Integrate Virustotal.com API for scanning
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Open AS Communication Gateway | Won't Fix | Wishlist | Unassigned | 
Bug Description
Basically the idea is to integrate the virustotal.com API as an optional module into the final release.
This will not be a replacement for a local scanning engine, but in fact it could give good or even better scan-time results for known viruses and threats. Imagine VT already has a scan of a particular file archived: at most it takes a few seconds to query a file's hash via the API, where scanning (and even unpacking) on the local hardware would be a bit more time-consuming.
There should be different modes and configuration options available, for example:
1) Hash scanning: generates a hash of every incoming attachment and checks whether the file is already known at VT or not
2) Hash + file scanning: same as 1), and if the hash is not already known, upload the file to VT for scanning (slower but pretty good scan results)
Currently the VirusTotal public API is officially limited to 4 API requests per minute.
Related documents and information:
https:/
https:/
http://
Changed in open-as-cgw:
importance: Undecided → Wishlist
description: updated
description: updated
description: updated
description: updated
Changed in open-as-cgw:
status: New → Won't Fix
Generally speaking, this idea is nice. However, just a few thoughts:
(1) 4 API calls/minute won't suffice even for moderately sized installations. When the time has finally come, we may contact the VT team for accessing the "private API" (see https://www.virustotal.com/en/faq/#difference-private-api)
(2) Entire files uploaded to VT may not be private anymore. I have uploaded files to VT during penetration tests, including files containing code to back-connect to my host if executed; if you do this, you're going to experience dozens of back-connects even days after uploading, from IPs all around the world. That's hardly what I would like to see in sensitive/corporate/etc. attachments. Non-geeks still don't use crypto these days.
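An added example (not part of the bug report or of the open-as-cgw code) sketching the two modes from the description together with the 4-requests-per-minute budget and the upload concern raised in the comment: hash-only lookup is the default, uploading is opt-in, and an exhausted budget falls back to the local engine instead of stalling mail. The `lookup` and `upload` callbacks are assumed stand-ins for the real VirusTotal calls.

```python
import hashlib
import time
from collections import deque
from typing import Callable, Optional


class RateLimiter:
    """Sliding-window budget: at most `limit` calls per `window` seconds.

    Defaults match the public-API figure from the report (4 requests/minute).
    `clock` is injectable so the limiter can be exercised without waiting."""

    def __init__(self, limit: int = 4, window: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls: deque = deque()

    def try_acquire(self) -> bool:
        now = self.clock()
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()
        if len(self.calls) >= self.limit:
            return False  # budget spent: caller falls back to the local engine, mail is never blocked
        self.calls.append(now)
        return True


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_attachment(data: bytes, lookup: Callable[[str], Optional[int]],
                     limiter: RateLimiter, allow_upload: bool = False,
                     upload: Optional[Callable[[bytes], int]] = None) -> dict:
    """Mode 1 (hash only) unless `allow_upload` is set, which enables mode 2.

    `lookup(sha256)` and `upload(data)` are assumed stand-ins for the real
    VirusTotal calls; both return the number of engines flagging the file,
    and `lookup` returns None when VT has never seen that hash."""
    digest = sha256_of(data)
    if not limiter.try_acquire():
        return {"sha256": digest, "verdict": "local-scan", "reason": "vt-rate-limit"}
    hits = lookup(digest)  # only the hash leaves the gateway
    if hits is not None:
        return {"sha256": digest, "verdict": "malicious" if hits else "clean", "reason": "vt-hash"}
    if allow_upload and upload is not None and limiter.try_acquire():
        hits = upload(data)  # the file itself becomes visible to other VT users (the comment's point 2)
        return {"sha256": digest, "verdict": "malicious" if hits else "clean", "reason": "vt-upload"}
    return {"sha256": digest, "verdict": "local-scan", "reason": "vt-unknown"}
```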