cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
McAfee Employee blitz
McAfee Employee
Report Inappropriate Content
Message 1 of 53

Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

NB: This is a free tool and it is not supported by McAfee / Intel Security.

What is it?

A python script used to convict files automatically based on VirusTotal results.

How does it work?

When a file is executed on an endpoint with the TIE/DXL modules, a determination on the reputation is established. An event is generated and sent to ePO, based on that, we launch an "Automatic Response" that will execute a python script that will query VirusTotal for the SHA1 hash of the file in question. Based on the results (ie. number of vendors that found the file malicious) and do any of the major vendors find this file malicious (Trend, Symantec, Sophos, Kaspersky), the reputation of the file is changed and, because the change of reputation is sent thru the DXL, the file is removed from the endpoint. Also, if the file was running at the time, the process is killed. An "Issue" is also created in ePO with the details on the file (name, hash, percentage of vendors that found the file malicious etc.)

Things to know about VirusTotal

In order to use this script, you need to get an API key. Note that the "free" API limits you to 4 requests per minute. If you need more, you would need to purchase a Private API from them. Contact them for prices.

How to install

  • Download the "Python Remote Client" from the Software Manager in ePO.

1.png

  • Extract it and copy the folder "Python27" in the c: drive of the ePO server.
  • Copy "convicter.py" (found below) in that folder. You need to enter the ePO admin/password and your API key in the the script. Look for "Fill these in".
  • Register "c:\python27\python.exe" as a "Registered Executables". NB: You have to do this on the ePO server itself or else the option is grayed out. This is for security reasons.

2.png

  • Create an "Automatic Response" as follows and choose to "Trigger this response on every event":

5.png

  • You can choose the appropriate group or subgroup that is pertinent to you.

4.png

3.png

  • Make sure that {targetFileName} in enclosed in "". This is to ensure that filenames with path and space will be handled correctly (ie. c:\program files\directory 1\filename.exe)
  • 40 represents the percent you would want to convict at, given the VirusTotal results. This is the "Detection Ratio" on VirusTotal.
    • For example, the VirusTotal percent below would be %43.86(25/57), which is higher then the 40 specified in the arguments, so this part would be true.
    • Minimum value is 1 maximum is 100.
  • 2 represents the number of major AV vendors (Trend, Symantec, Sophos, Kaspersky) that would have to detect this file also in order to change the file's reputation.
    • minimum value is 0 and maximum is 4
  • Both arguments have to be true (equal or higher) in order for the file reputation change to occur. So if 3 major AV vendors found the sample to be malicious and you had set the threshold to 2, then it would considered to be true.

6.png

  • An "Issue" is also created in ePO to see the action taken (or not) on files. There's also a "log.txt" file created in the python directory on the ePO server.

7.png

Things to know about Convicter

  • Only works if there's an event generated by TIE and sent to ePO, otherwise, the "Automatic Responses" cannot by triggered.
    • The best way to do this is to "prompt" the user on what to do when an "Unknown" file is executed. This is under the "TIE Module for VSE" policy under "End User Prompting". This however is not the default configuration.
  • Have done some testing (with version 1.0 of TIE/DXL) on it with different scenarios/files but please report bugs/others here so I can correct them.
    • The testing was done in my small environment, so, given the limitation of the "free" VirusTotal API (4 requests per minute), your mileage may vary. Good to keep that in mid.
  • If errors occurs or the script does not appear to be working, please look at the "log.txt" file in the "c:\python27" directory. It will give you information on what went wrong (ie not enough arguments, arguments out of range, VirusTotal not reachable etc..).

Video

Quick video to demo it.


Have fun.

Regards,

JL Denis

52 Replies
Reliable Contributor catdaddy
Reliable Contributor
Report Inappropriate Content
Message 2 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

,

             Quite interesting, thank you for the information. It would be nice if we had something similar for the Consumer side of the Equation.

Regards,

Catdaddy

McAfee Community Moderator

Consumer Products

Cliff
McAfee Volunteer
McAfee Employee blitz
McAfee Employee
Report Inappropriate Content
Message 3 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

1.0.1 - Updated script to include variables for ePO IP address and port.

1.0.2 - Updated script to sort the last occurence of a detection and fixed the display of text in "Issues".

1.0.3 - Updated script to fix an issue with files that had a "Known Malicious", "Known Clean" and "Known Clean Updater" reputation.

Reliable Contributor Troja
Reliable Contributor
Report Inappropriate Content
Message 4 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi,

what is the easiest way to test?? Is it possible to set a file as "might be malicious"?

I´m aksing, because my question is, how can i test the configuration without executing any malware?

The script is not working in my environment.

1) i see the threat event from my endpoint.

TIE_1.PNG

2) Automatic Response is triggered (server task log)

TIE_2.PNG

3) File is listed under Tie Reputations

TIE_3.PNG
The virustoal query is working fine. Changing the reputation level to block a file on the endpoint works fine.

4) Changed the values in the automatic response to a minimum.

TIE_4.PNG
tested with several different values. The tested file is know by virustotal.

My problem is:

There is no issue generated in EPO

The Comment is not added to the file under TIE Reputation

My Test Environment

EPO 5.1.1 with HF1 and Hotfixes

Agent 5.0

DXL 1.0.1.152

TIE 1.0.1.150

Do you have any idea?

Cheers

Reliable Contributor Troja
Reliable Contributor
Report Inappropriate Content
Message 5 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Additional testing: Did a wireshark trace. I see no request to internet.

Cheers

McAfee Employee blitz
McAfee Employee
Report Inappropriate Content
Message 6 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

You should have a "log.txt" in your Python27 directory, do you see any errors? Also, i just posted a new version (1.0.3) to fix another issue, you might want to try that one,

Also, the easiest way to safely test it is with the "Artemis-High.exe" test files located here [Green] https://mcafee.box.com/s/60jmaj44ljgqmf6wcang and posted by my collegue Sven Welschen.

Typically, you will have the Artemis level set to "Medium" so it will not be triggered by VSE.

Let me know how it works out for you.

Regards,

JL

Reliable Contributor Troja
Reliable Contributor
Report Inappropriate Content
Message 7 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Oh noooooo, what a shame! *lol*
Wrong password in the registered executable registration!!!!! Now it works, it works great!

For testing i disabled Artemis and removed any Signature from the Repository. This means, VSE uses the DATs from its installation package. We are testing in this way, because ATD is available and configured. This shows us how powerful ATD is.
Additional to the ATD reputation we added convicter script to this EPO environment.

From my side, one of the top benefits is, any file hash is queried to TIE. If you do not use TIE, VSE does not always triggers an GTI request. If a bad file is somewhere located on the disk, GTI is not queried. If you copy this file to the system32 folder GTI will be queried. We opened a service request, because customer was wondering why a known file was not removed.

This disadvantage is resolved with TIE/DXL.

At the moment we are testing with real Malware, what happens with different McAfee products installed. HIPS, Application Control and so on. Also remote infections. We added McAfee Raptor to the testing environment.

BUT, this script, to connectivity to virustotal is real cool!

Best,

Thorsten

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Great work!

Will this process supersede/replace existing enterprise reputations?

Reliable Contributor Troja
Reliable Contributor
Report Inappropriate Content
Message 9 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi,

yes, this is the main goal of the convicter script. At the moment there is only one "field" where an administrator can change the reputation manually. This is the Enterprise Reputation Field.

The script changes this value, adds an issue and an information to the file in "TIE reputations". You can change the script in which way the reputation should be changed. This means setting the value to "might be malicious" only to block a file, not to remove it.

Let´s see which 3rd party information will be added in the future.

Cheers

Reliable Contributor Troja
Reliable Contributor
Report Inappropriate Content
Message 10 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi,

sometimes it is useful or necessary to use a proxy system. I changed the script using my MWG to connect to virustotal.com

def Connect_to_VirusTotal(sha1):

proxy = urllib2.ProxyHandler({'http': '10.x.x.x:9090', 'https': '10.x.x.x:9090'})

opener = urllib2.build_opener(proxy)

urllib2.install_opener(opener)

url = "https://www.virustotal.com/vtapi/v2/file/report" # Set the URL to query VirusTotal

parameters = {"resource": sha1, "apikey": VT_API_Key}

data = urllib.urlencode(parameters)

req = urllib2.Request(url, data)

response = urllib2.urlopen(req)

report = response.read()

Results_VT = json.loads(report)  

Just add the red lines.

Cheers

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community