virustotal / vt-cli Goto Github PK
View Code? Open in Web Editor NEWVirusTotal Command Line Interface
Home Page: https://virustotal.github.io/vt-cli/
License: Apache License 2.0
VirusTotal Command Line Interface
Home Page: https://virustotal.github.io/vt-cli/
License: Apache License 2.0
While running a larger search, I was unable to parse the Yaml results. Triaging some files details in my search results I found some .NET files analysis produce invalid Yaml output.
To reproduce:
vt search 07720ce506b5cf4ecb1b276f673c4dcc7c1c2bb0c145e2eca4b1d5a3f9abcfb5
The error is here:
external_assemblies:
:
version: "3488.93.146.3490"
Full broken results for this file can be found here https://gist.github.com/schrodyn/8f2c84b563b5209d516def36783a175e Tried a couple of Yaml parsers and they fail most notably the Python yaml parser and the yq utility.
When I try to download any file of the virus of the error [You are not authorized to perform the requisted operation]. Can you help me?
ㄤ
I successfully cloned and installed vt
on OS X 12.0.1 but when I type vt
I get -bash: vt: command not found
.
I'd like to apt get vt-cli. Not sure what the process is here?
I noticed a difference in the response on a network which I did not trust and a trusted network in the response, and this has led me to believe that the request method the api uses does not force an https connection when it makes the request to the virustotal url. I have not reviewed every line of code in your binary but I think that what I am seeing is compelling enough to lead me to the conclusion that your binary uses http to make the call to virus total for a response. If this is correct the program is vulnerable to man in the middle attacks. I apologize if I have opened this bug in error but the difference I am seeing in the response leads to this conclusion. Feel free to just close if the program does indeed force an https connection when using the request method. I have been experimenting at home with your software and I noticed this.
I'd like to see instructions on how to enable zsh tab completion added to the README. I've gotten bash completion to work, but having issues with zsh completion. Admittedly new to zsh, so not sure exactly where to put the file. I've tried using /usr/share/zsh/functions/Completion/vt, as well as ~/.oh-my-zsh/completions, but this doesn't seem to work.
Best
Right now there's no way for updating the YARA rules of some existing ruleset.
i downloaded the binary package and i am kinda high and i need help installing this, please senapi help.
Hi!
Completions for fish shell can be easy added using standart cobra lib function:
cmd.GenFishCompletion()
If you don't mind, I'll do it, test it and send you a pull-request ASAP.
Downloaded the most recent (vt-cli 0.6.1) 64bit binary but it's somehow not working.
Running ./vt init
and providing the API key returns:
Get https://[my_hostname]/api/v3/metadata: Forbidden
Providing the API key via the command line returns (using verbose mode), e.g.:
* API key: [my_API key]
* API host: [my_hostname]
Get https://[my_hostname]/api/v3/files/8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85: Forbidden
On another openSUSE Leap 42.3 I get the following message:
Get https:// [...] dial tcp: lookup [my_FQDN] on 192.168.1.1:53 no such host
I cloned the repo.
The Go version is 1.19.5.
When I run make install
:
➜ vt-cli git:(master) make install
go install -ldflags "-X github.com/VirusTotal/vt-cli/cmd.Version=" github.com/VirusTotal/vt-cli/vt
➜ vt-cli git:(master)
And when I run the go install -ldflags "-X github.com/VirusTotal/vt-cli/cmd.Version=" github.com/VirusTotal/vt-cli/vt
directly, nothing happens!
how can i add my proxy in the command ? i tried to search but couldn't find a parameter to use to add my proxy
because all my devices are behind a proxy
Hi VT!
We love the behash
value found here: https://developers.virustotal.com/reference/file-behaviour-summary
However, we would like to use this value across multiple dynamic analysis / file behaviour feeds, some that are not from VT, in order to relate similar runs.
Would you be able to clarify how to calculate that behash
value such that we would be able to reproduce it given a set of input values? Or is the calculation somewhere in a repository somewhere that I could be directed to?
