I cloned the repo.
The Go version is 1.19.5.
When I run make install:

➜ vt-cli git:(master) make install
go install -ldflags "-X github.com/VirusTotal/vt-cli/cmd.Version=" github.com/VirusTotal/vt-cli/vt
➜ vt-cli git:(master)

And when I run the go install -ldflags "-X github.com/VirusTotal/vt-cli/cmd.Version=" github.com/VirusTotal/vt-cli/vt directly, nothing happens!

I'm maintaining the vt-cli package in the AUR and one user reported the failing test.
Looking at the output he provided I could quickly reproduce it and it turns out to be an upstream issue.

Reproduce (master/HEAD)

TZ='Europe/Moscow' go test ./yaml

Output:

--- FAIL: TestYAML (0.00s)
    yaml_test.go:188: 
                Error Trace:    yaml_test.go:188
                Error:          Not equal: 
                                expected: "Foo_date: 10000  # 1970-01-01 03:46:40 +0100 CET\n"
                                actual  : "Foo_date: 10000  # 1970-01-01 05:46:40 +0300 MSK\n"
                            
                                Diff:
                                --- Expected
                                +++ Actual
                                @@ -1,2 +1,2 @@
                                -Foo_date: 10000  # 1970-01-01 03:46:40 +0100 CET
                                +Foo_date: 10000  # 1970-01-01 05:46:40 +0300 MSK
                                 
                Test:           TestYAML
                Messages:       Test {10000}
FAIL
FAIL    github.com/VirusTotal/vt-cli/yaml       0.003s
FAIL

While running a larger search, I was unable to parse the Yaml results. Triaging some files details in my search results I found some .NET files analysis produce invalid Yaml output.

To reproduce:

vt search 07720ce506b5cf4ecb1b276f673c4dcc7c1c2bb0c145e2eca4b1d5a3f9abcfb5 

The error is here:

    external_assemblies: 
      : 
        version: "3488.93.146.3490"

Full broken results for this file can be found here https://gist.github.com/schrodyn/8f2c84b563b5209d516def36783a175e Tried a couple of Yaml parsers and they fail most notably the Python yaml parser and the yq utility.

Description

I encountered an issue while using the vt download command from this project on GitHub. Below, I have provided details about the problem I faced.

Issue Severity

Minor

Environment

OS: MacOS
Version: Ventura 13.4.1

Issue Details

I found the below command in the main page of this project which basically downloads all shas listed in an arbitrary text file:

cat /path/list_of_hashes.txt | vt download -

Now, if a sha doesn't exist in VT, the script doesn't ignore that sha and casts an error as below:

Error: File "sha256" not found

Expected Behavior

Ideally, one would like the script to continue processing and downloading the rest of hashes although some of them do not exist in VT but this is not the way this script works at the moment.

Can you please fix this issue?

Would be nice if more standard locations such as XDG_CONFIG_HOME (on all systems) or %APPDATA% (on Windows} were supported for easier cross-system configuration. Currently as I see only home dir is supported:

Currently there is no way to access the objects which have relationships with a seed query. It would be useful to add an optional switch for relationships

Get this crash when running this line vt an ZmM1MThiMzY4MTJiYjBiMTNhYmMwMTYwN2JhNjg2ZjI6MTYxMjgwNTE4MQ== > supplied-sample1/supplied_sample1.out.virustotaldata

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x5fd476]

goroutine 7 [running]:
net/url.(*URL).ResolveReference(0xdc3e20, 0x0, 0x0)
        /home/travis/.gimme/versions/go1.14.15.linux.amd64/src/net/url/url.go:998 +0x36
github.com/VirusTotal/vt-go.URL(0x9958c8, 0xb, 0xc000040758, 0x1, 0x1, 0x0)
        /home/travis/gopath/pkg/mod/github.com/!virus!total/[email protected]/vt.go:71 +0x89
github.com/VirusTotal/vt-cli/utils.(*APIClient).RetrieveObjects.func1(0xc0001acba0, 0xc000010a60, 0x9958c8, 0xb, 0xc000076360, 0xc0001acb40, 0xc0001b8610, 0x0, 0x7ffe7d4d16f3, 0x40)
        /home/travis/gopath/src/github.com/VirusTotal/vt-cli/utils/client.go:77 +0xb4
created by github.com/VirusTotal/vt-cli/utils.(*APIClient).RetrieveObjects
        /home/travis/gopath/src/github.com/VirusTotal/vt-cli/utils/client.go:75 +0x238

Seems like it's trying to parse the redirection from STDOUT?

