
Friday, March 13, 2009

Updated VTUploader – renamed to OVScan

I updated the script I originally published for submitting files to VirusTotal and renamed it OVScan (Online Virus Scan). What has changed:

  • Added support for multiple sites
  • Added support for submitting via SSL (if the site supports it)
  • Added support for a per-file timeout

Get it while it’s fresh from the source-code repository (to download it, click on the “View raw file” link). Some caveats though:

  • Not all sites support all the features. SSL is supported only by VirusTotal at the moment for example.
  • Different sites have different engines, different signature versions and so on.
  • Different sites have different usage policies. Make sure to check out the policy for the given site before submitting to it. In general, assume that the site can do whatever it wants with the submitted file.
  • Support for scanner.virus.org is broken at the moment because every scan seems to stall at 80% (at Norman), so I couldn’t get a sample of what the results look like.
  • Support for virscan.org is rather rudimentary because of the more complex call scheme the site requires.
  • To use SSL, you need to have Crypt::SSLeay installed, which under Windows means using alternative package sources.

Hope you find it useful.

Update: for those of you who prefer more asynchronous processing, there is the vtsubmit.py Python script, which uses the e-mail interface for VirusTotal.

Update: I made some updates to the script. Please download the new version (because the old version doesn't really work with the changes the sites made to their architecture :-)).

Image taken from 37Hz's photostream with permission.

15 comments:

  1. Anonymous 12:26 AM

    Quite nice. Everything seems to work except virscan which you mentioned.

    The number of engines scanned with keeps increasing before failing with: "Use of uninitialized value in string eq at ovscan.pl line 677." which is the results as there are none.

    This is under windows which also always reports, "Use of uninitialized value in concatenation (.) or string at ovscan.pl line 25."

    Err, VirusTotal is now saying, "Response header does not contain expected location header!"

  2. Anonymous 12:37 AM

    Oh and the log always outputs VirusTotal in the header regardless of which site you used.

  3. Thanks for the quick feedback. The latest SVN version fixes the problem with the logs (it should output the correct sitename depending on which site you choose to use).

    Regarding the VT problem: they seem to be experiencing some kind of trouble, since they are constantly returning "Exception". I'll look into it some more soon; hopefully they fix the problem by then.

  4. The latest version from the SVN should also fix the problem of scans at VirusTotal stalling indefinitely. This appeared for files which VT has already seen, because there you must explicitly request a rescan, which the latest version does.

  5. Anonymous 9:51 PM

    Thanks too much.

    How can I use this script via a web page?

    warm regards,

  6. @mars: The script wasn't meant to be used via a web-page, but I assume that you could use an intermediate script, which takes the uploaded file and runs the script on it.

  7. Anonymous 6:08 PM

    You should add functionality to submit to Threat Expert!

  8. I know about ThreatExpert (and they have quite a nice service), however it doesn't fit very well into the "file scanned by multiple engines" model represented by the script (i.e. the report format is different, you cannot represent it as a table with columns like "engine name", "update time" and "scan results").

  9. Anonymous 1:25 AM

    fb and vchief are the only ones that worked for me. The rest failed.

  10. @Anonymous: sorry for taking so long to reply, but I was swamped with work. I updated the script and now it should work with Jotti, VirusTotal, Filterbit, NoVirusThanks and VirusChief.

    scanner.virus.org and virscan.org both have problems (the first blocks at 72% completion, while the second is unreachable).

    Please download the new version and let me know if you are still having problems.

  11. Anonymous 4:44 PM

    Hello,

    Thanks for this nice script.

    For me it would be ok, to upload only the files which have not been scanned before by vt (in the last x months).
    Maybe you have a script, which would send a simple txt-file (for each file one line with filename and md5 hash code), which makes an output file that adds the previous scan result (or not scanned) and the last scan date.
    Then it would be easy with a batch script to copy all files, which have to be checked with uploading to a folder and then to use your ovscan.pl script only on those files.
    This would help to reduce the traffic to vt a lot, but still having acceptable good results in shorter time. (when the last scanning date is not too far away).

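The pre-filter described in the comment above could look like the following. This is an added example, not part of the original post or of OVScan: the manifest layout, the `history` mapping and every hash and result below are constructed for illustration, and the history is assumed to be a local record of earlier scan results rather than anything fetched from a scanning site.

```python
import re
from datetime import date, timedelta

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def parse_manifest(text):
    """Yield (filename, md5) from lines of '<filename> <md5>'; filenames may contain spaces."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the LAST space so a filename with spaces stays intact.
        name, _, digest = line.strip().rpartition(" ")
        digest = digest.lower()
        if not name or not MD5_RE.match(digest):
            raise ValueError("bad manifest line: %r" % line)
        yield name.strip(), digest

def triage(manifest_text, history, today, max_age_days):
    """Return (report_lines, to_upload); history maps md5 -> (last_scan_date, result)."""
    cutoff = today - timedelta(days=max_age_days)
    report, to_upload = [], []
    for name, digest in parse_manifest(manifest_text):
        seen = history.get(digest)
        if seen is None:
            report.append("%s\t%s\tnot scanned\t-" % (name, digest))
            to_upload.append(name)
            continue
        last_scan, result = seen
        report.append("%s\t%s\t%s\t%s" % (name, digest, result, last_scan.isoformat()))
        if last_scan < cutoff:  # a result exists but is older than the allowed window
            to_upload.append(name)
    return report, to_upload

# Constructed sample data: placeholder hashes and results, not real samples.
SAMPLE_MANIFEST = """\
setup.exe 0123456789abcdef0123456789abcdef
my tool.dll FEDCBA9876543210FEDCBA9876543210
notes.pdf 00112233445566778899aabbccddeeff
"""
SAMPLE_HISTORY = {
    "0123456789abcdef0123456789abcdef": (date(2009, 3, 1), "0/39 detections"),
    "fedcba9876543210fedcba9876543210": (date(2008, 6, 1), "2/36 detections"),
}
```

Only the names returned in `to_upload` would then be copied to the folder that ovscan.pl is run on.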
  12. Anonymous 11:18 AM

    [quote]@mars: The script wasn't meant to be used via a web-page, but I assume that you could use an intermediate script, which takes the uploaded file and runs the script on it.[/quote]

    Excuse me for bad English.

    Could you please give an example php script to pass parameters to your script OVScan.pl.

    We have a LAN without Internet access, and the gateway to the Internet is on the server.
    The algorithm works as follows:
    1. user via web form generated by PHP, download a suspicious file to us on the server (for example, he is saved in a directory "c: / 1 /")
    2. Further PHP script runs your script OVScan.pl and gives him options download
    3. Your script OVScan.pl gives test results to my PHP script.

    Thanks in advance.

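One way to write the intermediate script for the workflow in the comment above, in Python rather than PHP. This is an added example, not the author's code: the paths, the size cap and the function names are assumptions, and the `-v -l <log> -i vt` arguments are copied from the command line quoted in a later comment on this page.

```python
import os
import secrets
import subprocess

OVSCAN = "./ovscan.pl"             # assumed location of the script
UPLOAD_DIR = "/var/spool/ovscan"   # assumed holding directory, not served by the web server
MAX_BYTES = 20 * 1024 * 1024       # assumed upload size cap
ALLOWED_SITES = {"vt"}             # only the site id that appears on this page

def store_upload(data, upload_dir=UPLOAD_DIR):
    """Save the upload under a server-chosen name; the client's filename is never used."""
    if len(data) > MAX_BYTES:
        raise ValueError("upload too large")
    os.makedirs(upload_dir, mode=0o700, exist_ok=True)
    path = os.path.join(upload_dir, secrets.token_hex(16) + ".sample")
    # O_EXCL refuses to overwrite an existing file; 0o600 keeps the sample non-executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def build_command(sample_path, site, log_path):
    """Build an argument vector (no shell involved); the site id is checked against an allowlist."""
    if site not in ALLOWED_SITES:
        raise ValueError("unknown site id")
    return ["perl", OVSCAN, "-v", "-l", log_path, "-i", site, sample_path]

def scan_upload(data, site="vt", timeout=600):
    """Store the upload, run ovscan.pl on it, return its output, and always delete the sample."""
    path = store_upload(data)
    try:
        proc = subprocess.run(build_command(path, site, path + ".log"),
                              capture_output=True, text=True, timeout=timeout)
        return proc.stdout
    finally:
        os.remove(path)
```

Passing the arguments as a list keeps anything the web form supplies from being interpreted by a shell, and the random server-side name removes the client-controlled filename from the command line entirely.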
  13. Anonymous 1:36 PM

    Hello again this AsmKey.
    thanks for the script. last issue is cleared.)))
    I just had an old version of LWP \ UserAgent.pm
    thanks again for a great script!

  14. Anonymous 8:17 AM

    Hi Can you help me..

    sudo ./ovscan.pl -v -l stats.log -i vt testfile
    Use of uninitialized value in concatenation (.) or string at ./ovscan.pl line 26.
    Processing file testfile
    MD5: eed3f1e12e544dc1bac2b66aaf0f0c89
    SHA1: 8bb8d31bfc1519d69fc6f5f24e9679a3463b6b60
    File size: 30080 bytes


    The following error occured while processing "testfile":
    Response header does not contain expected location header!

  15. Anonymous 2:58 PM

    Still having problems with:

    Response header does not contain expected location header!

    Any guesses?