Thanks,
Kevin
Give the possibility to get the website url of a scan just done
vt search "content:FirstStageDropper.dll OR content:SecondStageDropper.dll" -I -n 50
feaa627fa65c452b75522ea3633e51f1842fc7577a523d43c5ea529c8aa08713
3485c9b79dfd3e00aef9347326b9ccfee588018a608f89ecd6597da552e3872f
a09273b4cc08c39afe0c964f14cef98e532ae530eb60b93aec669731c185ea23
a09273b4cc08c39afe0c964f14cef98e532ae530eb60b93aec669731c185ea23
43f7ae58e8e5471917178430f3425061d333b736974f4b2784ca543e3093204b
a260d222dfc94b91a09485647c21acfa4a26469528ec4b1b49469db3b283eb9a
a260d222dfc94b91a09485647c21acfa4a26469528ec4b1b49469db3b283eb9a
2d7cb5ff4a449fa284721f83e352098c2fdea125f756322c90a40ad3ebc5e40d
2d7cb5ff4a449fa284721f83e352098c2fdea125f756322c90a40ad3ebc5e40d
d75de8f7a132e0eb922d4b57f1ce8db47dfcae4477817d9f737762e486283795
d75de8f7a132e0eb922d4b57f1ce8db47dfcae4477817d9f737762e486283795
3c2187bc2a16f408f3aef4cbcebaf8f03134578086bac531b827ec0f7f7612bb
3c2187bc2a16f408f3aef4cbcebaf8f03134578086bac531b827ec0f7f7612bb
a63437a044d3ad01c52b0b18016bfdb8af2338067a4216be2dcaa04ec8ecee97
bf38bea3f89a697b0be13413b0fb1db2154b3dc79fffbee238014e4adeb0b880
Could we have an option to not show the upload progress?
If I'm calling this from a script then having the progress displayed isn't as useful.
Hi!
Thank you for this useful CLI tool.
I tested this tool on itself: vt.exe scan file --open --wait vt.exe
There is the resulting report: https://www.virustotal.com/gui/file/0ebdeefa3026aba7ee753059c78daceb8b89b6e2a4e1276d767bd117e9db9b94
There are 3 positive detection results:
Those results look like false positives, but I'd be curiouse what you think about them.
The documentation says you can query a group of URLs with this syntax:
cat list_of_urls | vt url -
this is taken from the help file on the command line binary.
~/virustotal_workspace$ cat test.txt | vt url -k KEY -
URL "LQ" not found
I have replaced my API key with KEY
I have tested this same code on both Linux and Windows with PowerShell and get the same results. The commands should work on both platforms. This leads me to two possible conclusions. Either there is a problem with the documentation, or there is a problem with the code. I may grep the code to see if I can find this string, but I am working at the moment. If I am typing something wrong, please correct me. Thank you.
With the vt domain subdomains <subdomain> -n 10000
query, it only returns more than 100 results in a single query, and the command does not return with a cursor
- therefore it does not appear to be possible to query for
The command should yield either a cursor value for the user to make multiple queries, or make it automatically continue until the desired amount of results is reached.
I think we need a feature that can help do some conditional formatting for the results. Like I just want to have results for the categories that are malicious. not everything.
Currently there is no way to access the objects which have relationships with a seed query. It would be useful to add an optional switch for relationships
I wanted to check my current vt CLI version (Homebrew) and was surprised to see vt version
didn't print any version number.
So I checked out the repo to find out this is a current problem:
$ make
$ make install
$ ~/go/bin/vt version
vt-cli
And I verified on an old setup, this isn't a regression as of commit 031203cad77b
.
I'm maintaining the vt-cli package in the AUR and one user reported the failing test.
Looking at the output he provided I could quickly reproduce it and it turns out to be an upstream issue.
TZ='Europe/Moscow' go test ./yaml
Output:
--- FAIL: TestYAML (0.00s)
yaml_test.go:188:
Error Trace: yaml_test.go:188
Error: Not equal:
expected: "Foo_date: 10000 # 1970-01-01 03:46:40 +0100 CET\n"
actual : "Foo_date: 10000 # 1970-01-01 05:46:40 +0300 MSK\n"
Diff:
--- Expected
+++ Actual
@@ -1,2 +1,2 @@
-Foo_date: 10000 # 1970-01-01 03:46:40 +0100 CET
+Foo_date: 10000 # 1970-01-01 05:46:40 +0300 MSK
Test: TestYAML
Messages: Test {10000}
FAIL
FAIL github.com/VirusTotal/vt-cli/yaml 0.003s
FAIL
C:\Users\Rony>vt file relationships 35d7741c0a86d0bf34591fae69161028492d17f2d3e36a5a25c6298012a1f886 -i contacted_urls
behaviours:
-
-
bundled_files:
-
comments:
-
-
contacted_ips:
-
contacted_urls:
-
sigma_analysis:
-
Hi,
I've been trying to install the vt-cli tool but i keep get the same error while using
make install
The Error it gives me is:
go install -ldflags "-X github.com/VirusTotal/vt-cli/cmd.Version=" github.com/VirusTotal/vt-cli/vt
/bin/sh: 1: go: not found
make: *** [Makefile:13: install] Error 127
Please assist, I don't know what to do from this point..