Hey there,

Been using VirusTotal for a while, and vt-cli seemed perfect, until I checked our API request usage and discovered that using vt search even with the -I option results in one request being made to the API for every sample returned, the issue seems to be that the -I option doesn't actually do anything except hide the output from the user, the request is still made on the backend, what I was hoping was something more like the VT web search, except an easy way to export all results.

It'd be good to see an option that issues one API request per search, even if it's per 20-30 results, vs 1 per result, easily eating up a modestly sized quota in a matter of hours.

Hi, I downloaded the tool, and when I try to insert an API it gives me an error every time:

gzip: invalid header

I noticed a difference in the response on a network which I did not trust and a trusted network in the response, and this has led me to believe that the request method the api uses does not force an https connection when it makes the request to the virustotal url. I have not reviewed every line of code in your binary but I think that what I am seeing is compelling enough to lead me to the conclusion that your binary uses http to make the call to virus total for a response. If this is correct the program is vulnerable to man in the middle attacks. I apologize if I have opened this bug in error but the difference I am seeing in the response leads to this conclusion. Feel free to just close if the program does indeed force an https connection when using the request method. I have been experimenting at home with your software and I noticed this.

Hi,

Can you please include FreeBSD in your releases and as a target in the Makefile.

Thanks.

go1.21.1 linux/amd64 is installed (manually installed it).

I see the following error message after downloading vt-cli and running "make install"

Make install
go install -ldflags "-X github.com/VirusTotal/vt-cli/cmd.Version=" github.com/VirusTotal/vt-cli/vt
cannot find package "github.com/VirusTotal/vt-cli/vt" in any of:
/usr/local/go/src/github.com/VirusTotal/vt-cli/vt (from $GOROOT)
/home/maorhz/Documents/Code/GO/src/github.com/VirusTotal/vt-cli/vt (from $GOPATH)
make: *** [Makefile:13: install] Error 1

Any idea where this is going wrong?

The documentation says you can query a group of URLs with this syntax:

cat list_of_urls | vt url -

this is taken from the help file on the command line binary.

~/virustotal_workspace$ cat test.txt | vt url -k KEY -
URL "LQ" not found

I have replaced my API key with KEY

I have tested this same code on both Linux and Windows with PowerShell and get the same results. The commands should work on both platforms. This leads me to two possible conclusions. Either there is a problem with the documentation, or there is a problem with the code. I may grep the code to see if I can find this string, but I am working at the moment. If I am typing something wrong, please correct me. Thank you.

Could we have an option to not show the upload progress?

If I'm calling this from a script then having the progress displayed isn't as useful.

Give the possibility to get the website url of a scan just done

Hi,

I don't know if my public api won't work or skipped a line in the instructions; however, I cannot download any file with the given SHA256. I get :

$ cat hashes.txt | vt download -
ca6597375fe4738a15021d9712c30b907293756436ed3a784d2feafed010a286 [You are not authorized to perform the requested operation]
d03339104a85a196ea98e3caebda458931f2af281e5ed93f867d8caf1b157726 [You are not authorized to perform the requested operation]

the hunting notifications returns a list with a cursor, but it is just sequential order of all notifications. It would be helpful to be able to filter by specific "subject" content i.e. rule names. In the example below I'd want to filter in rules that match AV_trojan_*

Please, consider supporting Flatpak and publishing VirusTotal CLI on Flathub.

