Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Sponsors


File http-virustotal

Script types: prerule
Categories: safe, malware, external
Download: http://nmap.org/svn/scripts/http-virustotal.nse

User Summary

Checks whether a file has been determined as malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API which requires a valid API key and has a limit on 4 queries per minute. A key can be acquired by registering as a user on the virustotal web page:

The scripts supports both sending a file to the server for analysis or checking whether a checksum (supplied as an argument or calculated from a local file) was previously discovered as malware.

As uploaded files are queued for analysis, this mode simply returns a URL where status of the queued file may be checked.

Script Arguments

upload

true if the file should be uploaded and scanned, false if a checksum should be calculated of the local file (default: false)

checksum

a SHA1, SHA256, MD5 checksum of a file to check

filename

the full path of the file to checksum or upload

apikey

an API key acquired from the virustotal web page

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

unittest.run

See the documentation for the unittest library.

Example Usage

nmap --script http-virustotal --script-args='apikey="<key>",checksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"'

Script Output

Pre-scan script results:
| http-virustotal:
|   Permalink: https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1333633817/
|   Scan date: 2012-04-05 13:50:17
|   Positives: 41
|   digests
|     SHA1: 3395856ce81f2b7382dee72602f798b642f14140
|     SHA256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
|     MD5: 44d88612fea8a8f36de82e1278abb02f
|   Results
|     name                  result                          date      version
|     AhnLab-V3             EICAR_Test_File                 20120404  2012.04.05.00
|     AntiVir               Eicar-Test-Signature            20120405  7.11.27.24
|     Antiy-AVL             AVTEST/EICAR.ETF                20120403  2.0.3.7
|     Avast                 EICAR Test-NOT virus!!!         20120405  6.0.1289.0
|     AVG                   EICAR_Test                      20120405  10.0.0.1190
|     BitDefender           EICAR-Test-File (not a virus)   20120405  7.2
|     ByteHero              -                               20120404  1.0.0.1
|     CAT-QuickHeal         EICAR Test File                 20120405  12.00
|     ClamAV                Eicar-Test-Signature            20120405  0.97.3.0
|     Commtouch             EICAR_Test_File                 20120405  5.3.2.6
|     Comodo                Exploit.EICAR-Test-File         20120405  12000
|     DrWeb                 EICAR Test File (NOT a Virus!)  20120405  7.0.1.02210
|     Emsisoft              EICAR-ANTIVIRUS-TESTFILE!IK     20120405  5.1.0.11
|     eSafe                 EICAR Test File                 20120404  7.0.17.0
|     eTrust-Vet            the EICAR test string           20120405  37.0.9841
|     F-Prot                EICAR_Test_File                 20120405  4.6.5.141
|     F-Secure              EICAR_Test_File                 20120405  9.0.16440.0
|     Fortinet              EICAR_TEST_FILE                 20120405  4.3.392.0
|     GData                 EICAR-Test-File                 20120405  22
|     Ikarus                EICAR-ANTIVIRUS-TESTFILE        20120405  T3.1.1.118.0
|     Jiangmin              EICAR-Test-File                 20120331  13.0.900
|     K7AntiVirus           EICAR_Test_File                 20120404  9.136.6595
|     Kaspersky             EICAR-Test-File                 20120405  9.0.0.837
|     McAfee                EICAR test file                 20120405  5.400.0.1158
|     McAfee-GW-Edition     EICAR test file                 20120404  2012.1
|     Microsoft             Virus:DOS/EICAR_Test_File       20120405  1.8202
|     NOD32                 Eicar test file                 20120405  7031
|     Norman                Eicar_Test_File                 20120405  6.08.03
|     nProtect              EICAR-Test-File                 20120405  2012-04-05.01
|     Panda                 EICAR-AV-TEST-FILE              20120405  10.0.3.5
|     PCTools               Virus.DOS.EICAR_test_file       20120405  8.0.0.5
|     Rising                EICAR-Test-File                 20120405  24.04.02.03
|     Sophos                EICAR-AV-Test                   20120405  4.73.0 TP
|     SUPERAntiSpyware      NotAThreat.EICAR[TestFile]      20120402  4.40.0.1006
|     Symantec              EICAR Test String               20120405  20111.2.0.82
|     TheHacker             EICAR_Test_File                 20120405  6.7.0.1.440
|     TrendMicro            Eicar_test_file                 20120405  9.500.0.1008
|     TrendMicro-HouseCall  Eicar_test_file                 20120405  9.500.0.1008
|     VBA32                 EICAR-Test-File                 20120405  3.12.16.4
|     VIPRE                 EICAR (v)                       20120405  11755
|     ViRobot               EICAR-test                      20120405  2012.4.5.5025
|_    VirusBuster           EICAR_test_file                 20120404  14.2.11.0

Requires


Author: Patrik Karlsson

License: Same as Nmap--See http://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]