While delivering a temporary consulting engagement as Principal Security Engineer for a Canadian university, I was asked to vet some of the software packages that students and teachers wanted to install and use inside the campus network.
I will share my approach here, but I would love to hear what others do with similar requests.
There is a tool called VirusTotal. It is free of charge and allows you to check (a) files (executables, MSI packages and many other types), (b) URLs with live web pages, and (c) search the VirusTotal database for any previously checked items.
When you submit a query, VirusTotal searches its history and, if the item was previously scanned, offers to display the previous results or rescan the item. The checks are done with multiple antivirus engines. I didn't have the opportunity to learn how the number of engines run against a request is decided; in my results it varied from 57 to 65 engines.
If a URL is checked, the actual web page code is scanned for potential exploits, which I found really interesting to explore, as some engines flag a page as potentially dangerous while others consider it completely safe.
The issue I faced was with checking large files, as a single file upload to VirusTotal is limited to 150 MB. Again, there is no obvious explanation of how bigger files get uploaded to the database. However, you can search by file hash, and I used Microsoft's File Checksum Integrity Verifier (FCIV) for this purpose. The interesting fact here is that FCIV returns MD5 and SHA-1, whereas VirusTotal uses SHA-256 as its primary key; it is still able to find the correct record when an MD5 or SHA-1 hash is provided.
The best thing about VirusTotal is its API. You can register for free, obtain an API key that serves as your credentials, and then use Python, cURL or PHP to run multiple queries. As I am allowed to use a Windows machine only at the moment, I had to dig around to find curl for Windows, which was not difficult to locate. Here is the one-liner that was run through the cycle of all available hashes and returned a JSON file for each request:
curl -v --request POST https://www.virustotal.com/vtapi/v2/file/report -d apikey=<my virustotal API key> -d resource=<hash value from the array>
Another thing that was required was formatting VirusTotal's JSON output as "pretty JSON" using another Windows utility, jq. The tool is sensitive to the length of the file name and cannot process long file names (I was using the hash for the JSON file names originally, and it caused jq-win64.exe to crash).
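Here is the same procedure as an added example in Python (the other language mentioned above; this is not the post's own code): it hashes each file locally so nothing has to be uploaded, sends the same file/report request as the curl one-liner, and reduces the JSON reply to a verdict. The API key, the file paths on the command line and the SAMPLE_REPORT body are assumptions constructed for illustration.

```python
import hashlib
import json
import sys
import time
import urllib.parse
import urllib.request

# Same endpoint as the curl one-liner above.
VT_FILE_REPORT = "https://www.virustotal.com/vtapi/v2/file/report"

def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the bytes; VirusTotal accepts any of them as 'resource'."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def summarize_report(report: dict) -> dict:
    """Reduce a v2 file/report JSON body to what a reviewer needs to decide."""
    code = report.get("response_code")
    if code == 0:   # hash never seen by VirusTotal: not clean, just unknown
        return {"status": "unknown", "positives": None, "total": None, "engines": []}
    if code == -2:  # submitted but still queued for analysis
        return {"status": "queued", "positives": None, "total": None, "engines": []}
    engines = sorted(n for n, r in report.get("scans", {}).items() if r.get("detected"))
    return {"status": "scanned", "positives": report.get("positives", 0),
            "total": report.get("total", 0), "engines": engines}

def lookup(api_key: str, resource: str) -> dict:
    """One POST to file/report, equivalent to the curl line (needs network access)."""
    body = urllib.parse.urlencode({"apikey": api_key, "resource": resource}).encode()
    req = urllib.request.Request(VT_FILE_REPORT, data=body)
    with urllib.request.urlopen(req) as resp:
        return summarize_report(json.load(resp))

# Constructed sample of a v2 file/report body, so the parsing can be seen offline.
SAMPLE_REPORT = {
    "response_code": 1, "positives": 2, "total": 60,
    "scans": {"EngineA": {"detected": True, "result": "Trojan.Generic"},
              "EngineB": {"detected": False, "result": None},
              "EngineC": {"detected": True, "result": "PUA.Adware"}},
}

if __name__ == "__main__":
    api_key = sys.argv[1]  # usage: script.py <api key> <file> [<file> ...]
    for path in sys.argv[2:]:
        with open(path, "rb") as fh:
            sha256 = file_hashes(fh.read())["sha256"]
        # json.dumps(indent=2) replaces the separate jq pretty-printing step.
        print(path, json.dumps(lookup(api_key, sha256), indent=2))
        time.sleep(15)  # public v2 keys are limited to 4 requests per minute
```

A "unknown" result means VirusTotal has never seen the hash, which is not the same as the file being clean; such packages still need a manual look or an upload.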
I hope this helps someone facing the same goal of semi-automatically checking software for known vulnerabilities. If you have your own approach with the tools I described here or with other instruments, please share.