vt search "content:FirstStageDropper.dll OR content:SecondStageDropper.dll" -I -n 50
feaa627fa65c452b75522ea3633e51f1842fc7577a523d43c5ea529c8aa08713
3485c9b79dfd3e00aef9347326b9ccfee588018a608f89ecd6597da552e3872f
a09273b4cc08c39afe0c964f14cef98e532ae530eb60b93aec669731c185ea23
a09273b4cc08c39afe0c964f14cef98e532ae530eb60b93aec669731c185ea23
43f7ae58e8e5471917178430f3425061d333b736974f4b2784ca543e3093204b
a260d222dfc94b91a09485647c21acfa4a26469528ec4b1b49469db3b283eb9a
a260d222dfc94b91a09485647c21acfa4a26469528ec4b1b49469db3b283eb9a
2d7cb5ff4a449fa284721f83e352098c2fdea125f756322c90a40ad3ebc5e40d
2d7cb5ff4a449fa284721f83e352098c2fdea125f756322c90a40ad3ebc5e40d
d75de8f7a132e0eb922d4b57f1ce8db47dfcae4477817d9f737762e486283795
d75de8f7a132e0eb922d4b57f1ce8db47dfcae4477817d9f737762e486283795
3c2187bc2a16f408f3aef4cbcebaf8f03134578086bac531b827ec0f7f7612bb
3c2187bc2a16f408f3aef4cbcebaf8f03134578086bac531b827ec0f7f7612bb
a63437a044d3ad01c52b0b18016bfdb8af2338067a4216be2dcaa04ec8ecee97
bf38bea3f89a697b0be13413b0fb1db2154b3dc79fffbee238014e4adeb0b880

I'd like to see instructions on how to enable zsh tab completion added to the README. I've gotten bash completion to work, but having issues with zsh completion. Admittedly new to zsh, so not sure exactly where to put the file. I've tried using /usr/share/zsh/functions/Completion/vt, as well as ~/.oh-my-zsh/completions, but this doesn't seem to work.

Best

Downloaded the most recent (vt-cli 0.6.1) 64bit binary but it's somehow not working.
Running ./vt init and providing the API key returns:

Get https://[my_hostname]/api/v3/metadata: Forbidden

Providing the API key via the command line returns (using verbose mode), e.g.:

* API key: [my_API key]
* API host: [my_hostname]
Get https://[my_hostname]/api/v3/files/8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85: Forbidden

On another openSUSE Leap 42.3 I get the following message:

Get https:// [...] dial tcp: lookup [my_FQDN] on 192.168.1.1:53 no such host

When I try to download any file of the virus of the error [You are not authorized to perform the requisted operation]. Can you help me?

Print: https://i.imgur.com/f1UpC8c.png

I'd like to apt get vt-cli. Not sure what the process is here?

I wanted to check my current vt CLI version (Homebrew) and was surprised to see vt version didn't print any version number.

So I checked out the repo to find out this is a current problem:

$ make
$ make install
$ ~/go/bin/vt version
vt-cli 

And I verified on an old setup, this isn't a regression as of commit 031203cad77b.

Hi, My usecase is just submitting a file to vt for checking and then looking over the report. Can you demo how to do that (sorry!).

Many thanks,

Hi,
I've been trying to install the vt-cli tool but i keep get the same error while using
make install
The Error it gives me is:

go install -ldflags "-X github.com/VirusTotal/vt-cli/cmd.Version=" github.com/VirusTotal/vt-cli/vt
/bin/sh: 1: go: not found
make: *** [Makefile:13: install] Error 127

Please assist, I don't know what to do from this point..

For post processing or feeding into other tools, it would be very useful to be able to convert output into JSON (and potentially CSV).

Hello i am using Windows and sub system linux shell i have problem about vt init also output there is vt: command not found.

If I try to init vt-cli, I get the following error and start the init process again:

molinajavier@jramirez-samples:~$ vt
[+] Config setup start
        [0] .vtapi
        [1] vtapi.conf
        [2] ~/.vtapi
        [3] ~/vtapi.conf
[+] Select option, where you want to create config, or type custom path:1
[+] Provide your apikey: $myapikey
[+] Your apikey is pubic/private:private
[+] You have access to VT intelligence True/False:False
[optional] Your username for weblogin, only for rule menagment$user
[optional] Your password for weblogin, only for rule menagment$pass
[optional] Rule match notification email$email
[optional] Share rules with user$user2
a bytes-like object is required, not 'str'
[+] Config setup start
        [0] .vtapi
        [1] vtapi.conf
        [2] ~/.vtapi
        [3] ~/vtapi.conf
[+] Select option, where you want to create config, or type custom path:

If I abort the process, the configuration file is created empty and the tool can't be used.

i downloaded the binary package and i am kinda high and i need help installing this, please senapi help.

