VirusTotal.com Integration

There are several areas of d7x which can query and upload files to VirusTotal.com.

Applicable areas are the d7x Examine File window, available either through d7x Shell Extensions for Windows Explorer, through either KillEmAll or KillEmAll GUI, or through d7x Malware Search Tool.  Additionally, KillEmAll (the new console edition) now has direct integration to query/upload files to VirusTotal.

Configuration:

This ability requires you to bring your own VirusTotal API key, learn how to obtain one here (you simply register for an account with the VirusTotal Community, and the key is then available in your newly registered account, find it from the drop-down menu under your username.)

Currently, there are TWO places you should enter your VirusTotal API key for all functionality:

1. Configure in d7x on the d7x Config > Admin tab (note this config location is subject to change in the future.)
2. Configure in KillEmAll by running it and pressing “C” for the configuration, and then enter your API key into the correct field at the bottom.  (A separate KillEmAll configuration was desired as this app can be run as a stand-alone product.)

How it works:

• VirusTotal is queried with the file hash to determine if the file has been uploaded/scanned previously.
• If the file has previously been scanned, the results are displayed immediately.
• If the file is unknown, it will be uploaded to VirusTotal at this time.
• When a file is uploaded, it will be queued for scan and it may take several minutes before the file is scanned, therefore d7x (and KillEmAll) will not wait on the results.
• In this case, you can simply use the VirusTotal functionality a second time (after a few minutes have elapsed) to retrieve the results.

What if I don’t enter an API key:

If you do not enter a VirusTotal API key, KillEmAll cannot query VirusTotal at all, and the d7x Examine File window will instead use Sysinternals sigcheck.exe for the initial VirusTotal query, but it will not upload if the file is unrecognized, and additionaly subsequent queries from the drop-down menu at the top of the d7x Example File prompt will not function without the API key.

Previously, the d7x Examine File prompt used Sysinternals sigcheck.exe for all VirusTotal queries, but that comes with some limitations and the result for whatever reason in some cases has not lined up with the actual VirusTotal result if you were to actually visit the website, and in other cases sigcheck has been known to fail in the process of obtaining the result.

With d7x and KillEmAll internal VirusTotal code and your own API key, the functionality is consistent, and the result is accurate.