensors by following the instructions, subscribe to the VirusTotal integration (it's free), input your VirusTotal API key and create your detection flow.

This is what a simple detection flow for VirusTotal looks like, query all unique hashes against VT and report any hash that at least one AV product says is "bad":

Detect:

op: lookup
event: CODE_IDENTITY
path: event/HASH
resource: 'lcr://api/vt'
metadata_rules:
  path: /
  length of: true
  value: 0
  op: is greater than

Respond:

- action: report
  name: virustotal