Configuring VirusTotal

VirusTotal is an online service that analyzes files and URLs to identify viruses, worms, trojans and other kinds of malicious content that is detected by antivirus engines and website scanners. You can use Connect to send data to the VirusTotal API and check for malware on your endpoints, and report the results to any connection destination.

If you did not configure VirusTotal connections in a previous version of Connect, you cannot create a VirusTotal destination (VirusTotal source process) in Connect 4.1. If you do have a VirusTotal destination configured, we suggest that you move the destination to use the reputation service. For more information, see Configuring reputation data.

Overview

When configured, the Connect integration with VirusTotal:

  1. Gets hashes of interest from saved questions or other Tanium products.
  2. Sends the hashes to the VirusTotal API to see if those hashes are known malware.
  3. Sends notifications about the results of the VirusTotal API query through a connection destination. For example, you might send results to a log file, SIEM, or email.

To configure this integration, you use the reputation service and a connection. The reputation service uses the VirusTotal API to check the hashes. The connection takes the results of the VirusTotal API check and sends them to the specified connection destinations.

After a hash is processed on a connection, it does not get processed again, even if no filter is applied. If malware appears that matches the hash in a later run of the connection, it does not get checked again by Connect through VirusTotal.

If you want to repeatedly check for a hash that was found by VirusTotal, you can create a repeating IOC or YARA scan that contains the hash in Detect. For more information, see the Tanium Detect User Guide.

Prerequisites

  • To get hashes for processes or files, install Incident Response.
  • Configure VirusTotal as a Reputation Source in Connect. For more information, see VirusTotal.
  • (Optional) Define and save a question that has a hash as part of the answer.
    For example, if you are using Incident Response, a common choice is the question Get Running Processes with MD5 Hash from all machines. Save the question so that it is listed in Connect when you create the connection to send data to the reputation service.

Send data to the reputation service

If you want to pre-populate reputation data with hashes from your environment, you can send data to the reputation service as a connection destination. When this content is pre-populated, the reputation service can start querying about the status of the items from the reputation sources.

  1. Create a new connection.
  2. For the source, choose a saved question that returns a hash, such as Get Running Processes with MD5 Hash from all machines.
  3. For the destination, choose reputation service and select the appropriate hash type for the Hash Field.

Each reputation service connection destination is configured for a specific hash column name. You must use a separate destination for each hash type that you are populating. For example, if you are populating both MD5 and SHA1 hashes from different saved questions, create two connection destinations with different values for the Hash Field setting.

Create a connection to send results

The connection sends the results of the VirusTotal API query to one of the standard data targets. Although you can also create a reputation service source, the VirusTotal source provides enhanced reporting information. The enhanced reporting information is available only if you select Keep all reports on the Reputation Service settings page.

  1. On the Connect home page, click Create Connection > Create.
  2. Enter a name and description for your connection.
  3. In the Connection source section, choose VirusTotal API settings.
    1. Define VirusTotal output settings to filter which VirusTotal responses are reported.
      Table 1: VirusTotal Output setting options

      Value      Description
      All        All VirusTotal responses are included.
      Negative   Lists all files without evidence of threat or malware. Only items for which VirusTotal knows the file hash and none of the virus engines have reported it as a threat or malware are included.
      Positive   Lists files that have been reported as a threat or malware. Only items for which VirusTotal knows the file hash, because the file has been scanned, and one or more of the virus engines have reported the file as a threat or malware are included.
      Unknown    Only items for which VirusTotal has not scanned the file are included. These items have no information about whether they are a threat.

    2. (Optional) If you set the VirusTotal Output setting to Positive, you might want to set a Positive Threshold.
      This setting is an integer number of positive reports that must exist for the hash before it is considered a potential threat or malware.
      The lower the value, the more likely it is that the VirusTotal reports that are sent include false positives.

      Example: If you set the value to 3, then three VirusTotal engines must report an item as malicious for the item to be sent to Connect.
      Setting the value to 0 disables the threshold. If any VirusTotal engine reports that item as malicious, the item is sent to Connect.
  4. In the Connection Destination section, choose a connection destination.
    For initial setup, you might write to a file or send to email so that you can easily confirm you are getting the results you expect from the VirusTotal lookup.
  5. (Optional) Choose the appropriate Filter options. For more information about filters, see Reference: Filtering options.
  6. Choose the format that you want to use for your output. For more information about formats, see Reference: Format types.
  7. Update the schedule: Use the Generate Cron tab to build a schedule based on some common time intervals. This tab generates a Cron expression. To view or edit the Cron expression directly, click the Edit Cron Expression tab.
  8. Click Create Connection.
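The following is an added example, not Tanium Connect code or the VirusTotal API client: it models the selection rules documented above (the VirusTotal Output setting in Table 1, the Positive Threshold, the once-only processing of a hash on a connection from the Overview, and the one-destination-per-hash-type rule for the reputation service) over constructed sample reports, so you can check how a given setting and threshold would behave before pointing a connection at a SIEM. The report structure, hash values and engine counts are invented for the example; the assumption is that VirusTotal reports a file as either never scanned or scanned with some number of engines flagging it.

```python
"""Added example (not Tanium Connect code): a model of the documented
VirusTotal Output setting, Positive Threshold and once-only processing
rules, run over constructed sample reports so it works offline."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class VtReport:
    """Stand-in for a VirusTotal file report (constructed shape, not the API's).
    known=False means VirusTotal has never scanned the file, so positives and
    total carry no information and are left at 0."""
    file_hash: str
    known: bool
    positives: int = 0
    total: int = 0


def matches(report: VtReport, setting: str, threshold: int = 0) -> bool:
    """Apply the VirusTotal Output setting (All/Negative/Positive/Unknown).

    threshold is the Positive Threshold: the number of engines that must
    flag the hash for it to count as Positive. 0 disables it, so a single
    engine report is enough."""
    if setting == "All":
        return True
    if setting == "Unknown":
        return not report.known
    if not report.known:            # Negative and Positive need a scanned file
        return False
    if setting == "Negative":
        return report.positives == 0
    if setting == "Positive":
        needed = threshold if threshold > 0 else 1
        return report.positives >= needed
    raise ValueError(f"unsupported VirusTotal Output setting: {setting!r}")


class Connection:
    """One Connect connection with a VirusTotal source.

    A hash is remembered after its first run, matched or not, so later runs
    never re-send it even if its report changes (the documented behaviour)."""

    def __init__(self, setting: str, threshold: int = 0) -> None:
        self.setting = setting
        self.threshold = threshold
        self.seen: set = set()

    def run(self, reports: Iterable[VtReport]) -> List[VtReport]:
        sent = []
        for report in reports:
            if report.file_hash in self.seen:
                continue                  # processed on an earlier run: skip
            self.seen.add(report.file_hash)
            if matches(report, self.setting, self.threshold):
                sent.append(report)
        return sent


# Hex length identifies the hash type a reputation destination is configured for.
_HASH_KINDS = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def split_by_hash_field(hashes: Iterable[str]) -> Dict[str, List[str]]:
    """Group hashes by type, one group per reputation service destination,
    since each destination accepts a single Hash Field value."""
    groups: Dict[str, List[str]] = {}
    for h in hashes:
        if not re.fullmatch(r"[0-9a-fA-F]+", h) or len(h) not in _HASH_KINDS:
            raise ValueError(f"not a supported hash: {h!r}")
        groups.setdefault(_HASH_KINDS[len(h)], []).append(h.lower())
    return groups


# Constructed sample data: fake MD5-length hashes and invented engine counts.
CLEAN, FEW, MANY, NEVER = "a" * 32, "b" * 32, "c" * 32, "d" * 32
SAMPLE_REPORTS = [
    VtReport(CLEAN, known=True, positives=0, total=70),
    VtReport(FEW, known=True, positives=2, total=70),
    VtReport(MANY, known=True, positives=12, total=70),
    VtReport(NEVER, known=False),
]


def run_examples() -> Dict[str, List[str]]:
    """Run each output setting over the sample and return the hashes sent."""
    results = {}
    for label, conn in (
        ("All", Connection("All")),
        ("Negative", Connection("Negative")),
        ("Positive, threshold 0", Connection("Positive")),
        ("Positive, threshold 3", Connection("Positive", threshold=3)),
        ("Unknown", Connection("Unknown")),
    ):
        results[label] = [r.file_hash for r in conn.run(SAMPLE_REPORTS)]
        # A second run of the same connection sends nothing: hashes are once-only.
        assert conn.run(SAMPLE_REPORTS) == []
    return results


if __name__ == "__main__":
    for label, sent in run_examples().items():
        print(f"{label:22} -> {len(sent)} sent: {[h[:8] for h in sent]}")
```

With the sample above, Positive at threshold 3 sends only the hash flagged by 12 engines, while Positive at threshold 0 also sends the hash flagged by 2 engines; that difference is the false-positive trade-off the threshold controls. Because the connection remembers every hash it has seen, raising the threshold later does not cause hashes already processed at a lower threshold to be re-evaluated, which is why the Overview points to a repeating Detect scan for hashes you want checked again.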

Save and verify connection

  1. Click Create Connection > Create. When the connection gets created, your new connection displays in the list on the Connections page.
  2. To view details about when the connection is running, click the name of the connection. On the resulting connection details page, click the Runs tab.
  3. To view individual run logs, click the link in the Status column in the Runs table.

Last updated: 8/14/2018 1:34 PM