Didier Stevens

Wednesday 30 May 2012

Update: virustotal-search

Filed under: Malware,My Software,Update — Didier Stevens @ 9:04

I didn’t expect my virustotal-search program to be that popular, so here is a new version with new features and a few fixes (version 0.0.1 contained a buggy experimental feature I hadn’t planned to release then).

What I didn’t explain in my first post, is that virustotal-search builds a database (virustotal-search.pkl) of all your requests, so that recurring requests are served from that local database, and not from the VirusTotal servers. I’ve added a field (Requested) to indicate if the request was send to VirusTotal or served from the local database.

If you want all requests to be send to VirusTotal, regardless of the content of the local database, use option –force.

And if you don’t want to include your API key in the program source code, you have two alternatives:

  1. use option –key and provide the API key on the command line
  2. define environment variable VIRUSTOTAL_API2_KEY with the your API key

virustotal-search_V0_0_3.zip (https)
MD5: 89D48483B8CF48A11A26314CC3A7631C
SHA256: A66A264A772CB9AEE356E1CF902E93FCA8CDE77233A09DB4999BCF15FA45EDF9


  1. […] stworzył wyszukiwarkę w Pythonie dla VirusTotal, która po hashu pliku, wyszukuje stare raporty.https://blog.didierstevens.com/2012/05/30/update-virustotal-search/https://blog.didierstevens.com/2012/05/21/searching-with-virustotal/ Przy okazji warto wspomnieć o […]

    Pingback by Security News » Wyszukiwarka VirusTotal — Friday 1 June 2012 @ 10:42

  2. Hi Didier,

    I’ve added my feature to your version 0.0.3. Instead of -f it is now called -g ‘genhash’. Also added a -s –short feature. This will cause the program to only print the hash, score and url. If you like it perhaps its worth adding to your blog. With this new functionality I will be able to use it at work tomorrow to determine if a binary was already uploaded to VT and see the score directly.

    Next couple of days I’ll spend reading some more of your blog. Curious what you write about.

    Here’s my version: http://pastebin.com/nw92G0QX


    Comment by TecToDo — Monday 4 June 2012 @ 23:39

  3. This one is better: http://pastebin.com/BDBWhiRj

    Comment by TecToDo — Tuesday 5 June 2012 @ 8:48

  4. @TecToDo Thanks, I’ll take a look & merge, maybe with some tweaks.

    Comment by Didier Stevens — Tuesday 5 June 2012 @ 11:40

  5. […] Now, this does not mean that these executables are compromised. To get a better idea, I can use my virustotal-search tool to search […]

    Pingback by Searching For That Adobe Cert « Didier Stevens — Monday 1 October 2012 @ 19:29

  6. As you know VT stores multiple scans per file. Do you know of any way to get only the results from the first scan of a list of hashes? Your script returns the latest scan result per file.

    Comment by embrollo — Thursday 13 December 2012 @ 7:45

  7. @embrollo My script uses VirusTotal’s Public API version 2.0. When searching for a hash, that API returns the most recent scan:
    > a md5/sha1/sha256 hash will retrieve the most recent report on a given sample.

    To access a given report, you need to know the scan_id:
    > You may also specify a scan_id (sha256-timestamp as returned by the file upload API) to access a specific report.

    Comment by Didier Stevens — Thursday 13 December 2012 @ 12:26

  8. Thanks for the answer Didier. Unfortunately that’s not exactly what I’m looking for as I won’t know the scan_id beforehand. I’ll get in touch with Emiliano & Julio to see if they can add that feature to the API.

    Comment by embrollo — Tuesday 18 December 2012 @ 8:58

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.

%d bloggers like this: