Hi,

i saw this behavior if the used user for the registered executable is not allowed to "run as a Batch Job".

- Python27.exe was executed

- Python27 crashed

- Therefore no LOG file

- In this case there is no error in the EPO GUI visible.

Check your Windows LOGs if there is any Trouble with the python27.exe.

Cheers

Any update on

Sean Slattery     Aug 25, 2015 10:22 PM  (in response to JL Denis)      

Has this been tested with ePO 5.3? I'm seeing different variables {listOfAgentGUID} and {listOfTargetFileName} in lieu of the suggested {agentGUID} and {targetFileName} used in the Automated Response wizard.

Also please confirm in convicter.py file, if the username, password and VT API key values should be enclosed in double quotes "" and if the server IP address and port should be enclosed in single quotes ''.

Across four different ePO 5.3 systems, I am seeing the response trigger in the ePO server event log and email alerts, but no Python log.txt file created or increase in the VT API usage counters.

Thank you in advance.

I also would like to see official support for the VT Convicter. But as for a VT license, I don't see that working because the VT API key is licensed based upon lookup rate. Every organization will have different lookup rates regardless of size or number of TIE licenses.

Hi ,

i think there will not be any support for the VT Convicter Script. It is an example how Python can be used to add 3rd Party Information to TIE. So feel free to change the script, add functionality or other sources.

We designed a service for customers to query our server. This server queries other "information repositories" additional to VT. Also the customer is able wo weight any AV vendor. All this information is than used to calculate a reputation score. 🙂

VT: Yes, if you want to query more than 4 hashes per minute you need another VT license. We also covered this with our VT service.

Cheers

Hi,

Any way I can query files with "unknown" reputation? The ones that don't trigger the TIE rules? Right now it seems you're limited only to files which generate threat events...

Thanks,

George

The "Automatic Response" is based on an event received from the client, so unfortunately, if there's no event, we cannot trigger a lookup to VT.

Regards,

JL Denis

Hi,

you can do the following.

- Set tie TIE Module to Observation Mode.

- Block any file which is unknown.

Now for any unknown executed file a TIE/Suspect Event is generated and you can query virustotal.

But, this should only be used on specific clients.

Cheers