Update: this script has been update and renamed to OVScan. Please use the new version.
VirusTotal is a free service offered by Hispasec systems which scans the submitted files with a large number of AV engines (currently more than 30) and shows you the result. Disclaimer: I have no affiliation with them or any other such service. While the results do not guarantee anything (having in mind that every engine can have false positives and malware which it doesn’t detect), still it offers a much more detailed result than scanning with a single AV engine.
This unofficial uploader was written to make it possible to submit multiple files in a batch mode and to make it possible to produce reports automatically. It is written in Perl and should run on most platforms Perl is available (for Windows you can use ActivePerl)
The software (script) is released under the GPLv3. The supported command line option currently are:
vtuploader.pl [options] [file masks] Options: -n --no-distrib The sample is not distributed to AV vendors -h --help Displays this help -v --verbose Output detailed information about the progress -b --bb-code Output the result as BBCode -c --csv Output the result as CSV -t --tab Output the result as tab delimited file -m --html Output the result as HTML -l --log=[file] Save the output (the result of the scans) to the specified day File masks: Specifies a file or a group of files to upload and scan
An example result can be seen below:
File name | vtuploader.pl | ||
---|---|---|---|
Antivirus | Version | Last update | Result |
AVG | 7.5.0.476 | 2007.08.12 | – |
AhnLab-V3 | 2007.8.9.2 | 2007.08.10 | – |
AntiVir | 7.4.0.60 | 2007.08.12 | – |
Authentium | 4.93.8 | 2007.08.11 | – |
Avast | 4.7.1029.0 | 2007.08.12 | – |
BitDefender | 7.2 | 2007.08.12 | – |
CAT-QuickHeal | 9.00 | 2007.08.11 | – |
ClamAV | 0.91 | 2007.08.12 | – |
DrWeb | 4.33 | 2007.08.12 | – |
Ewido | 4.0 | 2007.08.12 | – |
F-Prot | 4.3.2.48 | 2007.08.10 | – |
F-Secure | 6.70.13030.0 | 2007.08.12 | – |
FileAdvisor | 1 | 2007.08.12 | – |
Fortinet | 2.91.0.0 | 2007.08.12 | – |
Ikarus | T3.1.1.12 | 2007.08.12 | – |
Kaspersky | 4.0.2.24 | 2007.08.12 | – |
McAfee | 5095 | 2007.08.10 | – |
Microsoft | 1.2704 | 2007.08.12 | – |
NOD32v2 | 2454 | 2007.08.12 | – |
Norman | 5.80.02 | 2007.08.10 | – |
Panda | 9.0.0.4 | 2007.08.12 | – |
Prevx1 | V2 | 2007.08.12 | – |
Rising | 19.35.62.00 | 2007.08.12 | – |
Sophos | 4.20.0 | 2007.08.12 | – |
Sunbelt | 2.2.907.0 | 2007.08.11 | – |
Symantec | 10 | 2007.08.12 | – |
TheHacker | 6.1.7.167 | 2007.08.12 | – |
VBA32 | 3.12.2.2 | 2007.08.11 | – |
VirusBuster | 4.3.26:9 | 2007.08.12 | – |
Webwasher-Gateway | 6.0.1 | 2007.08.12 | – |
eSafe | 7.0.15.0 | 2007.08.10 | – |
eTrust-Vet | 31.1.5050 | 2007.08.11 | – |
Additional information | |||
File size: | 16004 bytes | ||
MD5: | 61b8388cb718f5888f63e506707cf58f | ||
SHA1: | d57434e6f782fcb59dba0160af404a0455848cd4 |
Tips and tricks:
- Deprecated! See the command line options on how to redirect the output. You should always redirect the output to a logfile. Status messages are not influenced by the redirection because they are written to the standard error console.
- You should use the -v option, unless you are very patient, because scanning of the files can take a long time.
- If you need to use a proxy, you can set this from the environment variables by doing
export http_proxy=http://localhost:8080/
under Linux or the equivalentset http_proxy=http://localhost:8080/
under Windows
Warning: this uploader is based undocumented interfaces in VirusTotal. Although I have their permission to create this software, there is no express guarantee on their part that the interfaces will remain the same. In case they change, this script may (and most probably will) break and I can’t make any guarantees on the time it will take me to repair it. Please see the official methods for sending files to have a guaranteed delivery.
Update: added long option, the possibility to directly specify the file where the output should be saved and a summary which gives the detection count both as raw numbers and as percentage.
PS. Here are some alternative services in the same venue, if VT is unavailable for some reason:
- virusscan.jotti.org – similar, but sadly it’s almost constantly at peak utilization, and because of this, rather slow
- VirScan.org – a new service from China (I think) with some broken English here and there, but seems to work fine (I also like the fact that archives can be submitted)
- scanner.virus.org – with a spartan interface and slightly outdated virus definitons sometimes
Update: this script has been update and renamed to OVScan. Please use the new version.
5 responses to “Unofficial VirusTotal uploader”
Hi Cd-MaN
This is a very useful script !!
Thank you very much for shared it…
I just tested it with samples from http://blog.untangle.com/?p=96
http://virus.untangle.com/
Your script worked perfectly
BTW these results are here
http://vrac.uggy.org/results-vtuploader-virus-untangle-com
(And I blogged in french about your script on http://blog.uggy.org )
Thank you again..
Great script 🙂
a great thanks by myself as well! 😉
Here’s a diff in case you want to use SSL for the upload:
311c311
< my $file_upload_request = POST 'http://www.virustotal.com/vt/en/recepcionf',
—
> my $file_upload_request = POST ‘https://www.virustotal.com/vt/en/recepcion’,
314c314,315
< 'distribuir' => $distribute
—
> ‘distribuir’ => $distribute,
> ‘envioseguro’ => 1
341d341
<
343c343
< unless ($response->header(‘Location’) =~ /?([a-f0-9]+)$/i);
—
> unless ($response->header(‘location’) =~ /?([a-f0-9]+)$/i);
it’s changed from /vt/en/recepcionf to /vt/en/recepcion now
This is great. One problem. VT recently made a change on their site. I think that kills this pl if the file has been examined before. Can you help with a mod? If the file has been looked at before, VT throws up a screen asking if you want to re-analyze or view the previous analysis…