
VTReportObject Raising Error if Hash not Previously Seen

Open kevin3567 opened this issue 3 years ago • 3 comments

Hi, When querying for a VirusTotal Report with the line:

VTReportObject(apikey=vt_apikey, indicator=file_md5)

I have noticed that if the indicator input (file_md5) has no matches found on VirusTotal, then the line will raise the exception:

pymisp.exceptions.InvalidMISPObject: [this is the file_md5 hash]: The requested resource is not among the finished, queued or pending scans

I am wondering:

  1. Is it possible for the VTReportObject to nevertheless return some kind of report (stating that the indicator has no match on VirusTotal), such that my program does not break at that particular line due to the exception raised?

  2. In the case that the file has never been scanned by VirusTotal, is there a way to "upload" the file directly (as bytes?) through PyMISP for direct analysis by the vendor analyzers in VirusTotal?

Thanks

kevin3567 avatar Jun 04 '21 22:06 kevin3567

Hi,

PyMISP returns an exception there because there is no information available for that hash, and it is left to the user to decide what to do. In your case, I'd suggest adding a try/except clause on InvalidMISPObject and logging the missing hashes if you want to do something about it later on. I do not want to add posting (and waiting until the report is done) directly in this class: it will cause the code to wait for potentially a very long time and is going to be very confusing.

My recommendation in your case is to log the missing hashes and have another process submitting the binaries to VT. That process will be responsible for making sure the report is created, and for managing the limitations of the API key on the VT side (careful, it's easy to blow up your monthly quota). When this process confirms the report exists, re-trigger the creation of the VTReportObject.

Rafiot avatar Jun 04 '21 22:06 Rafiot

Hi,

After further implementing code to run VT over a folder of files (one report per file), I have noticed that for certain hash values the VTReportObject will not generate even though VirusTotal has already encountered the hash. For example, given the malware sha256 hash afa0fe45da4d59b0c737a1ab23972afb902438e4d1c782123fc91a513aae896d, I can find a report on the webpage https://www.virustotal.com/gui/file/afa0fe45da4d59b0c737a1ab23972afb902438e4d1c782123fc91a513aae896d/detection.

However, when I try to generate a VTReportObject by

VTReportObject(apikey=vt_apikey, indicator="afa0fe45da4d59b0c737a1ab23972afb902438e4d1c782123fc91a513aae896d")

I receive the error:

{JSONDecodeError}Expecting value: line 1 column 1 (char 0)

I have further noticed that this error is encountered intermittently, as sometimes a proper report is generated. Nevertheless, about 80% of the time I will encounter this error.

Thus I have the following questions:

  1. What might be some causes of this intermittent error?
  2. To ensure that the input argument is correct, what type of values should be given to the indicator for VTReportObject (such as md5, sha1, sha256 of the file)?
  3. Is a time delay necessary when generating VT reports over multiple files? I have noticed when running VTReportObject with significant delay between each run, the chance of proper report generation increases.

kevin3567 avatar Jun 07 '21 23:06 kevin3567

  1. The error is because you reached the threshold of requests/min: it is 4/min with a public API key (https://developers.virustotal.com/v3.0/reference). They return an empty response when you reach that threshold.
  2. You can submit a URL, or a hash (md5, sha1, sha256).
  3. You need to add a wait time of 60s after you do 4 requests. And be careful, you also have a limit of 500 requests/day.

Rafiot avatar Jun 07 '21 23:06 Rafiot
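The approach both replies describe (catch InvalidMISPObject, log the missing hash for a separate submission process, and pace requests at 4/min and 500/day, retrying once after the empty response that surfaces as a JSONDecodeError) as an added example; this is not code from PyMISP or from the thread participants. It assumes the report builder is injected as `build`, so the real call would be `functools.partial(VTReportObject, apikey=vt_apikey)`, and it defines a stand-in `InvalidMISPObject` only when pymisp is not installed.

```python
import logging
import time
from typing import Callable, Dict, Iterable, List, Tuple

try:
    from pymisp.exceptions import InvalidMISPObject
except ImportError:  # assumption: pymisp absent, stand-in keeps the example runnable offline
    class InvalidMISPObject(Exception):
        pass

log = logging.getLogger("vt_batch")


def fetch_vt_reports(hashes: Iterable[str], build: Callable[..., object], *,
                     per_minute: int = 4, per_day: int = 500,
                     sleep: Callable[[float], None] = time.sleep,
                     ) -> Tuple[Dict[str, object], List[str], List[str]]:
    """Build one report per hash while staying inside the public-key quota.

    build(indicator=...) is expected to behave like VTReportObject: raise
    InvalidMISPObject when VT has never seen the hash, and raise a
    JSONDecodeError (a ValueError subclass) on the empty body VT returns once
    the per-minute threshold is hit. A second throttled response propagates.
    Returns (reports, missing, unprocessed).
    """
    reports: Dict[str, object] = {}
    missing: List[str] = []      # log these; submit the binaries from another process
    unprocessed: List[str] = []  # daily budget exhausted before reaching them
    calls = 0

    def call(h: str) -> object:
        nonlocal calls
        if calls and calls % per_minute == 0:
            sleep(60)  # a burst of per_minute requests is done: wait out the window
        calls += 1
        return build(indicator=h)

    for h in hashes:
        if calls >= per_day:
            unprocessed.append(h)
            continue
        try:
            try:
                reports[h] = call(h)
            except ValueError:
                sleep(60)  # empty response means throttled: wait a full window, retry once
                reports[h] = call(h)
        except InvalidMISPObject:
            log.warning("no VirusTotal report for %s", h)
            missing.append(h)
    return reports, missing, unprocessed
```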