I'm trying to upload a file using vt scan file "C:\Users\david\Downloads\JetBrains.dotUltimate.2021.1.3.exe" -k xxxxxxx
.
The file uploads and then I get the following:
C:\Users\david\Downloads\JetBrains.dotUltimate.2021.1.3.exe uploading... 99.1%
C:\Users\david\Downloads\JetBrains.dotUltimate.2021.1.3.exe scanning...
Expecting JSON response from POST https://www.virustotal.com/_ah/upload/really-long-url/
I assume the upload failed because when I search for the sha256 on the website, it doesn't find anything.
What am I doing wrong? Why the "vt" command doesn't work for me.
I did the following actions:
git clone https://github.com/VirusTotal/vt-cli
cd vt-cli
make install
sudo apt-get install bash-completion
When, after all the points I had done, I wrote "vt", then I was written that
I thought that it was necessary and took installed vt, which was recommended by kali linux itself, but as it turns out later - this is absolutely not what I need
I even tried "export PATH=$PATH:'go env GOPATH'/bin" to fix it somehow, but it didn't help, I don't know what to do, please help
even just $GOPATH doesn't work for me, even though I installed:
sudo apt-get golang installation
sudo apt-get gccgo installation-go
Hi,
Can you please include FreeBSD in your releases and as a target in the Makefile.
Thanks.
Hi,
I don't know if my public api won't work or skipped a line in the instructions; however, I cannot download any file with the given SHA256. I get :
$ cat hashes.txt | vt download -
ca6597375fe4738a15021d9712c30b907293756436ed3a784d2feafed010a286 [You are not authorized to perform the requested operation]
d03339104a85a196ea98e3caebda458931f2af281e5ed93f867d8caf1b157726 [You are not authorized to perform the requested operation]
Get this crash when running this line vt an ZmM1MThiMzY4MTJiYjBiMTNhYmMwMTYwN2JhNjg2ZjI6MTYxMjgwNTE4MQ== > supplied-sample1/supplied_sample1.out.virustotaldata
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x5fd476]
goroutine 7 [running]:
net/url.(*URL).ResolveReference(0xdc3e20, 0x0, 0x0)
/home/travis/.gimme/versions/go1.14.15.linux.amd64/src/net/url/url.go:998 +0x36
github.com/VirusTotal/vt-go.URL(0x9958c8, 0xb, 0xc000040758, 0x1, 0x1, 0x0)
/home/travis/gopath/pkg/mod/github.com/!virus!total/[email protected]/vt.go:71 +0x89
github.com/VirusTotal/vt-cli/utils.(*APIClient).RetrieveObjects.func1(0xc0001acba0, 0xc000010a60, 0x9958c8, 0xb, 0xc000076360, 0xc0001acb40, 0xc0001b8610, 0x0, 0x7ffe7d4d16f3, 0x40)
/home/travis/gopath/src/github.com/VirusTotal/vt-cli/utils/client.go:77 +0xb4
created by github.com/VirusTotal/vt-cli/utils.(*APIClient).RetrieveObjects
/home/travis/gopath/src/github.com/VirusTotal/vt-cli/utils/client.go:75 +0x238
Seems like it's trying to parse the redirection from STDOUT?
go1.21.1 linux/amd64 is installed (manually installed it).
I see the following error message after downloading vt-cli and running "make install"
Make install
go install -ldflags "-X github.com/VirusTotal/vt-cli/cmd.Version=" github.com/VirusTotal/vt-cli/vt
cannot find package "github.com/VirusTotal/vt-cli/vt" in any of:
/usr/local/go/src/github.com/VirusTotal/vt-cli/vt (from $GOROOT)
/home/maorhz/Documents/Code/GO/src/github.com/VirusTotal/vt-cli/vt (from $GOPATH)
make: *** [Makefile:13: install] Error 1
Any idea where this is going wrong?
