File http-virustotal
Script types:
prerule
Categories:
safe, malware, external
Download: http://nmap.org/svn/scripts/http-virustotal.nse
User Summary
Checks whether a file has been determined to be malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API, which requires a valid API key and is limited to 4 queries per minute. A key can be acquired by registering as a user on the Virustotal web page.
The script supports both sending a file to the server for analysis and checking whether a checksum (supplied as an argument or calculated from a local file) was previously identified as malware.
As uploaded files are queued for analysis, upload mode simply returns a URL where the status of the queued file may be checked.
Script Arguments
upload
true if the file should be uploaded and scanned, false if a checksum should be calculated of the local file (default: false)
checksum
a SHA1, SHA256, MD5 checksum of a file to check
filename
the full path of the file to checksum or upload
apikey
an API key acquired from the virustotal web page
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent
See the documentation for the http library.
Example Usage
nmap --script http-virustotal --script-args='apikey="<key>",checksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"'
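As an added example (not the Nmap script's own Lua code), the Python sketch below reproduces the checksum mode described in the summary: it hashes a local file's bytes with SHA1, SHA256 and MD5, throttles lookups to the public API's 4 queries per minute, and reduces a report to the fields the script prints (Permalink, Scan date, Positives and the per-engine results table). The VirusTotal v2 report endpoint and the JSON field names (response_code, positives, total, scans, permalink, scan_date) are assumptions taken from the public v2 API, not from this page; the sample report is constructed, and the sample input is the EICAR test string, whose digests are the ones shown in the Script Output section.

```python
"""Added example, not code from the http-virustotal script: a minimal
checksum-lookup client mirroring the script's default mode (upload=false).
Assumed (not on the page): the v2 report endpoint and its JSON field names."""
import hashlib
import json
import time
import urllib.parse
import urllib.request

# Assumption: v2 public API endpoint for looking up an existing report.
VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"

# Constructed sample input: the 68-byte EICAR test string; its digests are
# the SHA1/SHA256/MD5 values shown in the page's Script Output.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample response (assumed v2 shape; three of the engines from
# the page's output) so the example can run without network access.
SAMPLE_REPORT = json.dumps({
    "response_code": 1, "scan_date": "2012-04-05 13:50:17",
    "positives": 2, "total": 3,
    "permalink": "https://www.virustotal.com/file/<sha256>/analysis/<timestamp>/",
    "scans": {
        "ClamAV": {"detected": True, "result": "Eicar-Test-Signature",
                   "update": "20120405", "version": "0.97.3.0"},
        "ByteHero": {"detected": False, "result": None,
                     "update": "20120404", "version": "1.0.0.1"},
        "Microsoft": {"detected": True, "result": "Virus:DOS/EICAR_Test_File",
                      "update": "20120405", "version": "1.8202"},
    },
})

def file_digests(data: bytes) -> dict:
    """Hash file contents with the three algorithms the script reports."""
    return {"SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "MD5": hashlib.md5(data).hexdigest()}

class RateLimiter:
    """Sliding-window limiter for the public-API quota of 4 queries/minute."""

    def __init__(self, max_calls: int = 4, period: float = 60.0):
        self.max_calls, self.period, self.calls = max_calls, period, []

    def delay_for(self, now: float) -> float:
        """Seconds to wait at time `now` before another query is allowed."""
        self.calls = [t for t in self.calls if now - t < self.period]
        if len(self.calls) < self.max_calls:
            return 0.0
        return self.period - (now - self.calls[0])

    def record(self, now: float) -> None:
        self.calls.append(now)

    def wait(self) -> None:
        delay = self.delay_for(time.monotonic())
        if delay > 0:
            time.sleep(delay)
        self.record(time.monotonic())

def build_report_request(apikey: str, checksum: str) -> urllib.request.Request:
    """POST the key and an MD5/SHA1/SHA256 'resource' to the report endpoint."""
    body = urllib.parse.urlencode({"apikey": apikey, "resource": checksum})
    return urllib.request.Request(VT_REPORT_URL, data=body.encode())

def summarize_report(raw: str):
    """Reduce a report document to the fields the script prints.
    Returns None when the hash is unknown (response_code 0) or still queued
    (response_code -2), so 'not found' is never mistaken for zero positives."""
    report = json.loads(raw)
    if report.get("response_code") != 1:
        return None
    rows = [(name, scan.get("result") or "-", scan.get("update", ""), scan.get("version", ""))
            for name, scan in sorted(report.get("scans", {}).items())]
    return {"permalink": report.get("permalink"), "scan_date": report.get("scan_date"),
            "positives": report.get("positives"), "total": report.get("total"),
            "results": rows}

def _http_fetch(req: urllib.request.Request) -> str:
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

def check_checksum(apikey: str, checksum: str, limiter: RateLimiter, fetch=_http_fetch):
    """Rate-limited lookup; `fetch` is injectable so the demo runs offline."""
    limiter.wait()
    return summarize_report(fetch(build_report_request(apikey, checksum)))

if __name__ == "__main__":
    digests = file_digests(EICAR)
    print("digests:", digests)
    # Offline run against the constructed report; drop fetch=... and supply
    # a real apikey to query the live service.
    summary = check_checksum("<key>", digests["SHA256"], RateLimiter(),
                             fetch=lambda req: SAMPLE_REPORT)
    print("Positives:", summary["positives"], "/", summary["total"])
    for name, result, date, version in summary["results"]:
        print(f"  {name:20} {result:30} {date}  {version}")
```

Run as-is for the offline demonstration. Two design points matter in practice: the limiter is applied before every request because the quota is enforced server-side and a 204 or error from Virustotal gives no results, and an unknown hash (response_code 0) is returned as None rather than as a report with zero positives, since "never seen" and "seen and clean" are different triage outcomes.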
Script Output
Pre-scan script results:
| http-virustotal:
|   Permalink: https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1333633817/
|   Scan date: 2012-04-05 13:50:17
|   Positives: 41
|   digests
|     SHA1: 3395856ce81f2b7382dee72602f798b642f14140
|     SHA256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
|     MD5: 44d88612fea8a8f36de82e1278abb02f
|   Results
|     name                 result                         date      version
|     AhnLab-V3            EICAR_Test_File                20120404  2012.04.05.00
|     AntiVir              Eicar-Test-Signature           20120405  7.11.27.24
|     Antiy-AVL            AVTEST/EICAR.ETF               20120403  2.0.3.7
|     Avast                EICAR Test-NOT virus!!!        20120405  6.0.1289.0
|     AVG                  EICAR_Test                     20120405  10.0.0.1190
|     BitDefender          EICAR-Test-File (not a virus)  20120405  7.2
|     ByteHero             -                              20120404  1.0.0.1
|     CAT-QuickHeal        EICAR Test File                20120405  12.00
|     ClamAV               Eicar-Test-Signature           20120405  0.97.3.0
|     Commtouch            EICAR_Test_File                20120405  5.3.2.6
|     Comodo               Exploit.EICAR-Test-File        20120405  12000
|     DrWeb                EICAR Test File (NOT a Virus!) 20120405  7.0.1.02210
|     Emsisoft             EICAR-ANTIVIRUS-TESTFILE!IK    20120405  5.1.0.11
|     eSafe                EICAR Test File                20120404  7.0.17.0
|     eTrust-Vet           the EICAR test string          20120405  37.0.9841
|     F-Prot               EICAR_Test_File                20120405  4.6.5.141
|     F-Secure             EICAR_Test_File                20120405  9.0.16440.0
|     Fortinet             EICAR_TEST_FILE                20120405  4.3.392.0
|     GData                EICAR-Test-File                20120405  22
|     Ikarus               EICAR-ANTIVIRUS-TESTFILE       20120405  T3.1.1.118.0
|     Jiangmin             EICAR-Test-File                20120331  13.0.900
|     K7AntiVirus          EICAR_Test_File                20120404  9.136.6595
|     Kaspersky            EICAR-Test-File                20120405  9.0.0.837
|     McAfee               EICAR test file                20120405  5.400.0.1158
|     McAfee-GW-Edition    EICAR test file                20120404  2012.1
|     Microsoft            Virus:DOS/EICAR_Test_File      20120405  1.8202
|     NOD32                Eicar test file                20120405  7031
|     Norman               Eicar_Test_File                20120405  6.08.03
|     nProtect             EICAR-Test-File                20120405  2012-04-05.01
|     Panda                EICAR-AV-TEST-FILE             20120405  10.0.3.5
|     PCTools              Virus.DOS.EICAR_test_file      20120405  8.0.0.5
|     Rising               EICAR-Test-File                20120405  24.04.02.03
|     Sophos               EICAR-AV-Test                  20120405  4.73.0 TP
|     SUPERAntiSpyware     NotAThreat.EICAR[TestFile]     20120402  4.40.0.1006
|     Symantec             EICAR Test String              20120405  20111.2.0.82
|     TheHacker            EICAR_Test_File                20120405  6.7.0.1.440
|     TrendMicro           Eicar_test_file                20120405  9.500.0.1008
|     TrendMicro-HouseCall Eicar_test_file                20120405  9.500.0.1008
|     VBA32                EICAR-Test-File                20120405  3.12.16.4
|     VIPRE                EICAR (v)                      20120405  11755
|     ViRobot              EICAR-test                     20120405  2012.4.5.5025
|_    VirusBuster          EICAR_test_file                20120404  14.2.11.0
Requires
Author: Patrik Karlsson
License: Same as Nmap--See http://nmap.org/book/man-legal.html