VirusTotalというオンラインスキャナがあります.不安なファイルなどをここでスキャンするとたくさん(現在は54)のエンジンでスキャンしてその結果を確認できます. 複数のエンジンを利用するのでチェック漏れが少ないので安心感があります.(絶対ではない)
このVirusTotalにはAPIやデスクトップアプリケーション(Win/Mac/Linux)があります.これを利用してコマンドラインからスキャナにファイルを投げたり結果を確認したりしてみます.
※利用するときデータをVirusTotalのサーバにアップロードする必要がありますが,アップロードされたデータはVirusTotalとの契約者が利用できるようになっているので人に見られたら困るものや仕事のファイルなどには利用しないほうがいいでしょう.もしそういうものをたくさんのエンジンでスキャンしたい場合はMetadefender Coreという製品などを検討するといいかもです.
- VirusTotal – ウイルス、マルウェア、URL の無料オンライン スキャナー
- https://www.virustotal.com/ja/documentation/desktop-applications/linux-oss-uploader
- セキュリティ研究センターブログ: VirusTotalへアップロードされる機微情報
導入
必要パッケージの導入
ビルドに必要なパッケージを導入します.Debian/Ubuntuでは以下のものが必要です.
$ sudo apt install build-essential automake autoconf libtool libjansson-dev libcurl4-openssl-dev gitbuild
sourceを入手してbuildします.
$ git clone https://github.com/VirusTotal/c-vtapi.git
$ cd c-vtapi
$ ./conigure --prefix=$HOME/usr/local
$ make
$ make install続いてexampleをbuildします.(この中に簡易的なコマンドがあるのでこれを利用します.)
$ autoreconf -fi
$ ./configure --enable-examples
$ makeAPI Keyの入手
VirusTotalのコミニュティにサインアップして,API Keyを入手しておきます.
- VirusTotal コミュニティの使用方法 – VirusTotal ### ファイルのアップロード
ファイルのアップロード
scanコマンドにapikeyとスキャン対象のファイルを指定してアップロードします.
$ ./examples/c/scan --apikey xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --filescan ~/Downloads/rootkitXperia_20140719.zip
apikey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
:
progress_callback 1736497/1736497
progress_callback 1736497/1736497
progress_callback 1736497/1736497
Response:
{
"md5": "a3j0587afbba733d734b382f4c7fa15ed",
"scan_id": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841-1475839569",
"sha1": "b586a6959843d5dd4004d585faf94d742e34eddc",
"resource": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841",
"verbose_msg": "Scan request successfully queued, come back later for the report",
"response_code": 1,
"sha256": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841",
"permalink": "https://www.virustotal.com/file/115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841/analysis/1475839569/"
}スキャンの確認
scanコマンドにapikeyとhashを指定するとスキャン結果のレポートが確認できます.
$ ./examples/c/scan --apikey xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --report 115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841
apikey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
:
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
Response:
{
"scans": {
"Bkav": {
"detected": false,
"version": "1.3.0.8383",
"result": null,
"update": "20161007"
},
"Malwarebytes": {
"detected": false,
"version": "2.1.1.1115",
"result": null,
"update": "20161007"
},
"F-Secure": {
"detected": false,
"version": "11.0.19100.45",
"result": null,
"update": "20161007"
},
"MicroWorld-eScan": {
"detected": false,
"version": "12.0.250.0",
"result": null,
"update": "20161007"
},
"Antiy-AVL": {
"detected": false,
"version": "1.0.0.1",
"result": null,
"update": "20161007"
},
"K7AntiVirus": {
"detected": false,
"version": "9.242.21116",
"result": null,
"update": "20161007"
},
"AVware": {
"detected": false,
"version": "1.5.0.42",
"result": null,
"update": "20161007"
},
"Avira": {
"detected": false,
"version": "8.3.3.4",
"result": null,
"update": "20161007"
},
"nProtect": {
"detected": false,
"version": "2016-10-07.02",
"result": null,
"update": "20161007"
},
"BitDefender": {
"detected": false,
"version": "7.2",
"result": null,
"update": "20161007"
},
"CMC": {
"detected": false,
"version": "1.1.0.977",
"result": null,
"update": "20161003"
},
"ViRobot": {
"detected": false,
"version": "2014.3.20.0",
"result": null,
"update": "20161007"
},
"McAfee": {
"detected": false,
"version": "6.0.6.653",
"result": null,
"update": "20161007"
},
"Kingsoft": {
"detected": false,
"version": "2013.8.14.323",
"result": null,
"update": "20161007"
},
"Baidu": {
"detected": false,
"version": "1.0.0.2",
"result": null,
"update": "20161001"
},
"Symantec": {
"detected": false,
"version": "20151.1.1.4",
"result": null,
"update": "20161007"
},
"CAT-QuickHeal": {
"detected": false,
"version": "14.00",
"result": null,
"update": "20161007"
},
"ALYac": {
"detected": false,
"version": "1.0.1.9",
"result": null,
"update": "20161007"
},
"TheHacker": {
"detected": false,
"version": "6.8.0.5.1089",
"result": null,
"update": "20161007"
},
"Zillya": {
