Introducing VirusTotalReporter
Today I’m introducing VirusTotalReporter, an AutoPkg processor designed to return file report information from VirusTotal. Heavily inspired by the well loved and widely used VirusTotalAnalyzer by Hannes Juutilainen, VirusTotalReporter’s goal is to provide as much detection data as possible to make informed decisions within AutoPkg recipes and workflows. It is for the most part a drop-in replacement for VirusTotalAnalyzer, and includes the same output variables in the same format. Wherever VirusTotalAnalyzer is used today - within a recipe, as a post-processor, etc. - VirusTotalReporter can take its place by only changing the processor name. Recipes using StopProcessingIf processors to bail early on detections can use the exact same predicates.
Why use VirusTotalReporter over VirusTotalAnalyzer?
- Significant improvements to reporting for new files.
VirusTotalReporterwill optionally submit new files not already in the VirusTotal database, wait for analysis, and returns results in the same run.VirusTotalAnalyzeronly submits new files, not report on them. In workflows where trust and import/upload decisions are made based on VirusTotal detections, files which have never been analyzed are assumed safe, when they may not be.VirusTotalAnalyzerwill actually report 0/0 detections for new submissions even though no data is returned. - More granular detection reporting. Total detections as well as (mostly) harmless, suspicious, and malicious detections are included in summary results.
- Supports outputting the full VirusTotal report to a recipe’s report property list or specified JSON file. That data can then be ingested into a SIEM or other security tooling.
- Uses VirusTotal’s v3 API. The v2 API is deprecated and in some cases provides fewer details or less specific data. Read more on VirusTotal’s blog post.
VirusTotalReporter is available here and ready for you to kick the tires. Read through the documentation, give it a try, and file issues to let me know what breaks.
https://github.com/autopkg/nstrauss-recipes/tree/master/VirusTotalReporter