Using VirusTotal from the command line

VirusTotal is an online scanner. If you submit a suspicious file there, it is scanned by a large number of engines (currently 54) and you can review the results. Because several engines are used, fewer things slip through, which is reassuring (though not a guarantee).

VirusTotal also offers an API and desktop applications (Win/Mac/Linux). Here I use these to submit files to the scanner from the command line and check the results.

Note: using the service means uploading your data to VirusTotal's servers, and uploaded data is made available to VirusTotal's paying customers, so it is better not to use it for anything you would not want others to see or for work files. If you want to scan such files with many engines, consider a product such as Metadefender Core instead.

Installation

Installing the required packages

Install the packages needed for the build. On Debian/Ubuntu the following are required.

$ sudo apt install build-essential automake autoconf libtool libjansson-dev libcurl4-openssl-dev git

Build

Fetch the source and build it.

$ git clone https://github.com/VirusTotal/c-vtapi.git
$ cd c-vtapi
$ ./configure --prefix=$HOME/usr/local
$ make
$ make install

Next, build the examples. (They include a simple command-line tool, which is what we use below.)

$ autoreconf -fi
$ ./configure --enable-examples
$ make

Obtaining an API key

Sign up for the VirusTotal community and obtain an API key.

Uploading a file

Pass the API key and the file to scan to the scan command to upload it.

$ ./examples/c/scan --apikey xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --filescan ~/Downloads/rootkitXperia_20140719.zip
 apikey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
   :
progress_callback 1736497/1736497
progress_callback 1736497/1736497
progress_callback 1736497/1736497
Response:
{
    "md5": "a30587afbba733d734b382f4c7fa15ed",
    "scan_id": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841-1475839569",
    "sha1": "b586a6959843d5dd4004d585faf94d742e34eddc",
    "resource": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841",
    "verbose_msg": "Scan request successfully queued, come back later for the report",
    "response_code": 1,
    "sha256": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841",
    "permalink": "https://www.virustotal.com/file/115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841/analysis/1475839569/"
}

Checking the scan result

Passing the API key and the file hash to the scan command retrieves the scan report.

$ ./examples/c/scan --apikey xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --report 115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841
apikey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
:
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
Response:
{  
"scans": {
"Bkav": {
"detected": false,
"version": "1.3.0.8383",
"result": null,
"update": "20161007"
},
"Malwarebytes": {
"detected": false,
"version": "2.1.1.1115",
"result": null,
"update": "20161007"
},
"F-Secure": {
"detected": false,
"version": "11.0.19100.45",
"result": null,
"update": "20161007"
},
"MicroWorld-eScan": {
"detected": false,
"version": "12.0.250.0",
"result": null,
"update": "20161007"
},
"Antiy-AVL": {
"detected": false,
"version": "1.0.0.1",
"result": null,
"update": "20161007"
},
"K7AntiVirus": {
"detected": false,
"version": "9.242.21116",
"result": null,
"update": "20161007"
},
"AVware": {
"detected": false,
"version": "1.5.0.42",
"result": null,
"update": "20161007"
},
"Avira": { 
"detected": false,
"version": "8.3.3.4",
"result": null,
"update": "20161007"
},
"nProtect": {
"detected": false,
"version": "2016-10-07.02",
"result": null,
"update": "20161007"
},
"BitDefender": {
"detected": false,
"version": "7.2",
"result": null,
"update": "20161007"
},
"CMC": {
"detected": false,
"version": "1.1.0.977",
"result": null,
"update": "20161003"
},
"ViRobot": {
"detected": false,
"version": "2014.3.20.0",
"result": null,
"update": "20161007"
},
"McAfee": {
"detected": false,
"version": "6.0.6.653",
"result": null,
"update": "20161007"
},
"Kingsoft": {
"detected": false,
"version": "2013.8.14.323",
"result": null,
"update": "20161007"
},
"Baidu": {
"detected": false,
"version": "1.0.0.2",
"result": null,
"update": "20161001"
},
"Symantec": {
"detected": false,
"version": "20151.1.1.4",
"result": null,
"update": "20161007"
},
"CAT-QuickHeal": {
"detected": false,
"version": "14.00",
"result": null,
"update": "20161007"
},
"ALYac": { 
"detected": false,
"version": "1.0.1.9",
"result": null,
"update": "20161007"
},
"TheHacker": {
"detected": false,
"version": "6.8.0.5.1089",
"result": null,
"update": "20161007"
},
"Zillya": {
"detected": true,
"version": "2.0.0.3078",
"result": "Trojan.Towel.Linux.2",
"update": "20161007"
},
"DrWeb": {
"detected": false,
"version": "7.0.23.8290",
"result": null,
"update": "20161007"
},
"Rising": {
"detected": false,
"version": "28.0.0.1",
"result": null,
"update": "20161007"
},
"K7GW": {  
"detected": false,
"version": "9.242.21118",
"result": null,
"update": "20161007"
},
"AegisLab": {
"detected": true,
"version": "4.2",
"result": "Android.Exploit.Gen!c",
"update": "20161007"
},
"AVG": {
"detected": true,
"version": "16.0.0.4656",
"result": "Android/Exploit.B",
"update": "20161007"
},
"Qihoo-360": {
"detected": false,
"version": "1.0.0.1120",
"result": null,
"update": "20161007"
}
},
"response_code": 1,
"scan_id": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841-1475839569",
"sha1": "b586a6959843d5dd4004d585faf94d742e34eddc",
"resource": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841",
"total": 54,
"scan_date": "2016-10-07 11:26:09",
"permalink": "https://www.virustotal.com/file/115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841/analysis/1475839569/",
"positives": 10,
"verbose_msg": "Scan finished, information embedded",
"sha256": "115fc4955cbfaa77982b6ced5fc1b5c901a707819c2ed7ed45d7e763c2bda841",
"md5": "a30587afbba733d734b382f4c7fa15ed"
}
Msg: Scan finished, information embedded
response code: 1
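The two steps above (upload, then fetch the report by hash) can be turned around: compute the SHA-256 locally first, ask for the report, and only upload if VirusTotal has never seen the file. That keeps private files off the service unless you decide otherwise, which addresses the caveat at the top of the post. The following is an added example, not part of c-vtapi or the original post: it computes the local hash, reduces a file/report response of the shape shown above to the fields an analyst acts on, and maps the result to a next action. The sample file bytes and the report are constructed (engine entries are modelled on the output above; the hash is that of the constructed bytes); the response_code meanings 0 (unknown) and -2 (queued) are those of the VirusTotal API v2 file/report endpoint, which the post's output (1 = report present) is from.

```python
"""Hash-first VirusTotal lookup policy and report summary (added example)."""
import hashlib
import json

# response_code values of the VirusTotal API v2 file/report endpoint
REPORT_PRESENT = 1      # report available (what the post's output shows)
REPORT_NOT_FOUND = 0    # VirusTotal has never seen this hash
REPORT_QUEUED = -2      # submitted, analysis still running


def sha256_of_bytes(data: bytes) -> str:
    """Local SHA-256, so a file can be looked up before deciding to upload it."""
    return hashlib.sha256(data).hexdigest()


def summarize_report(report: dict) -> dict:
    """Reduce a file/report response to status, counts and detecting engines."""
    code = report.get("response_code")
    empty = {"positives": 0, "total": 0, "detections": {}}
    if code == REPORT_NOT_FOUND:
        return {"status": "unknown", "sha256": None, **empty}
    if code == REPORT_QUEUED:
        return {"status": "queued", "sha256": report.get("sha256"), **empty}
    if code != REPORT_PRESENT:
        raise ValueError(f"unexpected response_code: {code!r}")
    scans = report.get("scans", {})
    # engine name -> signature name, only for engines that flagged the file
    detections = {name: e.get("result") for name, e in scans.items() if e.get("detected")}
    return {
        "status": "scanned",
        "sha256": report.get("sha256"),
        "positives": report.get("positives", len(detections)),
        "total": report.get("total", len(scans)),
        "detections": detections,
    }


def next_action(local_sha256: str, report: dict) -> str:
    """Decide what to do after a --report lookup of the local hash.

    Returns one of: "upload-candidate", "wait", "flagged", "clean".
    """
    summary = summarize_report(report)
    if summary["status"] == "unknown":
        # VirusTotal has no record: uploading is now a deliberate choice
        return "upload-candidate"
    if summary["sha256"] is not None and summary["sha256"] != local_sha256:
        raise ValueError("report refers to a different file than the local hash")
    if summary["status"] == "queued":
        return "wait"
    return "flagged" if summary["positives"] > 0 else "clean"


# ---- constructed sample input (not a real file or a real report) ----
SAMPLE_FILE = b"constructed sample bytes, not a real rootkit"
SAMPLE_SHA256 = sha256_of_bytes(SAMPLE_FILE)

# Same shape as the post's --report output; engine entries modelled on it,
# counts match the entries included here, hash is the constructed sample's.
SAMPLE_REPORT = {
    "response_code": 1,
    "sha256": SAMPLE_SHA256,
    "total": 5,
    "positives": 3,
    "scans": {
        "Bkav": {"detected": False, "version": "1.3.0.8383", "result": None, "update": "20161007"},
        "DrWeb": {"detected": False, "version": "7.0.23.8290", "result": None, "update": "20161007"},
        "Zillya": {"detected": True, "version": "2.0.0.3078", "result": "Trojan.Towel.Linux.2", "update": "20161007"},
        "AegisLab": {"detected": True, "version": "4.2", "result": "Android.Exploit.Gen!c", "update": "20161007"},
        "AVG": {"detected": True, "version": "16.0.0.4656", "result": "Android/Exploit.B", "update": "20161007"},
    },
}

if __name__ == "__main__":
    print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
    print("known file:", next_action(SAMPLE_SHA256, SAMPLE_REPORT))
    print("unknown file:", next_action(SAMPLE_SHA256, {"response_code": 0}))
```

In practice the `report` dict is the JSON printed after "Response:" by `scan --report <sha256>` (for example captured with `json.loads` from the tool's output); an "upload-candidate" result is where the post's `--filescan` step comes in, and "wait" means polling `--report` again until the queued analysis finishes.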

I only use it occasionally, but being able to use it without a browser looks handy :)
Incidentally, there is also a GUI, so if you would rather use one, building that as well may make you happier.