I successfully cloned and installed vt on OS X 12.0.1 but when I type vt I get -bash: vt: command not found.

I installed gccgo-go then virus total cli

but vt cannot be initialized

I tried using the --verbose flag once, just to see what it does, and now it is forever enabled even after several OS X reboots. How can I turn it off? I really don't need all that verbiage, which gets in the way of testing different command options and scripts. There is no --quiet flag.

how can i add my proxy in the command ? i tried to search but couldn't find a parameter to use to add my proxy
because all my devices are behind a proxy

I am using a tool that auto-extracts archives (ExtractNow) and it has the option to run commands and run external programs after completion.

It has many variables, such as %DestinationFolder%, but not the variable for the files.

I am trying to set it up to scan the folder after extraction, but it says it's invalid.

I get the same error when I try to manually scan any folder.

Any ideas?

I think we need a feature that can help do some conditional formatting for the results. Like I just want to have results for the categories that are malicious. not everything.

When the only thing you want is to upload a file/url and get the verdicts back, the existing method is a bit cumbersome. The vt scan command returns an analysis ID that then you need to use with vt analysis in order to get the analysis results. And you may need to call vt analysis multiple times until the analysis is completed.

It would be great if this process can be simplified.

I'm trying to upload a file using vt scan file "C:\Users\david\Downloads\JetBrains.dotUltimate.2021.1.3.exe" -k xxxxxxx.

The file uploads and then I get the following:

C:\Users\david\Downloads\JetBrains.dotUltimate.2021.1.3.exe uploading... 99.1%

C:\Users\david\Downloads\JetBrains.dotUltimate.2021.1.3.exe scanning...

Expecting JSON response from POST https://www.virustotal.com/_ah/upload/really-long-url/

I assume the upload failed because when I search for the sha256 on the website, it doesn't find anything.

Summary

With the vt domain subdomains <subdomain> -n 10000 query, it only returns more than 100 results in a single query, and the command does not return with a cursor - therefore it does not appear to be possible to query for

Expected Behavior

The command should yield either a cursor value for the user to make multiple queries, or make it automatically continue until the desired amount of results is reached.

ㄤ

What am I doing wrong? Why the "vt" command doesn't work for me.
I did the following actions:

1. git clone https://github.com/VirusTotal/vt-cli

2. cd vt-cli

3. make install

4. sudo apt-get install bash-completion

5. When, after all the points I had done, I wrote "vt", then I was written that
   

6. I thought that it was necessary and took installed vt, which was recommended by kali linux itself, but as it turns out later - this is absolutely not what I need

7. I even tried "export PATH=$PATH:'go env GOPATH'/bin" to fix it somehow, but it didn't help, I don't know what to do, please help
   even just $GOPATH doesn't work for me, even though I installed:

8. sudo apt-get golang installation

9. sudo apt-get gccgo installation-go

Hi VT!

We love the behash value found here: https://developers.virustotal.com/reference/file-behaviour-summary

However, we would like to use this value across multiple dynamic analysis / file behaviour feeds, some that are not from VT, in order to relate similar runs.

Would you be able to clarify how to calculate that behash value such that we would be able to reproduce it given a set of input values? Or is the calculation somewhere in a repository somewhere that I could be directed to?

Thanks,

Kevin

Hi!
Completions for fish shell can be easy added using standart cobra lib function:

cmd.GenFishCompletion()

If you don't mind, I'll do it, test it and send you a pull-request ASAP.

Right now there's no way for updating the YARA rules of some existing ruleset.

The tool does not download files from VirusTotal and fails without an error. I was able to track it down to an improper URL provided by the VT API. When client.GetData(u, &downloadURL) is called on line 39 in cmd/download.go the json response from the API looks something like this:

{
    "data": "https://vtsamples.commondatastorage.googleapis.com...&response-content-disposition=attachment; filename=\"...\"&response-content-type=application/octet-stream;"
}

The returned data is treated as an URL but it is either not properly encoded or contains some data that it shouldn't.

I wonder if the cli can support the behavior just like the web GUI, sometimes, a large file just scanned a few hours ago, and it actually came from an authorized source that doesn't worry us to scan and wait for the result again, just hours or even minutes later after the last scanning. That feature could also saving the resources on VirtusTotal!