Hello i am using Windows and sub system linux shell i have problem about vt init also output there is vt: command not found.
I encountered an issue while using the vt download command from this project on GitHub. Below, I have provided details about the problem I faced.
Minor
OS: MacOS
Version: Ventura 13.4.1
I found the below command in the main page of this project which basically downloads all shas listed in an arbitrary text file:
cat /path/list_of_hashes.txt | vt download -
Now, if a sha doesn't exist in VT, the script doesn't ignore that sha and casts an error as below:
Error: File "sha256" not found
Ideally, one would like the script to continue processing and downloading the rest of hashes although some of them do not exist in VT but this is not the way this script works at the moment.
Can you please fix this issue?
Hi, I downloaded the tool, and when I try to insert an API it gives me an error every time:
gzip: invalid header
I wonder if the cli can support the behavior just like the web GUI, sometimes, a large file just scanned a few hours ago, and it actually came from an authorized source that doesn't worry us to scan and wait for the result again, just hours or even minutes later after the last scanning. That feature could also saving the resources on VirtusTotal!
Hi, My usecase is just submitting a file to vt for checking and then looking over the report. Can you demo how to do that (sorry!).
Many thanks,
I tried using the --verbose
flag once, just to see what it does, and now it is forever enabled even after several OS X reboots. How can I turn it off? I really don't need all that verbiage, which gets in the way of testing different command options and scripts. There is no --quiet
flag.
Would be nice if more standard locations such as XDG_CONFIG_HOME
(on all systems) or %APPDATA%
(on Windows} were supported for easier cross-system configuration. Currently as I see only home dir is supported:
Line 71 in bfea504
For post processing or feeding into other tools, it would be very useful to be able to convert output into JSON (and potentially CSV).
If I try to init vt-cli, I get the following error and start the init process again:
molinajavier@jramirez-samples:~$ vt
[+] Config setup start
[0] .vtapi
[1] vtapi.conf
[2] ~/.vtapi
[3] ~/vtapi.conf
[+] Select option, where you want to create config, or type custom path:1
[+] Provide your apikey: $myapikey
[+] Your apikey is pubic/private:private
[+] You have access to VT intelligence True/False:False
[optional] Your username for weblogin, only for rule menagment$user
[optional] Your password for weblogin, only for rule menagment$pass
[optional] Rule match notification email$email
[optional] Share rules with user$user2
a bytes-like object is required, not 'str'
[+] Config setup start
[0] .vtapi
[1] vtapi.conf
[2] ~/.vtapi
[3] ~/vtapi.conf
[+] Select option, where you want to create config, or type custom path:
If I abort the process, the configuration file is created empty and the tool can't be used.
When the only thing you want is to upload a file/url and get the verdicts back, the existing method is a bit cumbersome. The vt scan
command returns an analysis ID that then you need to use with vt analysis
in order to get the analysis results. And you may need to call vt analysis
multiple times until the analysis is completed.
It would be great if this process can be simplified.
The tool does not download files from VirusTotal and fails without an error. I was able to track it down to an improper URL provided by the VT API. When client.GetData(u, &downloadURL)
is called on line 39 in cmd/download.go the json response from the API looks something like this:
{
"data": "https://vtsamples.commondatastorage.googleapis.com...&response-content-disposition=attachment; filename=\"...\"&response-content-type=application/octet-stream;"
}
The returned data is treated as an URL but it is either not properly encoded or contains some data that it shouldn't.
Hey there,
Been using VirusTotal for a while, and vt-cli seemed perfect, until I checked our API request usage and discovered that using vt search
even with the -I
option results in one request being made to the API for every sample returned, the issue seems to be that the -I
option doesn't actually do anything except hide the output from the user, the request is still made on the backend, what I was hoping was something more like the VT web search, except an easy way to export all results.
It'd be good to see an option that issues one API request per search, even if it's per 20-30 results, vs 1 per result, easily eating up a modestly sized quota in a matter of hours.
I am using a tool that auto-extracts archives (ExtractNow) and it has the option to run commands and run external programs after completion.
It has many variables, such as %DestinationFolder%, but not the variable for the files.
I am trying to set it up to scan the folder after extraction, but it says it's invalid.
I get the same error when I try to manually scan any folder.
Any ideas?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.