Home - Nuix/VirusTotal-Integration GitHub Wiki
About the VirusTotal Integration
This integration is designed to pull data from the VirusTotal API to enrich items in your Nuix case. It works by sending the md5 hash of a selected item to the File API endpoint. The response contains the data VirusTotal holds for items matching that hash, including whether any anti-virus engines identify the item as malicious, and additional hashes that may help with an investigation. Nuix users can then quickly identify any malicious files and report on them accordingly.
Note that only the md5 hash and your API key are sent to VirusTotal. If you have a file that is not in the VirusTotal database, you will have to submit the file to them manually for analysis.
Running the integration
To run the VirusTotal integration with your Nuix case, you must have a valid API key from VirusTotal, or the script will not be able to communicate with the API. You also need an active internet connection on the machine that the script is running from.
Choosing which script to run
Nuix provide a standard script and a worker side script for this integration. Which one you use will depend on your workflow. For details on the differences between the script types, please refer to the Nuix developer community and the WSS example repo.
The main differences for this integration are:
Standard script is run after you have processed files into your case. You select the files you want to check against VirusTotal and then run the script. The results are returned and added to the item as custom-metadata. The standard script has user prompts and gives user feedback while running.
Worker side script is run at processing time and can be run without user interaction. You can filter what you check against using a list of mime-types you are interested in, or just have it run against every item with an md5 in your case. Because this runs at processing time, we are also able to add additional properties to an item, whereas for items processed with the standard script the same values have to remain as custom-metadata.
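The following Ruby is an added example, not code from the Nuix/VirusTotal-Integration project, illustrating both the hash lookup described in the "About" section and the mime-type filter described for the worker side script. It assumes the VirusTotal v3 files endpoint (GET /api/v3/files/{hash} with an x-apikey header); the custom-metadata field names, the hypothetical `should_check?` filter and the sample report are constructed for the example. Only the hash and the key leave the machine; the parsing runs offline against the constructed report.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Assumed endpoint: VirusTotal API v3 file lookup by hash (md5, sha1 or sha256).
VT_FILES_ENDPOINT = 'https://www.virustotal.com/api/v3/files/'

# Build (but do not send) the lookup request for one MD5, so the exact data that
# would leave the machine is visible: the hash in the path, the key in a header.
def build_vt_request(md5, api_key)
  raise ArgumentError, "not an MD5: #{md5.inspect}" unless md5 =~ /\A[0-9a-f]{32}\z/i
  uri = URI(VT_FILES_ENDPOINT + md5.downcase)
  req = Net::HTTP::Get.new(uri)
  req['x-apikey'] = api_key
  req['accept'] = 'application/json'
  [uri, req]
end

# Send the request; returns the parsed JSON report, or nil when VirusTotal has
# no record of the hash (HTTP 404), which is the "submit manually" case.
def fetch_vt_report(md5, api_key)
  uri, req = build_vt_request(md5, api_key)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  return nil if res.code == '404'
  raise "VirusTotal returned HTTP #{res.code}" unless res.code == '200'
  JSON.parse(res.body)
end

# Reduce a v3 file report to the flat key/value pairs a Nuix script would store
# as custom-metadata on the item. Field names are this example's own choice.
def vt_report_to_metadata(report)
  attrs = report.fetch('data').fetch('attributes')
  stats = attrs.fetch('last_analysis_stats', {})
  results = attrs.fetch('last_analysis_results', {})
  detecting = results.select { |_, r| r['category'] == 'malicious' }
  malicious = stats.fetch('malicious', 0)
  {
    'VT MD5'           => attrs['md5'],
    'VT SHA1'          => attrs['sha1'],
    'VT SHA256'        => attrs['sha256'],
    'VT Malicious'     => malicious,
    'VT Engines Total' => stats.values.sum,
    'VT Verdict'       => malicious > 0 ? 'Malicious' : 'Clean',
    'VT Detections'    => detecting.map { |name, r| "#{name}: #{r['result']}" }.sort.join('; ')
  }
end

# Worker-side style filter (hypothetical helper): check only items whose mime-type
# is in the list of interest, or every item when the list is empty. Items without
# an MD5 (e.g. containers) are always skipped, since there is nothing to look up.
def should_check?(md5, mime_type, mime_types_of_interest)
  return false if md5.nil? || md5.empty?
  mime_types_of_interest.empty? || mime_types_of_interest.include?(mime_type)
end

# Constructed sample in the shape of a v3 file report; hashes and engine names are
# placeholders, not real VirusTotal data.
SAMPLE_REPORT = {
  'data' => {
    'type' => 'file',
    'id'   => 'constructed-sha256-placeholder',
    'attributes' => {
      'md5'    => '0123456789abcdef0123456789abcdef',
      'sha1'   => 'constructed-sha1-placeholder',
      'sha256' => 'constructed-sha256-placeholder',
      'last_analysis_stats' => { 'malicious' => 2, 'undetected' => 3, 'harmless' => 0 },
      'last_analysis_results' => {
        'EngineA' => { 'category' => 'malicious',  'result' => 'Trojan.Generic' },
        'EngineB' => { 'category' => 'malicious',  'result' => 'Win.Malware.Test' },
        'EngineC' => { 'category' => 'undetected', 'result' => nil },
        'EngineD' => { 'category' => 'undetected', 'result' => nil },
        'EngineE' => { 'category' => 'undetected', 'result' => nil }
      }
    }
  }
}

if $PROGRAM_NAME == __FILE__
  # Stand-alone run: show the metadata that would be written to the item.
  vt_report_to_metadata(SAMPLE_REPORT).each { |k, v| puts "#{k}: #{v}" }
end
```

In a real Nuix script the hash in `SAMPLE_REPORT` would come from `fetch_vt_report(item_md5, api_key)`, and the returned pairs would be written to the item's custom metadata (or, in the worker side script, as item properties); a nil report is the signal that the file must be submitted to VirusTotal manually.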
For further details and instructions, please refer to the wiki page for each script.