Extend `antimalware` to use the VirusTotal API
Summary
This is a proposal to extend the AntiMalware cog to automatically submit file links and attachments to the VirusTotal API for testing.
https://developers.virustotal.com/reference/overview
The public API allows up to 500 requests per day, which, after excluding image links and possibly some additional whitelisted domains, would be fairly sufficient for use.
A new command could possibly also be implemented for directed scanning of URLs / file attachments.
Rationale
On more than a few occasions, members were able to post external links to actual malware files. In addition, the current file extension exclusion does not protect against binary text formats (such as .csv, which is also a binary format used by Microsoft Excel, and happens to also be a Discord-native preview format), possibly allowing remote deployment of malicious binaries without user interaction.
I am available to work on a PR for this if approved.
I’ve never had good experiences with VT; I’ve always had it flag everything as safe. Is there a specific instance/site this is trying to protect against which cannot be achieved with normal blacklists?
I think a few previous incidents involved Mediafire / custom file hosts, which were removed after some users submitted VirusTotal results. I'm not sure how much additional coverage there would be, but it would at least offer some additional protection.
This would also address the binary/text dual format preview vulnerability, as Discord CDN files offer a direct link that VirusTotal is able to download and analyze.
The alternative is blacklisting the .csv file format, but that might do more harm than good given its prevalence in data science and normal usage.
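
An added illustration of the pre-submission filter the proposal describes (not code from the bot or from VirusTotal): it skips image links and allowlisted hosts, de-duplicates links, and enforces the 500-request daily budget before computing the API v3 URL identifier. The allowlist entries, the `ScanBudget` and `select_for_scan` names and the sample message are assumptions, and no network request is made.

```python
import base64
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>]+")
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".webp")
ALLOWED_HOSTS = frozenset({"github.com", "docs.python.org"})  # assumed allowlist
DAILY_QUOTA = 500  # public API limit quoted in the proposal
# Constructed sample message, not taken from a real incident.
SAMPLE = ("see https://cdn.discordapp.com/attachments/1/2/report.csv and "
          "https://github.com/x/y plus https://files.example/cat.png, "
          "https://cdn.discordapp.com/attachments/1/2/report.csv")

def vt_url_id(url: str) -> str:
    """VirusTotal API v3 URL identifier: unpadded URL-safe base64 of the URL."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")

@dataclass
class ScanBudget:
    """Daily request counter that resets when the date changes."""
    day: date
    limit: int = DAILY_QUOTA
    used: int = 0

    def take(self, today: date) -> bool:
        if today != self.day:
            self.day, self.used = today, 0
        if self.used >= self.limit:
            return False
        self.used += 1
        return True

def select_for_scan(message, budget, today, seen):
    """Return VirusTotal URL ids for the links in `message` worth a request."""
    ids = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,)")  # drop trailing sentence punctuation
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # malformed link, nothing a scanner could fetch
        host = (parts.hostname or "").lower()
        # Exact host match, so github.com.evil.example is not trusted.
        if host in ALLOWED_HOSTS or parts.path.lower().endswith(IMAGE_EXTS):
            continue
        url_id = vt_url_id(url)
        if url_id in seen or not budget.take(today):
            continue  # already checked, or today's quota is spent
        seen.add(url_id)
        ids.append(url_id)
    return ids
```

Each returned id is the value that goes into a `GET /api/v3/urls/{id}` lookup; the extension check only saves quota and is not a safety verdict on the skipped links.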