fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Virustotal Integration #3870

Open GuillaumeRoss opened 2 years ago

GuillaumeRoss commented 2 years ago

Goal

TODO VirusTotal can provide valuable information around files, especially files that get executed. VirusTotal has a FREE API (can't be used in commercial products) and a paid API. Through the paid API, you can search, but you can also submit files, which is useful if VirusTotal had not seen them before. These types of services typically have information for multiple indicator-of-compromise types (URL, domain name, IP address, file hash, etc.), but in this ticket we focus on files and file hashes.

VirusTotal also has a search interface on their website, which you can throw many different searches at.

There are other similar providers, like Opswat, and other threat intelligence providers with similar data, like ReversingLabs, so I believe we should take the approach where:

  1. We could have basic VT integration in Fleet, without using the API (an easy way to go from a process list with sha256 to the VirusTotal search for it, for example). This would require no setup and no license, but has low value; you can do the same by installing the VT browser extension, and all you're saving is the time it takes to copy-paste a single hash and hit search.
  2. We should have a generic approach for integrating with external reputation services, and start with VirusTotal.

For #2, interesting features would be:

  1. Ability to see reputation information directly for a column in a table. For example, selecting processes with a h.sha256 column, and the ability to tag that column for VirusTotal lookup (or joining results with a virtual VirusTotal table?)
  2. Ability to build internal tables of files and caching, to create a policy checking any new executable with VirusTotal and alerting if the reputation is bad (configurable threshold).
  3. With carving, ability to, IF DOUBLE OPTED IN (i.e. the feature must first be enabled by an admin for an instance, and then, on each carve, specified to be performed), upload carved files to VirusTotal for analysis, and make results available. This could eventually allow (again, with very obvious opt-in) organizations to even enable auto-submission of new processes to VirusTotal.

If we decide to work on this, we should first define the complete UX of how people will use it both in the UI and at the API level.
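The two integration shapes sketched in the comment above (a hash-to-VT-search link with no API key, and an API-backed reputation lookup with a local cache and a configurable threshold) can be prototyped outside Fleet. The following is an added example, not Fleet's code or anything proposed in the issue. It assumes the VirusTotal API v3 report layout (`data.attributes.last_analysis_stats`) and the web UI URL scheme `https://www.virustotal.com/gui/file/<sha256>`; the `fetch` callable, `ReputationCache` and `Verdict` are hypothetical names introduced here, and the API response is constructed inline so the example runs offline.

```python
"""Added example (not Fleet's code): osquery sha256 -> VirusTotal lookup with
a local cache and a configurable detection threshold.

Assumptions not taken from the issue: VT API v3 report shape
(data.attributes.last_analysis_stats), the GUI URL scheme
https://www.virustotal.com/gui/file/<sha256>, and the hypothetical names
`fetch`, `ReputationCache` and `Verdict`.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Example osquery query producing the h.sha256 column the issue talks about.
PROCESS_HASH_QUERY = """
SELECT p.pid, p.path, h.sha256
FROM processes p
JOIN hash h ON h.path = p.path;
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256(value: str) -> str:
    """Validate before interpolating into a URL or API path: anything that is
    not exactly 64 hex characters is rejected instead of being passed along."""
    digest = value.strip().lower()
    if not SHA256_RE.fullmatch(digest):
        raise ValueError(f"not a sha256 hex digest: {value!r}")
    return digest


def vt_search_url(sha256: str) -> str:
    """Option 1 from the issue: no API key, just a link into the VT web UI."""
    return f"https://www.virustotal.com/gui/file/{normalize_sha256(sha256)}"


@dataclass
class Verdict:
    sha256: str
    known: bool            # False when VT has never seen the file (API 404)
    malicious: int = 0
    suspicious: int = 0
    total_engines: int = 0
    flagged: bool = False


def verdict_from_report(sha256: str, report: Optional[dict], threshold: int) -> Verdict:
    """Reduce a VT v3 /files/{hash} response to a policy decision.
    `threshold` is the configurable number of engines that must rate the file
    malicious or suspicious before the policy fails.  A None report means VT
    has not seen the file: not flagged, but also not cleared."""
    digest = normalize_sha256(sha256)
    if report is None:
        return Verdict(sha256=digest, known=False)
    stats = report["data"]["attributes"]["last_analysis_stats"]
    mal = int(stats.get("malicious", 0))
    sus = int(stats.get("suspicious", 0))
    total = sum(int(v) for v in stats.values())
    return Verdict(digest, True, mal, sus, total, flagged=(mal + sus) >= threshold)


Fetcher = Callable[[str], Optional[dict]]  # hypothetical: sha256 -> report or None


@dataclass
class ReputationCache:
    """Point 2 of the issue: remember verdicts so each new executable costs one
    API call, not one per policy run."""
    fetch: Fetcher
    threshold: int = 3
    lookups: int = 0
    _verdicts: Dict[str, Verdict] = field(default_factory=dict)

    def lookup(self, sha256: str) -> Verdict:
        digest = normalize_sha256(sha256)
        if digest not in self._verdicts:
            self.lookups += 1
            self._verdicts[digest] = verdict_from_report(
                digest, self.fetch(digest), self.threshold)
        return self._verdicts[digest]


# Constructed sample data standing in for live API responses (no network).
KNOWN_BAD = "a" * 64
UNSEEN = "b" * 64
SAMPLE_REPORTS = {
    KNOWN_BAD: {"data": {"attributes": {"last_analysis_stats": {
        "malicious": 41, "suspicious": 2, "undetected": 27, "harmless": 0}}}},
}


def sample_fetch(sha256: str) -> Optional[dict]:
    return SAMPLE_REPORTS.get(sha256)  # None plays the role of an API 404


if __name__ == "__main__":
    cache = ReputationCache(fetch=sample_fetch, threshold=3)
    for digest in (KNOWN_BAD, UNSEEN, KNOWN_BAD):
        v = cache.lookup(digest)
        print(vt_search_url(digest),
              "flagged" if v.flagged else "unflagged",
              "known" if v.known else "unseen")
    print("api lookups:", cache.lookups)  # the repeated hash hit the cache
```

Two details matter for a real deployment: the digest is validated before it is placed in a URL or API path, so a malformed value from a host cannot change the request, and an unseen file is reported as "unknown" rather than "clean", which is the case where the paid submit-file API (point 3, with its opt-in) would come in.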

mikermcneil commented 8 months ago

As a first step towards Option 1, let's do a video showing how you can go from building such a query (as a policy or a label) to looking at the results and pasting a hash into virustotal. That'll get us thinking about how to design it, and also immediately help people in the community make the connection that this is possible.

»» https://github.com/fleetdm/confidential/issues/4348