Update: this script has been updated and renamed to OVScan. Please use the new version.
VirusTotal is a free service offered by Hispasec systems which scans the submitted files with a large number of AV engines (currently more than 30) and shows you the result. Disclaimer: I have no affiliation with them or any other such service. While the results do not guarantee anything (having in mind that every engine can have false positives and malware which it doesn't detect), still it offers a much more detailed result than scanning with a single AV engine.
This unofficial uploader was written to make it possible to submit multiple files in a batch mode and to produce reports automatically. It is written in Perl and should run on most platforms where Perl is available (for Windows you can use ActivePerl).
The software (script) is released under the GPLv3. The currently supported command-line options are:
```
vtuploader.pl [options] [file masks]

Options:
  -n --no-distrib   The sample is not distributed to AV vendors
  -h --help         Displays this help
  -v --verbose      Output detailed information about the progress
  -b --bb-code      Output the result as BBCode
  -c --csv          Output the result as CSV
  -t --tab          Output the result as tab delimited file
  -m --html         Output the result as HTML
  -l --log=[file]   Save the output (the result of the scans) to the specified day

File masks:
  Specifies a file or a group of files to upload and scan
```
An example result can be seen below:
File name: vtuploader.pl

Antivirus | Version | Last update | Result |
---|---|---|---|
AVG | 7.5.0.476 | 2007.08.12 | - |
AhnLab-V3 | 2007.8.9.2 | 2007.08.10 | - |
AntiVir | 7.4.0.60 | 2007.08.12 | - |
Authentium | 4.93.8 | 2007.08.11 | - |
Avast | 4.7.1029.0 | 2007.08.12 | - |
BitDefender | 7.2 | 2007.08.12 | - |
CAT-QuickHeal | 9.00 | 2007.08.11 | - |
ClamAV | 0.91 | 2007.08.12 | - |
DrWeb | 4.33 | 2007.08.12 | - |
Ewido | 4.0 | 2007.08.12 | - |
F-Prot | 4.3.2.48 | 2007.08.10 | - |
F-Secure | 6.70.13030.0 | 2007.08.12 | - |
FileAdvisor | 1 | 2007.08.12 | - |
Fortinet | 2.91.0.0 | 2007.08.12 | - |
Ikarus | T3.1.1.12 | 2007.08.12 | - |
Kaspersky | 4.0.2.24 | 2007.08.12 | - |
McAfee | 5095 | 2007.08.10 | - |
Microsoft | 1.2704 | 2007.08.12 | - |
NOD32v2 | 2454 | 2007.08.12 | - |
Norman | 5.80.02 | 2007.08.10 | - |
Panda | 9.0.0.4 | 2007.08.12 | - |
Prevx1 | V2 | 2007.08.12 | - |
Rising | 19.35.62.00 | 2007.08.12 | - |
Sophos | 4.20.0 | 2007.08.12 | - |
Sunbelt | 2.2.907.0 | 2007.08.11 | - |
Symantec | 10 | 2007.08.12 | - |
TheHacker | 6.1.7.167 | 2007.08.12 | - |
VBA32 | 3.12.2.2 | 2007.08.11 | - |
VirusBuster | 4.3.26:9 | 2007.08.12 | - |
Webwasher-Gateway | 6.0.1 | 2007.08.12 | - |
eSafe | 7.0.15.0 | 2007.08.10 | - |
eTrust-Vet | 31.1.5050 | 2007.08.11 | - |

Additional information:

- File size: 16004 bytes
- MD5: 61b8388cb718f5888f63e506707cf58f
- SHA1: d57434e6f782fcb59dba0160af404a0455848cd4

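
Before relying on a saved report, it is worth confirming that it describes the file actually on disk. The following is an added example, not part of vtuploader.pl or the original post (Perl 5.14+, core modules only): it recomputes size, MD5 and SHA1 locally, compares them with the report's "Additional information" fields, and tallies detections. The script name `check_report.pl`, a report saved as text in the pipe-delimited layout of the example above, and `-` meaning "no detection" are assumptions.

```perl
# Added example, not part of vtuploader.pl; "-" in Result is assumed to mean clean.
use strict;
use warnings;
use Digest::MD5;
use Digest::SHA;

# Split the report into engine rows and the "Additional information" fields.
sub parse_report {
    my ($text) = @_;
    my (%info, @rows);
    for my $line (split /\n/, $text) {
        my @f = grep { length } map { s/^\s+|\s+$//gr } split /\|/, $line;
        if (@f >= 2 && $f[0] =~ /^(File size|MD5|SHA1):$/) {
            my $key = $1;
            ($info{$key}) = lc($f[1]) =~ /^(\w+)/;    # "16004 bytes" -> "16004"
        }
        elsif (@f == 4 && $f[2] =~ /^\d{4}\.\d\d\.\d\d$/) {    # engine row
            push @rows, { engine => $f[0], result => $f[3] };
        }
    }
    return { info => \%info, rows => \@rows };
}
# Recompute size and hashes of the local file.
sub local_facts {
    my ($path) = @_;
    open my $fh, '<:raw', $path or die "cannot open $path: $!\n";
    my $md5 = Digest::MD5->new->addfile($fh)->hexdigest;
    seek $fh, 0, 0 or die "seek failed: $!\n";
    my $sha1 = Digest::SHA->new(1)->addfile($fh)->hexdigest;
    return { 'File size' => (-s $path), MD5 => $md5, SHA1 => $sha1 };
}
# Usage: perl check_report.pl [scanned_file [report.txt]]
my ($file, $report_path) = @ARGV;
my $in = \*DATA;    # default: the excerpt of this page's example report below
open $in, '<', $report_path or die "cannot open $report_path: $!\n" if defined $report_path;
my $report = parse_report(do { local $/; <$in> });
my $local  = local_facts($file // $0);
for my $key ('File size', 'MD5', 'SHA1') {
    my $want = $report->{info}{$key} // 'missing';
    print "$key: ", $want eq $local->{$key} ? 'match' : "MISMATCH (report says $want)", "\n";
}
my @hits  = grep { $_->{result} ne '-' } @{ $report->{rows} };
my $total = @{ $report->{rows} };
printf "Detections: %d/%d (%.1f%%)\n", scalar @hits, $total, $total ? 100 * @hits / $total : 0;
__DATA__
AVG | 7.5.0.476 | 2007.08.12 | - |
ClamAV | 0.91 | 2007.08.12 | - |
File size: | 16004 bytes | ||
MD5: | 61b8388cb718f5888f63e506707cf58f | ||
SHA1: | d57434e6f782fcb59dba0160af404a0455848cd4 |
```

Run without arguments, it compares the excerpt (which describes vtuploader.pl) with the script's own file, so all three fields print MISMATCH; pass the scanned file and a saved report to check a real pair.
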
Tips and tricks:
- Deprecated! See the command line options on how to redirect the output. You should always redirect the output to a logfile. Status messages are not influenced by the redirection because they are written to the standard error console.
- You should use the -v option, unless you are very patient, because scanning of the files can take a long time.
- If you need to use a proxy, you can set this from the environment variables by doing `export http_proxy=http://localhost:8080/` under Linux or the equivalent `set http_proxy=http://localhost:8080/` under Windows.
Warning: this uploader is based on undocumented interfaces in VirusTotal. Although I have their permission to create this software, there is no express guarantee on their part that the interfaces will remain the same. In case they change, this script may (and most probably will) break and I can't make any guarantees on the time it will take me to repair it. Please see the official methods for sending files to have a guaranteed delivery.
Update: added long options, the possibility to directly specify the file where the output should be saved, and a summary which gives the detection count both as raw numbers and as a percentage.
PS. Here are some alternative services in the same vein, if VT is unavailable for some reason:
- virusscan.jotti.org - similar, but sadly it's almost constantly at peak utilization, and because of this, rather slow
- VirScan.org - a new service from China (I think) with some broken English here and there, but seems to work fine (I also like the fact that archives can be submitted)
- scanner.virus.org - with a spartan interface and slightly outdated virus definitions sometimes
Hi Cd-MaN
This is a very useful script !!
Thank you very much for sharing it...
I just tested it with samples from http://blog.untangle.com/?p=96
http://virus.untangle.com/
Your script worked perfectly
BTW these results are here
http://vrac.uggy.org/results-vtuploader-virus-untangle-com
(And I blogged in French about your script on http://blog.uggy.org )
Thank you again..
Great script :)

a great thanks by myself as well! ;)

Here's a diff in case you want to use SSL for the upload:
311c311
< my $file_upload_request = POST 'http://www.virustotal.com/vt/en/recepcionf',
---
> my $file_upload_request = POST 'https://www.virustotal.com/vt/en/recepcion',
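Review bot: the replacement for line 311 changes two things at once, the scheme (http to https) and the path (recepcionf to recepcion), while the description only mentions SSL. Please state whether the path change is required by the HTTPS endpoint or is a separate fix, and split it out if it is separate. Nothing in the visible lines shows how the user agent validates the server certificate, so confirm that the upload fails on an invalid certificate instead of proceeding.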
314c314,315
< 'distribuir' => $distribute
---
> 'distribuir' => $distribute,
> 'envioseguro' => 1
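Review bot: the new 'envioseguro' => 1 field at line 315 is sent unconditionally and carries no comment saying what it tells the server. Since the post describes these interfaces as undocumented, add a one-line comment recording what the field does and where it was observed, and consider tying it to the https URL so the two cannot drift apart.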
341d341
<
343c343
< unless ($response->header('Location') =~ /\?([a-f0-9]+)$/i);
---
> unless ($response->header('location') =~ /\?([a-f0-9]+)$/i);
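Review bot: the only change at line 343 is the case of the name passed to header() ('Location' to 'location'); HTTP header field names are case-insensitive, so this looks unrelated to the SSL switch. If it fixes a failure you observed, say so in the description; otherwise drop it, together with the blank-line removal at 341, so the patch contains only the SSL change.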

it's changed from /vt/en/recepcionf to /vt/en/recepcion now

This is great. One problem. VT recently made a change on their site. I think that kills this pl if the file has been examined before. Can you help with a mod? If the file has been looked at before, VT throws up a screen asking if you want to re-analyze or view the previous analysis...