Installing VirusTotal/c-vtapi on Arch Linux

Continuing from the previous post, this is a belated memo briefly summarizing the installation steps for VirusTotal/c-vtapi (although it really just amounts to doing what the README says).

How-to

Runtime Dependencies

curl or libcurl (curl-devel package on some distributions)
jansson version 2.2 (min) (2.5 or newer recommended. jansson-devel on some distros)

Compiling Dependencies

automake, autoconf (might be autotools package on your platform)
gcc
libtool

via c-vtapi/README.md at master · VirusTotal/c-vtapi · GitHub

  • Install the required packages.
# pacman -S jansson curl automake autoconf gcc libtool --noconfirm
  • Clone the repository.
# cd /opt/
# git clone https://github.com/VirusTotal/c-vtapi.git
Cloning into 'c-vtapi'...
remote: Counting objects: 735, done.
remote: Total 735 (delta 0), reused 0 (delta 0), pack-reused 735
Receiving objects: 100% (735/735), 209.20 KiB | 622.00 KiB/s, done.
Resolving deltas: 100% (486/486), done.
# cd c-vtapi/
# ls
AUTHORS  CONTRIBUTORS  COPYING  ChangeLog  Doxyfile.in  Makefile.am  NEWS  README  README.md  aminclude.am  c-vtapi.pro  configure.ac  examples  lib  m4
  • Compile it.
# autoreconf -fi
# ls
AUTHORS       ChangeLog    Makefile.am  README      aminclude.am    c-vtapi.pro          config.guess  configure.ac  install-sh  m4
CONTRIBUTORS  Doxyfile.in  Makefile.in  README.md   ar-lib          c-vtapi_config.h.in  config.sub    depcomp       lib         missing
COPYING       INSTALL      NEWS         aclocal.m4  autom4te.cache  compile              configure     examples      ltmain.sh
# ./configure
# make
# make install
# ls
AUTHORS       Doxyfile     Makefile.am  README.md     autom4te.cache       compile        config.sub    examples    ltmain.sh
CONTRIBUTORS  Doxyfile.in  Makefile.in  aclocal.m4    c-vtapi.pro          config.guess   configure     install-sh  m4
COPYING       INSTALL      NEWS         aminclude.am  c-vtapi_config.h     config.log     configure.ac  lib         missing
ChangeLog     Makefile     README       ar-lib        c-vtapi_config.h.in  config.status  depcomp       libtool     stamp-h1
  • Compile the examples directory as well.
# autoreconf -fi
# ./configure --enable-examples
# make
# make install
# ls
AUTHORS       Doxyfile     Makefile.am  README.md     autom4te.cache       c-vtapi_config.h.in~  config.status  depcomp        lib        missing
CONTRIBUTORS  Doxyfile.in  Makefile.in  aclocal.m4    c-vtapi.pro          compile               config.sub     example_progs  libtool    stamp-h1
COPYING       INSTALL      NEWS         aminclude.am  c-vtapi_config.h     config.guess          configure      examples       ltmain.sh
ChangeLog     Makefile     README       ar-lib        c-vtapi_config.h.in  config.log            configure.ac   install-sh     m4
# cd example_progs/
# ls
comments  domain_report  file_dist  ip_report  scan  search  url  url_dist

Obtaining My API Key

The steps are omitted here; please refer to the following.

SCAN

  • Try uploading a file that was downloaded into cowrie to VirusTotal.
# cd example_progs/
# ./scan --apikey <My API Key> --filescan /home/cowrie/cowrie/dl/05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8
 apikey: <My API Key>
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/2762
progress_callback 0/2762
progress_callback 0/2762
progress_callback 2762/2762
progress_callback 2762/2762
progress_callback 2762/2762
progress_callback 2762/2762
progress_callback 2762/2762
progress_callback 2762/2762
progress_callback 2762/2762
progress_callback 2762/2762
Response:
{
    "scan_id": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8-1522329568",
    "sha1": "692e7dd86b8c6cce57cca220bcaa2b9cd80bb9a3",
    "resource": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8",
    "response_code": 1,
    "sha256": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8",
    "permalink": "https://www.virustotal.com/file/05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8/analysis/1522329568/",
    "md5": "859f5a1e2713594d670888852dd15123",
    "verbose_msg": "Scan request successfully queued, come back later for the report"
}
  • Check the analysis results for the uploaded file.
# ./scan --apikey <My API Key> --report 05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8
 apikey: <My API Key>
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/0
progress_callback 0/366
progress_callback 0/366
progress_callback 0/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
progress_callback 366/366
Response:
{
    "scans": {
        "Bkav": {
            "detected": false,
            "version": "1.3.0.9466",
            "result": null,
            "update": "20180329"
        },
        "TotalDefense": {
            "detected": false,
            "version": "37.1.62.1",
            "result": null,
            "update": "20180329"
        },
        "MicroWorld-eScan": {
            "detected": false,
            "version": "14.0.297.0",
            "result": null,
            "update": "20180329"
        },
        "nProtect": {
            "detected": false,
            "version": "2018-03-29.02",
            "result": null,
            "update": "20180329"
        },
        "CMC": {
            "detected": false,
            "version": "1.1.0.977",
            "result": null,
            "update": "20180329"
        },
        "CAT-QuickHeal": {
            "detected": false,
            "version": "14.00",
            "result": null,
            "update": "20180329"
        },
        "McAfee": {
            "detected": false,
            "version": "6.0.6.653",
            "result": null,
            "update": "20180329"
        },
        "Malwarebytes": {
            "detected": false,
            "version": "2.1.1.1115",
            "result": null,
            "update": "20180329"
        },
        "Zillya": {
            "detected": false,
            "version": "2.0.0.3523",
            "result": null,
            "update": "20180328"
        },
        "SUPERAntiSpyware": {
            "detected": false,
            "version": "5.6.0.1032",
            "result": null,
            "update": "20180329"
        },
        "TheHacker": {
            "detected": false,
            "version": "6.8.0.5.2585",
            "result": null,
            "update": "20180327"
        },
        "K7GW": {
            "detected": false,
            "version": "10.43.26646",
            "result": null,
            "update": "20180329"
        },
        "K7AntiVirus": {
            "detected": false,
            "version": "10.43.26650",
            "result": null,
            "update": "20180329"
        },
        "Baidu": {
            "detected": false,
            "version": "1.0.0.2",
            "result": null,
            "update": "20180329"
        },
        "F-Prot": {
            "detected": false,
            "version": "4.7.1.166",
            "result": null,
            "update": "20180329"
        },
        "Symantec": {
            "detected": false,
            "version": "1.5.0.0",
            "result": null,
            "update": "20180329"
        },
        "ESET-NOD32": {
            "detected": false,
            "version": "17136",
            "result": null,
            "update": "20180329"
        },
        "TrendMicro-HouseCall": {
            "detected": false,
            "version": "9.950.0.1006",
            "result": null,
            "update": "20180329"
        },
        "Avast": {
            "detected": true,
            "version": "18.2.3827.0",
            "result": "BV:Downloader-KB [Drp]",
            "update": "20180329"
        },
        "ClamAV": {
            "detected": false,
            "version": "0.99.2.0",
            "result": null,
            "update": "20180329"
        },
        "Kaspersky": {
            "detected": false,
            "version": "15.0.1.13",
            "result": null,
            "update": "20180329"
        },
        "BitDefender": {
            "detected": false,
            "version": "7.2",
            "result": null,
            "update": "20180329"
        },
        "NANO-Antivirus": {
            "detected": true,
            "version": "1.0.100.22043",
            "result": "Trojan.Script.Agent.ekbkzw",
            "update": "20180329"
        },
        "ViRobot": {
            "detected": false,
            "version": "2014.3.20.0",
            "result": null,
            "update": "20180329"
        },
        "Tencent": {
            "detected": false,
            "version": "1.0.0.1",
            "result": null,
            "update": "20180329"
        },
        "Ad-Aware": {
            "detected": false,
            "version": "3.0.5.370",
            "result": null,
            "update": "20180329"
        },
        "Emsisoft": {
            "detected": false,
            "version": "4.0.2.899",
            "result": null,
            "update": "20180329"
        },
        "Comodo": {
            "detected": false,
            "version": "28766",
            "result": null,
            "update": "20180329"
        },
        "F-Secure": {
            "detected": false,
            "version": "11.0.19100.45",
            "result": null,
            "update": "20180322"
        },
        "DrWeb": {
            "detected": true,
            "version": "7.0.28.2020",
            "result": "Linux.DownLoader.320",
            "update": "20180329"
        },
        "VIPRE": {
            "detected": false,
            "version": "65608",
            "result": null,
            "update": "20180329"
        },
        "TrendMicro": {
            "detected": false,
            "version": "9.862.0.1074",
            "result": null,
            "update": "20180329"
        },
        "McAfee-GW-Edition": {
            "detected": false,
            "version": "v2015",
            "result": null,
            "update": "20180329"
        },
        "Sophos": {
            "detected": false,
            "version": "4.98.0",
            "result": null,
            "update": "20180329"
        },
        "Cyren": {
            "detected": false,
            "version": "5.4.30.7",
            "result": null,
            "update": "20180329"
        },
        "Jiangmin": {
            "detected": false,
            "version": "16.0.100",
            "result": null,
            "update": "20180329"
        },
        "Avira": {
            "detected": true,
            "version": "8.3.3.6",
            "result": "HTML/ExpKit.Gen2",
            "update": "20180329"
        },
        "Fortinet": {
            "detected": false,
            "version": "5.4.247.0",
            "result": null,
            "update": "20180329"
        },
        "Antiy-AVL": {
            "detected": false,
            "version": "3.0.0.1",
            "result": null,
            "update": "20180329"
        },
        "Kingsoft": {
            "detected": false,
            "version": "2013.8.14.323",
            "result": null,
            "update": "20180329"
        },
        "Arcabit": {
            "detected": false,
            "version": "1.0.0.831",
            "result": null,
            "update": "20180329"
        },
        "AegisLab": {
            "detected": false,
            "version": "4.2",
            "result": null,
            "update": "20180329"
        },
        "ZoneAlarm": {
            "detected": false,
            "version": "1.0",
            "result": null,
            "update": "20180329"
        },
        "Avast-Mobile": {
            "detected": false,
            "version": "180329-02",
            "result": null,
            "update": "20180329"
        },
        "Microsoft": {
            "detected": false,
            "version": "1.1.14600.4",
            "result": null,
            "update": "20180329"
        },
        "AhnLab-V3": {
            "detected": false,
            "version": "3.12.0.20130",
            "result": null,
            "update": "20180329"
        },
        "ALYac": {
            "detected": false,
            "version": "1.1.1.5",
            "result": null,
            "update": "20180329"
        },
        "AVware": {
            "detected": false,
            "version": "1.5.0.42",
            "result": null,
            "update": "20180329"
        },
        "MAX": {
            "detected": false,
            "version": "2017.11.15.1",
            "result": null,
            "update": "20180329"
        },
        "VBA32": {
            "detected": false,
            "version": "3.12.28.0",
            "result": null,
            "update": "20180329"
        },
        "WhiteArmor": {
            "detected": false,
            "version": null,
            "result": null,
            "update": "20180324"
        },
        "Zoner": {
            "detected": false,
            "version": "1.0",
            "result": null,
            "update": "20180329"
        },
        "Rising": {
            "detected": true,
            "version": "25.0.0.1",
            "result": "Trojan.Mirai!1.AD2B (CLASSIC)",
            "update": "20180329"
        },
        "Yandex": {
            "detected": false,
            "version": "5.5.1.3",
            "result": null,
            "update": "20180329"
        },
        "Ikarus": {
            "detected": false,
            "version": "0.1.5.2",
            "result": null,
            "update": "20180329"
        },
        "GData": {
            "detected": false,
            "version": "A:25.16543B:25.11907",
            "result": null,
            "update": "20180329"
        },
        "AVG": {
            "detected": true,
            "version": "18.2.3827.0",
            "result": "BV:Downloader-KB [Drp]",
            "update": "20180329"
        },
        "Panda": {
            "detected": false,
            "version": "4.6.4.2",
            "result": null,
            "update": "20180329"
        },
        "Qihoo-360": {
            "detected": false,
            "version": "1.0.0.1120",
            "result": null,
            "update": "20180329"
        }
    },
    "scan_id": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8-1522329568",
    "sha1": "692e7dd86b8c6cce57cca220bcaa2b9cd80bb9a3",
    "resource": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8",
    "response_code": 1,
    "scan_date": "2018-03-29 13:19:28",
    "permalink": "https://www.virustotal.com/file/05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8/analysis/1522329568/",
    "verbose_msg": "Scan finished, information embedded",
    "total": 59,
    "positives": 6,
    "sha256": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8",
    "md5": "859f5a1e2713594d670888852dd15123"
}
Msg: Scan finished, information embedded
response code: 1
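As an added example (not part of the original post or of the c-vtapi project), a small Python helper that parses the report JSON printed after `Response:` by `scan --report` and pulls out the fields an analyst triages on; the embedded report is a constructed, trimmed version of the one above, and the path check assumes cowrie's convention of naming files under dl/ by their SHA-256.

```python
import json
import os

# Constructed sample in the shape of the `scan --report` output above; the real
# report lists 59 engines, only four are reproduced here (counters kept consistent).
SAMPLE_REPORT = json.dumps({
    "scans": {
        "Bkav":   {"detected": False, "version": "1.3.0.9466", "result": None, "update": "20180329"},
        "Avast":  {"detected": True, "version": "18.2.3827.0", "result": "BV:Downloader-KB [Drp]", "update": "20180329"},
        "DrWeb":  {"detected": True, "version": "7.0.28.2020", "result": "Linux.DownLoader.320", "update": "20180329"},
        "Rising": {"detected": True, "version": "25.0.0.1", "result": "Trojan.Mirai!1.AD2B (CLASSIC)", "update": "20180329"},
    },
    "resource": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8",
    "response_code": 1,
    "sha256": "05326fcb029bfffdf25c19c7efc709ae23fa34ba991d7c67eb4771705cabd1d8",
    "total": 4,
    "positives": 3,
    "verbose_msg": "Scan finished, information embedded",
})


def summarize_report(report_json, submitted_path=None):
    """Reduce a VirusTotal v2 file report to the fields an analyst triages on.

    Returns {"ready": False, ...} when VT has no finished report for the hash
    (response_code != 1), otherwise the hash, counters and detecting engines.
    Raises ValueError if VT's own counters disagree with the per-engine map.
    """
    r = json.loads(report_json)
    if r.get("response_code") != 1:
        return {"ready": False, "msg": r.get("verbose_msg")}

    # Engines flagged "detected": keep their label so it can go into the case notes.
    engines = {name: e.get("result") for name, e in r["scans"].items() if e.get("detected")}
    if len(engines) != r["positives"] or len(r["scans"]) != r["total"]:
        raise ValueError("positives/total do not match the scans map")

    # cowrie names files under dl/ by their SHA-256 (assumption about the honeypot
    # layout), so the basename of the --filescan path should equal the reported sha256.
    hash_ok = None
    if submitted_path is not None:
        hash_ok = os.path.basename(submitted_path).lower() == r["sha256"].lower()

    return {
        "ready": True,
        "sha256": r["sha256"],
        "positives": r["positives"],
        "total": r["total"],
        "engines": engines,
        "hash_matches_path": hash_ok,
    }
```

A low positives count such as the 6/59 above is not a clean bill of health on its own, which is why the per-engine labels (here Mirai and a Linux downloader) are kept rather than just the counters.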

Ref.

Env.

$ inxi -SM
System:    Host: pisces.blackle0pard.net Kernel: 4.15.12-1-ARCH x86_64 bits: 64 Console: tty 0
           Distro: Arch Linux
Machine:   Type: Kvm System: QEMU product: Standard PC (i440FX + PIIX, 1996) v: pc-i440fx-2.11 serial: N/A
           Mobo: N/A model: N/A serial: N/A BIOS: SeaBIOS v: rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org
           date: 04/01/2014
# git rev-parse HEAD
016f374fc356b643201149f890eaec6fb265e3d1