The Hash Tool: Check for malware files using VirusTotal.com

Introduction

As of version 19.05.01, FileVoyager contains an integration with the famous site VirusTotal.com. With this integration, FileVoyager is able to query the VirusTotal database and report the malware potential of the submitted files.

I will not explain in depth how VirusTotal.com works, but to give an idea, here is how the related Wikipedia article describes it:

VirusTotal aggregates many antivirus products and online scan engines to check for viruses that the user’s own antivirus may have missed, or to verify against any false positives. Files up to 256 MB can be uploaded to the website or sent via email. Anti-virus software vendors can receive copies of files that were flagged by other scans but passed by their own engine, to help improve their software and, by extension, VirusTotal’s own capability. Users can also scan suspect URLs and search through the VirusTotal dataset.

To query the VirusTotal database, FileVoyager submits the hashes of the files that need to be checked. Only the hashes are sent to VirusTotal.com; the file contents are never sent.
Because the hashes must be computed first, the VirusTotal integration is part of the Hash Tool.

Configuring to query VirusTotal.com

To check files, proceed as follows:

  1. Select one or more files or folders in FileVoyager (if you don’t know how to select items, read this documentation page)
  2. Open the Hash Tool (see the Hash Tool documentation if necessary)
  3. In the Hash Tool config, tick the Check with VirusTotal checkbox. Ticking that box automatically selects the SHA-1 and MD5 algorithms (see the red arrows in the image below). VirusTotal.com must be queried with one of those two hashes, which is why you cannot deselect them.
  4. Then click the “Compute hashes” button.

The VirusTotal API key

To query VirusTotal.com, an API key is necessary. Getting one is easy: sign up to the VirusTotal Community. Once you have a valid VirusTotal Community account, you will find your personal API key in your Community profile. This key is all you need to use VirusTotal’s API.
A free API key comes with some limitations, though:

  • When you query reports for multiple files at once, only the first 4 reports are returned.
  • You are limited to 4 reports per minute.

You can remove those limitations by purchasing a Private API at VirusTotal.com.

FileVoyager comes with its own API key, but that key is shared among FileVoyager users worldwide. If there is a peak in queries, you may not be able to get VirusTotal reports. That is why it is strongly recommended that you sign up at VirusTotal.com, get your free API key and use it in FileVoyager.
When you click the “Compute hashes” button (see the image above), FileVoyager gives you the opportunity to enter your own API key in this screen.

You can skip this step and click Use FV’s internal key, but there is then no guarantee that the malware check will return reports.

The VirusTotal report

In the configuration screen above, I’ve selected 5 files to check against the VirusTotal database:

  • Three .exe files downloaded from the web
  • One .txt file that is malware (don’t be afraid, it’s just the malware test file from eicar.org)
  • One .mf file that should exist only on my machine

The resulting window is the following:

I will only explain the VirusTotal part here. To learn about the rest of this window’s features, refer to the Hash Tool documentation.

  1. Red frame 1 marks the column where the VirusTotal reports appear.
    • Two numbers appear in the column: xx/yy
      • xx is the number of positives
      • yy is the number of anti-malware engines that scanned the file
    • A flag icon represents the status of the file in the VirusTotal database
      • Green flag: 0 positives detected. The file is most likely safe
      • Yellow flag: between 1% and 25% of the antivirus engines have classified the file as malware
      • Red flag (with warning sign): more than 25% of the antivirus engines have classified the file as malware
      • White flag: the file is unknown to VirusTotal, or VirusTotal returned no response, probably because of the limitations of the free API key.
  2. Red frame 2 shows the details of the file currently selected in the list.
    Clicking “Online report” opens the browser straight on the VirusTotal.com page of the selected file, where a full detailed report is available.
  3. Red frame 3 shows the overall summary of the current query.
  4. The “Change VirusTotal API Key” button opens the window where you can enter your API key.
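As an added illustration (not FileVoyager’s own code), the following Python script reproduces what the steps above describe: it computes the MD5 and SHA-1 digests that are the only data sent to VirusTotal, looks each SHA-1 up in a constructed stand-in for the VirusTotal database, and maps the xx/yy result onto the flag colours of the legend. The sample files, the fake database and the handling of ratios below 1% are assumptions made for the example.

```python
import hashlib

# Hash Tool legend: 0 positives green, <=25% of engines yellow, >25% red, no data white.
YELLOW_MAX_PCT = 25.0

def file_hashes(data):
    """MD5 and SHA-1: the only data sent to VirusTotal, never the file bytes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def classify(positives, total):
    """Map an xx/yy result to a flag colour. positives=None models 'no response'
    (e.g. free-key limits); total=0 models a hash VirusTotal has never seen."""
    if positives is None or not total:
        return "white"
    if positives == 0:
        return "green"
    # Assumption: any detection not above 25% is yellow, including ratios
    # below 1%, which the legend does not mention explicitly.
    return "yellow" if 100.0 * positives / total <= YELLOW_MAX_PCT else "red"

def check_files(files, vt_db):
    """Hash each file, look its SHA-1 up in vt_db (a constructed stand-in for
    the VirusTotal database: sha1 -> (positives, total); missing key = never
    scanned) and return the 'xx/yy' column text plus the flag colour."""
    result = {}
    for name, data in files.items():
        positives, total = vt_db.get(file_hashes(data)["sha1"], (0, 0))
        label = f"{positives}/{total}" if total else "Unknown"
        result[name] = (label, classify(positives, total))
    return result

# Constructed sample inputs: three "downloaded" executables and a local-only file.
SAMPLE_FILES = {
    "setup.exe": b"MZ constructed installer 1",
    "viewer.exe": b"MZ constructed viewer 2",
    "dropper.exe": b"MZ constructed suspicious 3",
    "build.mf": b"Manifest-Version: 1.0\n",
}
# Constructed database entries: clean, lightly flagged, heavily flagged.
FAKE_VT_DB = {
    file_hashes(SAMPLE_FILES["setup.exe"])["sha1"]: (0, 70),
    file_hashes(SAMPLE_FILES["viewer.exe"])["sha1"]: (3, 70),
    file_hashes(SAMPLE_FILES["dropper.exe"])["sha1"]: (40, 70),
}

if __name__ == "__main__":
    for name, (label, flag) in check_files(SAMPLE_FILES, FAKE_VT_DB).items():
        print(f"{name:12} {label:>8} {flag}")
```

The local-only build.mf has no entry in the database, which is exactly the “Unknown” white-flag case the next section covers.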

Submit file to VirusTotal.com

When the flag is white and the status is Unknown, the file has never been scanned for malware by VirusTotal.
In that case, you can submit the file to the VirusTotal site for a scan if you wish. Note that, unlike the hash lookup, this uploads the file contents to VirusTotal.
Select the file in the list and a button will appear in the VirusTotal report pane. Click it and you will be prompted to upload your file.

When you submit a file, its status changes to “Busy…” with a magnifier icon. This means that the file was successfully uploaded to VirusTotal.

It may take a moment for VirusTotal to process the file.
FileVoyager will not fetch the new report on its own, so it is up to you to return to the config and query the report again.
In the example above, I waited less than a minute before retrying, and the report was successfully returned.

The Hash Tool: Check for malware files using VirusTotal.com was last modified: May 4th, 2019 by FileVoyager (Author)