Worker Side Script - Nuix/VirusTotal-Integration GitHub Wiki

Worker Side Script

The worker side script version of the integration has been created to allow users to run it at processing time. Because of the nature of the script (an API call is made out to a third party for every item it matches), it is not advisable to run it as-is against all the data in your case. A suggested workflow is to filter by mime-type in the script and be selective about the data being processed with the script enabled, OR to process your data as normal and then reprocess the select items in your case that you wish to check against VirusTotal. Ideally this would be done as a stage in an automated workflow.

Currently, the worker side script provides the same results information as the standard script does, but adds the vHash, Authentihash and ImpHash to the item as properties rather than custom metadata. This is because when running a standard script it is not possible to add or modify properties as we can from a WSS. Each property is explained below:

authentihash is a sha256 hash used by Microsoft to verify that the relevant sections of a PE image file have not been altered. Further details can be found here.

imphash is a hash of the imports used in a PE file. It can be useful for tracking and identifying malware, especially as the imphash often remains the same as files are tweaked to avoid signature detection, etc.

vHash is a proprietary hash generated by VirusTotal. Only limited information is available at time of writing, but its intention is to help you to find similar files. File similarity search is built into the VirusTotal web interface, and there is also an endpoint you can use.

In addition to these properties, the script also tags items by default using the VirusTotal assigned tags; a list of which can be found here.

Preparing the script

Required change

Before running the script, a valid API key must be added to the currently empty APIKEY property. For example, if your key was 123456789abcdef, your file would look like:

[Screenshot: API Key added]

Optional changes

You can also adjust some of the values that are added to the item, which mime-types the script will run against and the sleep time between each API request (for rate limiting).

| Property Name | Default Value | Description |
| --- | --- | --- |
| SLEEP_TIME | 15 | Numerical value. Indicates the number of seconds the script will wait between sending queries to the API. This can be set to 0 if using a premium API key, as the sleep only helps with rate limiting on the public API. |
| MIME_INCLUSIONS | `["application/exe", "application/java-class", "application/octet-stream", "application/pdf"]` | A list of mime-types to run the script against. This must be a list of strings, i.e. `[ "string1" , "string2" , "etc" ]`, OR set the value to None if you wish to run against every mime-type (useful if you are filtering beforehand). A list of mime-types can be found here. |
| SET_VHASH | True | Should the vHash value be extracted? Set to False to NOT include it as a property. |
| SET_IMPHASH | True | Should the import hash value be extracted? Set to False to NOT include it as a property. |
| SET_AUTHENTIHASH | True | Should the Authentihash value be extracted? Set to False to NOT include it as a property. |
| SET_TAGS | True | Should tags be set based on VirusTotal tags? Set to False to NOT tag items. |
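The following is an added illustration of how these settings combine, and is not the project's own worker side script: the mime-type filter (list or None), the SET_* flags deciding which hashes become item properties, the tag list, and the SLEEP_TIME rate limit. The property names mirror this page (vHash, Authentihash, ImpHash); the response layout assumes the VirusTotal v3 file object fields `vhash`, `authentihash`, `pe_info.imphash` and `tags`, and the sample response is constructed, not a real lookup.

```python
# Settings mirroring the script's configurable properties (page defaults;
# the APIKEY is a placeholder, never a real key).
SETTINGS = {
    "APIKEY": "<your-virustotal-api-key>",
    "SLEEP_TIME": 15,
    "MIME_INCLUSIONS": ["application/exe", "application/java-class",
                        "application/octet-stream", "application/pdf"],
    "SET_VHASH": True,
    "SET_IMPHASH": True,
    "SET_AUTHENTIHASH": True,
    "SET_TAGS": True,
}

def should_query(mime_type, mime_inclusions):
    """MIME_INCLUSIONS is either a list of strings or None (= every type)."""
    if mime_inclusions is None:
        return True
    return mime_type in mime_inclusions

def extract_properties(vt_attributes, settings):
    """Pick the hash values to attach as item properties, honouring the
    SET_* flags. Non-PE files (e.g. PDFs) have no pe_info, so ImpHash is
    simply omitted for them rather than raising."""
    props = {}
    if settings["SET_VHASH"] and vt_attributes.get("vhash"):
        props["vHash"] = vt_attributes["vhash"]
    if settings["SET_AUTHENTIHASH"] and vt_attributes.get("authentihash"):
        props["Authentihash"] = vt_attributes["authentihash"]
    imphash = vt_attributes.get("pe_info", {}).get("imphash")
    if settings["SET_IMPHASH"] and imphash:
        props["ImpHash"] = imphash
    return props

def extract_tags(vt_attributes, settings):
    """VirusTotal-assigned tags to apply to the item, or none if SET_TAGS is off."""
    return list(vt_attributes.get("tags", [])) if settings["SET_TAGS"] else []

def seconds_to_wait(last_request_at, now, sleep_time):
    """Public-API rate limiting: seconds still to wait before the next query.
    A SLEEP_TIME of 0 (premium key) never waits."""
    if last_request_at is None or sleep_time <= 0:
        return 0.0
    return max(0.0, sleep_time - (now - last_request_at))

# Constructed sample with the shape of a v3 file object; not real data.
SAMPLE_VT_ATTRIBUTES = {
    "vhash": "constructed-vhash-value",
    "authentihash": "constructed-authentihash-value",
    "pe_info": {"imphash": "constructed-imphash-value"},
    "tags": ["peexe", "signed"],
}
```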

Running the script

The script can be run from the processing GUI in Workstation, or called via the API. For in-depth details, please refer to the Worker side script examples repo here.