"detected": true,
"version": "2.0.0.3078",
"result": "Trojan.Towel.Linux.2",
"update": "20161007"
},
"DrWeb": {
"detected": false,
"version": "7.0.23.8290",
"result": null,
"update": "20161007"
},
"Rising": {
"detected": false,
"version": "28.0.0.1",
"result": null,
"update": "20161007"
},
"K7GW": {
"detected": false,
"version": "9.242.21118",
"result": null,
"update": "20161007"
},
"AegisLab": {
"detected": true,
"version": "4.2",
"result": "Android.Exploit.Gen!c",
"update": "20161007"
},
"ALYac": {
"detected": false,
"version": "1.0.1.9",
"result": null,
"update": "20161007"
},
"TheHacker": {
"detected": false,
"version": "6.8.0.5.1089",
"result": null,
"update": "20161007"
},
"Zillya": {
"detected": true,
"version": "2.0.0.3078",
"result": "Trojan.Towel.Linux.2",
"update": "20161007"
},
"DrWeb": {
"detected": false,
"version": "7.0.23.8290",
"result": null,
"update": "20161007"
},
"Rising": {
"detected": false,
"version": "28.0.0.1",
"result": null,
"update": "20161007"
},
"K7GW": {
"detected": false,
"version": "9.242.21118",
"result": null,
"update": "20161007"
},
"AegisLab": {
"detected": true,
"version": "4.2",
"result": "Android.Exploit.Gen!c",
"update": "20161007"
},
"ALYac": {
"detected": false,
"version": "1.0.1.9",
"result": null,
"update": "20161007"
},
"TheHacker": {
"detected": false,
"version": "6.8.0.5.1089",
"result": null,
"update": "20161007"
},
"Zillya": {
"detected": true,
"version": "2.0.0.3078",
"result": "Trojan.Towel.Linux.2",
"update": "20161007"
},
"DrWeb": {
"detected": false,
"version": "7.0.23.8290",
"result": null,
"update": "20161007"
},
"Rising": {
"detected": false,
"version": "28.0.0.1",
"result": null,
"update": "20161007"
},
"K7GW": {
"detected": false,
"version": "9.242.21118",
"result": null,
"update": "20161007"
},
"AegisLab": {
"detected": true,
"version": "4.2",
"result": "Android.Exploit.Gen!c",
"update": "20161007"
},
"ALYac": {
"detected": false,
"version": "1.0.1.9",
"result": null,
"update": "20161007"
},
"TheHacker": {
"detected": false,
"version": "6.8.0.5.1089",
"result": null,
"update": "20161007"
},
"Zillya": {
"detected": true,
"version": "2.0.0.3078",
"result": "Trojan.Towel.Linux.2",
"update": "20161007"
},
"DrWeb": {
"detected": false,
"version": "7.0.23.8290",
"result": null,
"update": "20161007"
},
"Rising": {
"detected": false,
"version": "28.0.0.1",
"result": null,
"update": "20161007"
},
"K7GW": {
"detected": false,
"version": "9.242.21118",
"result": null,
"update": "20161007"
},
"AegisLab": {
"detected": true,
"version": "4.2",
"result": "Android.Exploit.Gen!c",
"update": "20161007"
},
"ALYac": {
"detected": false,
"version": "1.0.1.9",
"result": null,
"update": "20161007"
},
"TheHacker": {
"detected": false,
"version": "6.8.0.5.1089",
"result": null,
"update": "20161007"
},
"Zillya": {
"detected": true,
"version": "2.0.0.3078",
"result": "Trojan.Towel.Linux.2",
"update": "20161007"
},
"DrWeb": {
"detected": false,
"version": "7.0.23.8290",
"result": null,
"update": "20161007"
},
"Rising": {
"detected": false,
"version": "28.0.0.1",
"result": null,
"update": "20161007"
},
"K7GW": {
"detected": false,
"version": "9.242.21118",
"result": null,
"update": "20161007"
},
"AegisLab": {
"detected": true,
"version": "4.2",
"result": "Android.Exploit.Gen!c",
"update": "20161007"
},
"AVG": {
"detected": true,
"version": "16.0.0.4656",
"result": "Android/Exploit.B",
"update": "20161007"
},
"Qihoo-360": {
"detected": false,
"version": "1.0.0.1120",
"result": null,
"update": "20161007"
}
},
"response_code": 1,
"scan_id": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841-1475839569",
"sha1": "b586a6959843d5dd4004d585faf94d742e34eddc",
"resource": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841",
"total": 54,
"scan_date": "2016-10-07 11:26:09",
"permalink": "https://www.virustotal.com/file/115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841/analysis/1475839569/",
"positives": 10,
"verbose_msg": "Scan finished, information embedded",
"sha256": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841",
"md5": "a30587afbba733d734b382f4c7fa15ed"
}
Msg: Scan finished, information embedded
response code: 1たまに使うのでですがブラウザがなくても利用できて便利そうです :)
ちなみにGUIもあるのでGUIで利用したい人はそちらもBUILDすると幸せになれるかもしれません.