Standard Script - Nuix/VirusTotal-Integration GitHub Wiki
Standard Script
The standard script can be run from the workstation Scripts menu and provides visual feedback on its progress. As you work through your data, you can select the items you wish to check against VirusTotal and launch the script on demand.
The basic premise is that only the MD5 hash of each item is sent to the VirusTotal API; the file content itself never leaves your workstation. If VirusTotal has already analysed a file with the same MD5 hash, it returns all the details it holds on that file (a hash VirusTotal has never seen returns no result, which is not the same as the file being clean). The relevant data is then processed by Nuix and added to the selected item as custom metadata. This data includes how many anti-virus products identified the file as malicious and the names those products give the file. In addition, Nuix can optionally add the other custom metadata detailed below:
authentihash is a SHA-256 hash used by Microsoft Authenticode to verify that the relevant sections of a PE image file have not been altered; it excludes the checksum and the embedded signature, so it is the value a code-signing certificate actually signs. Further details can be found here.
imphash is a hash of the imports used in a PE, computed as an MD5 over the imported library and function names in import-table order. It is useful for tracking and identifying malware, because the imphash often stays the same as files are tweaked to evade signature detection.
vHash is a proprietary hash generated by VirusTotal. Only limited information is available at the time of writing, but its intention is to help you find similar files. File similarity search is built into the VirusTotal web interface, and there is also an API endpoint you can use.
crowdsourced_yara_results is the collection of crowdsourced YARA rules the file matches. This information is provided by the VirusTotal community and only checks against community-added rulesets, but it is another good indicator that a file is malicious.
The script also tags items by default using the VirusTotal-assigned tags; a list of these can be found here.
Preparing the script
- Begin by downloading the latest release of this code. Extract the folder "VirusTotalIntegration.nuixscript" and its contents from the downloaded zip file into your Nuix scripts directory. In Windows the script directory is likely going to be either of the following:
%appdata%\Nuix\Scripts - User level script directory
%programdata%\Nuix\Scripts - System level script directory
- Get an API key from VirusTotal (see Requesting a new API key).
- Open VirusTotalIntegration.py in a text editor, scroll down to the APIKEY row, and insert your API key between the double quotes. The key is stored in plain text in this file, so keep the scripts directory readable only by users who should be able to query VirusTotal, and do not commit the edited script to source control.
- You may optionally modify other settings at this stage (see Optional changes below).
- Save the script and close the text editor.
Optional changes
You can also adjust which values are added to the item, and the sleep time between API requests (for rate limiting). These settings are detailed below:
Property Name | Default Value | Description |
---|---|---|
SLEEP_TIME | 15 | Numerical value. The number of seconds the script waits between queries to the API. The default of 15 matches the public API quota of 4 requests per minute; it can be set to 0 with a premium API key, as the sleep only exists to stay within the public API's rate limit |
SET_VHASH | True | Should the vHash value be extracted? Set to False to NOT include it as a property |
SET_IMPHASH | True | Should the import hash value be extracted? Set to False to NOT include it as a property |
SET_AUTHENTIHASH | True | Should the authentihash value be extracted? Set to False to NOT include it as a property |
SET_YARA | True | Should YARA community matches be included in the results? Set to False to NOT include them as a property |
SET_TAGS | True | Should tags be set based on VirusTotal tags? Set to False to NOT tag items |
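The flow described above (hash locally, send only the MD5, read the verdict counts, detection names, vHash, imphash, authentihash, YARA matches and tags back out of the response, and sleep between queries as SLEEP_TIME dictates) as an added, stand-alone Python example. This is not the project's own VirusTotalIntegration.py and does not touch the Nuix API: it assumes the VirusTotal v3 files endpoint and its JSON field layout, invents the property names "VirusTotal Hits" and "VirusTotal Names", and runs offline against a constructed sample report. Swap `fake_fetch` for `fetch_report` with a real key to query VirusTotal.

```python
import hashlib
import json
import time
import urllib.error
import urllib.request

# Settings with the defaults from the table above (names assumed to match the script).
SLEEP_TIME = 15
SET_VHASH = True
SET_IMPHASH = True
SET_AUTHENTIHASH = True
SET_YARA = True
SET_TAGS = True

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"  # assumed v3 endpoint


def md5_of(data):
    """Hash the item locally. Only this digest is sent to VirusTotal; the bytes never leave the workstation."""
    return hashlib.md5(data).hexdigest()


def fetch_report(md5, api_key):
    """GET /api/v3/files/{hash}. Returns the parsed JSON, or None if VirusTotal
    has never seen this hash (HTTP 404); an unknown hash is not a clean verdict."""
    req = urllib.request.Request(VT_FILES_URL + md5, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def extract_properties(report, set_vhash=SET_VHASH, set_imphash=SET_IMPHASH,
                       set_authentihash=SET_AUTHENTIHASH, set_yara=SET_YARA,
                       set_tags=SET_TAGS):
    """Reduce a v3 file report to the custom-metadata properties and tags
    described above. Returns (properties dict, list of tags)."""
    attrs = report["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    # Detection names from engines that flagged the file as malicious.
    names = sorted({r["result"] for r in results.values()
                    if r.get("category") == "malicious" and r.get("result")})
    props = {
        "VirusTotal Hits": attrs.get("last_analysis_stats", {}).get("malicious", 0),
        "VirusTotal Names": names,
    }
    if set_vhash and attrs.get("vhash"):
        props["vHash"] = attrs["vhash"]
    if set_imphash and attrs.get("pe_info", {}).get("imphash"):
        props["imphash"] = attrs["pe_info"]["imphash"]
    if set_authentihash and attrs.get("authentihash"):
        props["authentihash"] = attrs["authentihash"]
    if set_yara:
        rules = ["%s:%s" % (m.get("ruleset_name"), m.get("rule_name"))
                 for m in attrs.get("crowdsourced_yara_results", [])]
        if rules:
            props["crowdsourced_yara_results"] = rules
    tags = list(attrs.get("tags", [])) if set_tags else []
    return props, tags


def check_hashes(md5s, api_key, fetch=fetch_report, sleep_time=SLEEP_TIME, sleep=time.sleep):
    """Look up each hash in turn, sleeping sleep_time seconds between requests so
    the public quota (4 requests/minute) is not exceeded. fetch and sleep are
    injectable so the flow can be exercised without network access."""
    results = {}
    for i, h in enumerate(md5s):
        if i and sleep_time:
            sleep(sleep_time)
        report = fetch(h, api_key)
        results[h] = extract_properties(report) if report else None
    return results


# Constructed sample in the shape of a v3 file report (not real data).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 2, "undetected": 1},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.GenericKD"},
        "EngineB": {"category": "malicious", "result": "Win32.Agent"},
        "EngineC": {"category": "undetected", "result": None},
    },
    "vhash": "017056655d1515z4z12z4lz",
    "pe_info": {"imphash": "a" * 32},
    "authentihash": "b" * 64,
    "crowdsourced_yara_results": [
        {"ruleset_name": "example_rules", "rule_name": "suspicious_pe_imports"}],
    "tags": ["peexe", "overlay"],
}}}


def fake_fetch(md5, api_key):
    """Offline stand-in for fetch_report: one known hash, everything else unseen."""
    return SAMPLE_REPORT if md5 == md5_of(b"constructed sample file") else None


if __name__ == "__main__":
    hashes = [md5_of(b"constructed sample file"), md5_of(b"never submitted")]
    for h, result in check_hashes(hashes, "APIKEY", fetch=fake_fetch, sleep_time=0).items():
        print(h, result)
```

The `None` result for an unseen hash is kept distinct from a zero-hit report on purpose: the first means VirusTotal has nothing to say, the second means engines scanned the file and none flagged it.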
Running the script
- With your case open, select one or more items that you want to check against VirusTotal.
- Run the script by opening the "Scripts" menu and selecting "Virus Total Integration".
- A box will appear to indicate your progress. Note that cancelling it does not remove custom metadata from items that have already been checked against VirusTotal.
- When the script completes, a custom metadata field is available under the Metadata tab in the Preview pane. The custom data shows the VirusTotal hits under the Value column, along with any optional properties, such as vHash, that you chose to include.