Open SAIKATDASGITHUB opened 1 year ago
Hello, this is working here. Could you check you are using the last version of the code or the last image of the analyzer ?
Hi @jeromeleonard
Thanks for your response. We have replaced the virustotal.py file with the latest file available on GitHub and it is now working.
However, the scan result is not always the same. At one moment we get the result and at another it shows an error. The error is not constant. For this URL, one moment it shows a Not found error and the next moment it shows the actual result.
After a few tries, here is the result for the same URL. We noticed this happens when we try to scan multiple URLs through the API. Here TheHive parses the email using the Cortex EML parser and adds the URLs as observables. When the email contains many URLs, many URLs are added as observables. When we use TheHive's execute analyzer to analyze the URLs with Cortex VirusTotal, it scans the first URL and for the other URLs it shows an error. We noticed that once the error starts, it stays for both the API and direct analysis from Cortex for the same URL. If we scan a completely new URL, it shows the correct result.
Hi @To-om @jeromeleonard
Is there any way that we can scan all URLs simultaneously? We feel the error is coming because TheHive is sending all the URLs to the Cortex VirusTotal analyzer together. We have noticed that if the email has 8 URLs, after TheHive sends the URLs as observables to Cortex VirusTotal, VirusTotal scans the first URL and for all other URLs it shows NotFoundError. If we scan those failed URLs directly in Cortex, we get the result.
Hello @SAIKATDASGITHUB,
This behaviour could be due to the limitations that come with the VT API. Are you using a premium account for VT or a basic one? With the basic one, you have limitations on the number and frequency of requests.
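As an added illustration of the point above (my own code, not part of Cortex-Analyzers or this thread): a client that throttles VirusTotal v3 URL-report lookups and keeps a NotFoundError (no report exists for the URL) separate from a QuotaExceededError (rate limit hit, retry later), so a burst of observables does not turn quota errors into false "not found" results. The `fetch` callback, the throttle limits and the sample responses are assumptions constructed for the example.

```python
import base64, json, time
from collections import deque

def vt_url_id(url):
    """VT v3 looks a URL up at /api/v3/urls/{id}: id = unpadded base64url of the URL."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")

def classify_vt_response(status, body):
    """Map one GET /urls/{id} reply (HTTP status, JSON body) to an outcome."""
    if status == 200:
        return "found"
    try:
        code = json.loads(body).get("error", {}).get("code", "")
    except (ValueError, AttributeError):
        code = ""
    if status == 404 or code == "NotFoundError":
        return "not_found"     # VT holds no report for this URL: a genuine answer
    if status == 429 or code == "QuotaExceededError":
        return "rate_limited"  # quota exhausted: back off and retry, not a finding
    return "error"

class RequestThrottle:
    """Sliding window: at most `limit` requests per `window` seconds (clock/sleep injectable)."""
    def __init__(self, limit, window, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window, self.clock, self.sleep = limit, window, clock, sleep
        self.sent = deque()
    def wait(self):
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        slept = 0.0
        if len(self.sent) >= self.limit:
            slept = max(0.0, self.window - (now - self.sent[0]))
            self.sleep(slept)
            self.sent.popleft()
        self.sent.append(self.clock())
        return slept

def lookup_all(urls, fetch, throttle, max_retries=3):
    """fetch(url_id) -> (status, body), e.g. an HTTP GET. Retries only when rate limited."""
    results = {}
    for url in urls:
        for _ in range(max_retries + 1):
            throttle.wait()
            outcome = classify_vt_response(*fetch(vt_url_id(url)))
            if outcome != "rate_limited":
                break
        results[url] = outcome
    return results
```

For a basic VT key, `RequestThrottle(4, 60)` matches the public per-minute quota; a premium key can use its own limit.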
Description
In Cortex, when we run a new analysis with VirusTotal GetReport 3.1 we do not get the report. Other analyzers (OTX Query, EML Parser 2.1) run perfectly. We are using a premium VirusTotal key and are behind a proxy.
Analyzer settings:
polling_interval - 1
rescan_hash_older_than_days - 30
highlighted_antivirus - Empty
download_sample - False
download_sample_if_highlighted - False
Enable TLP check - False
Enable PAP check - False
CA Certs - Empty
Job cache - 10
Job timeout - 30
Extract observables - False
Rate Limiting - Empty
Steps to Reproduce
1. In Cortex, click New Analysis.
2. Add an IP or URL observable and select VirusTotal GetReport 3.1.
3. Run the analysis.
Complementary information