Integrate Virustotal.com API for scanning

Bug #1382728 reported by X1D32G2pEQ
Affects: Open AS Communication Gateway
Status: Won't Fix
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Basically the idea is to integrate the virustotal.com API as an optional module into the final release.

This will not be a replacement for a local scanning engine, but in fact it could give good or even better scan-time results for known viruses and threats. Imagine VT already has a scan of a particular file archived: at most it takes a few seconds to query a file's hash via the API, whereas scanning (and even unpacking) on the local hardware would be a bit more time-consuming.

There should be different modes and configuration options available, for example:

1) Hash scanning: generates a hash of every incoming attachment and checks whether the file is already known at VT or not

2) Hash + File scanning: same as 1), and if the hash is not already known, upload the file to VT for scanning (slower, but pretty good scan results)

Currently the VirusTotal public API is officially limited to 4 API requests per minute.

Related documents and information:

https://www.virustotal.com/de/about/
https://www.virustotal.com/de/documentation/public-api/
http://www.sorbs.net/home/VirusTotal.pm
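The two modes sketched above, worked through as an added example in Python; this is not code from the bug report or from the Open AS Communication Gateway project. The v2 file/report endpoint, its apikey/resource parameters, the response_code values (0 unknown, 1 report present, -2 queued) and the HTTP 204 quota answer are those of the public API documentation linked above; the 4-requests-per-minute window is the figure from the description. The function names, the "one positive engine is malicious" threshold, the fake lookup/submit transport and the two-attachment sample message are assumptions constructed for the demo so that it runs offline.

```python
import email
import hashlib
import json
import time
import urllib.parse
import urllib.request
from email import policy
from email.message import EmailMessage
from typing import Callable, Dict, Iterator, List, Tuple

# VirusTotal public API v2 file/report endpoint and the quota quoted in the description.
VT_FILE_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
PUBLIC_API_REQUESTS_PER_MINUTE = 4

def sha256_of(data: bytes) -> str:
    """VT accepts an MD5, SHA-1 or SHA-256 digest as the 'resource' to look up."""
    return hashlib.sha256(data).hexdigest()

def iter_attachments(raw_message: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (filename, decoded payload) for every attachment part of a message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            yield part.get_filename() or "unnamed", part.get_payload(decode=True)

class RateLimiter:
    """Sliding 60 s window sized to the public quota; clock and sleep are injectable for tests."""
    def __init__(self, per_minute=PUBLIC_API_REQUESTS_PER_MINUTE, clock=time.monotonic, sleep=time.sleep):
        self.per_minute, self.clock, self.sleep = per_minute, clock, sleep
        self.stamps: List[float] = []

    def wait_time(self) -> float:
        """Seconds until another request fits into the window (0.0 if it fits now)."""
        now = self.clock()
        self.stamps = [t for t in self.stamps if now - t < 60.0]
        if len(self.stamps) < self.per_minute:
            return 0.0
        return 60.0 - (now - self.stamps[0])

    def throttle(self) -> None:
        """Block until a request is allowed, then account for it."""
        delay = self.wait_time()
        if delay > 0:
            self.sleep(delay)
        self.stamps.append(self.clock())

def interpret_report(report: Dict, positive_threshold: int = 1) -> str:
    """Map a v2 file/report body to a verdict: response_code 0 = hash unknown to VT,
    1 = report present (positives / total engines), -2 = still queued. The threshold is ours."""
    code = report.get("response_code")
    if code == 0:
        return "unknown"
    if code == -2:
        return "queued"
    if code == 1:
        return "malicious" if report.get("positives", 0) >= positive_threshold else "clean"
    raise ValueError(f"unexpected response_code {code!r}")

def make_vt_lookup(api_key: str) -> Callable[[str], Dict]:
    """Real mode-1 transport over urllib (not exercised in the offline demo below).
    VT answers HTTP 204 with an empty body once the public quota is exceeded."""
    def lookup(resource: str) -> Dict:
        body = urllib.parse.urlencode({"apikey": api_key, "resource": resource}).encode()
        with urllib.request.urlopen(VT_FILE_REPORT_URL, data=body, timeout=30) as resp:
            if resp.status == 204:
                raise RuntimeError("VT public API quota exceeded")
            return json.load(resp)
    return lookup

def scan_message(raw_message: bytes, mode: int, lookup, submit, limiter: RateLimiter) -> List[Tuple[str, str]]:
    """Mode 1: hash lookup only. Mode 2: hash lookup, then upload when VT does not know the hash."""
    results = []
    for name, data in iter_attachments(raw_message):
        limiter.throttle()
        verdict = interpret_report(lookup(sha256_of(data)))
        if verdict == "unknown" and mode == 2:
            limiter.throttle()            # the upload is a second request against the quota
            submit(data)
            verdict = "submitted"
        results.append((name, verdict))
    return results

# Constructed offline demo: a two-attachment message and a fake VT that answers from a dict.
EXE_BYTES = b"MZ\x90\x00" + b"\x00" * 28      # constructed stub, not a real executable
TXT_BYTES = b"meeting notes\n"
FAKE_VT_DB = {sha256_of(EXE_BYTES): {"response_code": 1, "positives": 23, "total": 57}}
SUBMITTED: List[str] = []                     # hashes the fake upload path received

def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "files"
    msg.set_content("see attachments")
    msg.add_attachment(TXT_BYTES, maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(EXE_BYTES, maintype="application", subtype="octet-stream", filename="setup.exe")
    return bytes(msg)

def fake_lookup(resource: str) -> Dict:
    return FAKE_VT_DB.get(resource, {"response_code": 0, "verbose_msg": "not present"})

def fake_submit(data: bytes) -> None:
    SUBMITTED.append(sha256_of(data))

if __name__ == "__main__":
    raw = build_sample_message()
    print("mode 1:", scan_message(raw, 1, fake_lookup, fake_submit, RateLimiter()))
    print("mode 2:", scan_message(raw, 2, fake_lookup, fake_submit, RateLimiter()))
```

Swapping `fake_lookup` for `make_vt_lookup(api_key)` gives the real mode-1 path. Note that the limiter counts the mode-2 upload as a second request, so with the public quota a single mail with three unknown attachments already consumes more than one minute of budget; that is the practical side of the 4 requests/minute figure.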

Tags: antivirus
Changed in open-as-cgw:
importance: Undecided → Wishlist
description: updated
Erik Sonnleitner (esonn) wrote :

Generally speaking, this idea is nice. However, just a few thoughts:

(1) 4 API calls/minute won't suffice even for moderately sized installations. When the time has finally come, we may contact the VT team for accessing the "private API" (see https://www.virustotal.com/en/faq/#difference-private-api)

(2) Entire files uploaded to VT may not be private anymore. I have uploaded files to VT during penetration tests, including files containing code to back-connect to my host if executed; if you do this, you're going to experience dozens of back-connects even days after uploading, from IPs all around the world - that's hardly what I would like to see in sensitive/corporate/etc. attachments. Non-geeks still don't use crypto these days.

X1D32G2pEQ (x1d32g2peq-deactivatedaccount) wrote :

Hello Erik,

thank you very much for your suggestions.

Yep, the lack of private file submission and back-connects at virustotal are definitely a negative aspect.

Another alternative that came to my mind is AV Comparatives (www.av-comparatives.org), an Innsbruck-based NPO. As far as I know their sample DB is much larger compared to VirusTotal, but they are not providing a public API yet. They most likely will not provide a scan API, but even a hash check API for their system would be more than enough. They actually do share samples and signatures with all big AV vendors and therefore always have fresh signatures and hashes of the most recent in-the-wild stuff.

I've actually had some mail exchange with the guys at AVC some weeks ago in order to schedule a visit at their labs. I'm going to ask them whether they would be willing to offer public API access at some point (or maybe just private access for our project).

In between we should really start a discussion about malware in mail exchange in general nowadays, since dropping all kinds of executable binaries, libraries and scripts by default is common practice now - thanks to amavis...

qr'.\(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|ops|pcd|pif|prg|reg|scr|sct|shb|shs|swf|vb|vbe|vbs|wmf|wsc|wsf|wsh)$'ix, # banned ext

What security issues do we have to deal with?

- Possibly weak applications and exposed vulnerabilities (PDF, MS Office, everything related to Windows...)
---> Local AV scanner / VT

- Malformed MIME headers and exploits, possible attack vectors on local mail clients
---> Amavis, Regex'in

- Embedded URLs in the mail body which lead to malicious content such as infected binaries, exploit kits, phishing pages
---> Amavis, Regex'in, VT URL submission, phishtank.com for phishing URLs, maybe also Anubis

- Password-protected archives possibly containing malicious binaries
---> Amavis + there should be an option in the GUI to quarantine them by default
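The banned-extension regex quoted in the comment above and its last bullet (password-protected archives), worked through as an added example in Python; this is neither the project's code nor amavis. The extension list is the one from the comment, ported from the Perl qr''ix to re.IGNORECASE. The password-protected check relies on the ZIP format's general-purpose flag bit 0, which marks an encrypted entry, and reads only the central directory, so nothing is extracted. Function names, the ban/quarantine/pass policy and the constructed sample archives are assumptions for the demo; since zipfile cannot write encrypted archives, the "encrypted" sample is a plain archive whose flag bits are patched by hand.

```python
import io
import re
import zipfile
from typing import List, Tuple

# The amavis $banned_filename_re entry quoted in the comment, ported to Python.
# qr'...'ix in amavis is case-insensitive; re.IGNORECASE gives the same behaviour here.
BANNED_EXT_RE = re.compile(
    r"\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|inf|ins|isp|js|jse|"
    r"lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|ops|pcd|pif|prg|reg|scr|sct|shb|shs|swf|"
    r"vb|vbe|vbs|wmf|wsc|wsf|wsh)$", re.IGNORECASE)

def banned_by_name(filename: str) -> bool:
    """True when the name ends in a banned extension (double extensions like x.pdf.exe included)."""
    return BANNED_EXT_RE.search(filename) is not None

def zip_has_encrypted_entry(data: bytes) -> bool:
    """Password-protected ZIP entries carry bit 0 of the general-purpose flag in their headers.
    Only the central directory is parsed; no entry is extracted, so this is safe on untrusted input."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(filename: str, data: bytes, quarantine_encrypted: bool = True) -> str:
    """Policy for one attachment: 'ban', 'quarantine' or 'pass' (names and policy are assumptions).
    Name check first (cheap), then the archive check; encrypted archives are quarantined rather
    than dropped because the AV engine cannot look inside them."""
    if banned_by_name(filename):
        return "ban"
    if data[:4] == b"PK\x03\x04" and zip_has_encrypted_entry(data):
        return "quarantine" if quarantine_encrypted else "pass"
    return "pass"

# Constructed samples -------------------------------------------------------------------------
def make_zip(entries: List[Tuple[str, bytes]], encrypted: bool = False) -> bytes:
    """Build an in-memory ZIP. For the 'encrypted' sample, set general-purpose flag bit 0 in every
    local header (offset 6) and central-directory header (offset 8) by hand; this only marks the
    entries as encrypted, nothing is actually encrypted (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + flag_off] |= 0x1      # little-endian flag word, bit 0 = encrypted
                pos = raw.find(sig, pos + 1)
    return bytes(raw)

if __name__ == "__main__":
    plain = make_zip([("readme.txt", b"hello")])
    locked = make_zip([("readme.txt", b"hello")], encrypted=True)
    for name, blob in (("invoice.PDF.exe", b"MZ"), ("docs.zip", plain), ("docs.zip", locked)):
        print(name, "->", classify_attachment(name, blob))
```

The ZIP check is deliberately format-level rather than "try to extract and catch the password error": it never touches entry data, so a crafted archive cannot trigger decompression on the gateway, and it catches the case amavis flags when it cannot scan an encrypted member.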

information type: Public → Public Security
Changed in open-as-cgw:
status: New → Won't Fix