joxeankoret / pyew

Official repository for Pyew.
GNU General Public License v2.0

Problems with vt #9

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I am a starter with this program so this might be a newbie mistake.

"""
[0x00000000]> vt
File 002.exe with MD5 ea58eefb31cfc7e866a771bf13294347
------------------------------------------------------

Error: local variable 'match' referenced before assignment
"""

Here is the report if I do send it using the browser: 
http://www.virustotal.com/file-scan/report.html?id=7897ce606aac0e8186a68909a51e84dd298a5e590e80235000128cf004ff0c2b-1323035150

Am I doing something wrong or is this a programming error?

Original issue reported on code.google.com by he...@nerv.fi on 4 Dec 2011 at 9:55

GoogleCodeExporter commented 9 years ago
Using pyew-2.0-linux-amd64.tar.gz 1a390e2cc87d5d6c9a641be965059a4ae17e7ffe

Original comment by he...@nerv.fi on 4 Dec 2011 at 10:59

GoogleCodeExporter commented 9 years ago
Known behaviour but buggy. When no AV detects it there is no match. Thanks for 
reporting, will be fixed.

Original comment by joxean.p...@gmail.com on 4 Dec 2011 at 11:03
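The failure mode the maintainer describes (a name that is only bound when some engine matched, then read unconditionally) is easy to reproduce and easy to fix. The following is an added example and not pyew's own virustotal.py: the "Engine : Result" report text is constructed to look like the vt command's output, the regex and function names are my own, and the buggy parser only imitates the pattern behind the error message quoted above.

```python
import re

# Constructed sample reports in the "Engine : Result" layout the vt command
# prints; these are not real VirusTotal pages and the detection names are
# only illustrative.
REPORT_WITH_HITS = """\
ClamAV                   : Eicar-Test-Signature
Kaspersky                : EICAR-Test-File
BitDefender              : EICAR-Test-File (not a virus)
"""
REPORT_CLEAN = "\n"   # what a report with zero detections reduces to

# One "Engine : Result" line; engine names such as CAT-QuickHeal or
# McAfee-GW-Edition contain '-' so the engine class allows it.
LINE_RE = re.compile(r"^(?P<engine>[\w.-]+)\s*:\s*(?P<result>.+?)\s*$")


def parse_detections_buggy(report):
    """The pattern behind 'local variable referenced before assignment':
    'match' is only bound on lines that contain ':', so the first line that
    does not (the whole report, when no engine detected the sample) reaches
    'if match' with the name unbound and Python raises UnboundLocalError."""
    results = {}
    for line in report.splitlines():
        if ":" in line:
            match = LINE_RE.match(line)
        if match:
            results[match.group("engine")] = match.group("result")
    return results


def parse_detections(report):
    """Fixed version: 'match' is assigned on every iteration, and a report
    with no detections simply yields an empty dict instead of crashing."""
    results = {}
    for line in report.splitlines():
        match = LINE_RE.match(line)
        if match is None:
            continue
        results[match.group("engine")] = match.group("result")
    return results


def summarize(path, md5, report):
    """Render the report the way the vt command does, with an explicit
    message for the no-detection case rather than a crash or blank output."""
    hits = parse_detections(report)
    header = f"File {path} with MD5 {md5}"
    lines = [header, "-" * len(header), ""]
    if not hits:
        lines.append("No AV engine detected this sample")
    else:
        lines.extend(f"{engine:<24} : {result}" for engine, result in hits.items())
    return "\n".join(lines)


def buggy_raises_on_clean_report(report=REPORT_CLEAN):
    """True if the buggy parser blows up on a report with no detections."""
    try:
        parse_detections_buggy(report)
    except UnboundLocalError:
        return True
    return False


if __name__ == "__main__":
    print(summarize("002.exe", "ea58eefb31cfc7e866a771bf13294347", REPORT_CLEAN))
    print()
    print(summarize("eicar.zip", "76428bb55327e8422aa57e09c7c30c06", REPORT_WITH_HITS))
```

The buggy and fixed parsers agree on a report that has detections, which is why the bug only surfaced on a sample nothing flagged; initialising the variable on every iteration (or to None before the loop) is the whole fix.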

GoogleCodeExporter commented 9 years ago
Fixed in the repository.

Original comment by joxean.p...@gmail.com on 13 Dec 2011 at 10:56

GoogleCodeExporter commented 9 years ago
Hi. I am installing pyew-2.0-linux on remnux3.0 to update the currently installed 
one, to fix the VT plugin problem as described in this bug fix #9.
I found the pyew-2.0-linux still contained the "#9 buggy" code, so I patched 
my /pyew-2.0-linux/plugins/virustotal.py with the repo version at: 
http://code.google.com/p/pyew/source/browse/plugins/virustotal.py?r=e984a67f8cf1a564b97187171c237da98ce5b255

Looks like the other problem occurred, please kindly re-open this #9 issue.

Description:
i.e. if we scan "eicar.zip" with the "vt" command it will show like this:

---------------------code start-------------------------------
# /usr/local/pyew/pyew.py ./eicar.zip
 :(snip)
0000   50 4B 03 04 0A 00 00 00 00 00 64 3B 5B 25 23 4B    PK........d;[%#K
0010   8A 6C 46 00 00 00 46 00 00 00 09 00 00 00 65 69    .lF...F.......ei
0020   63 61 72 2E 63 6F 6D 58 35 4F 21 50 25 40 41 50    car.comX5O!P%@AP
:(snip)

[0x00000000]> vt
File ./eicar.zip with MD5 76428bb55327e8422aa57e09c7c30c06
----------------------------------------------------------
(( blank space only ))
[0x00000000]>q

---------------------code end-------------------------------

The problem was caused by virustotal.py being coded according to the previous 
VT format and URL.
In VT recently there were two changes:
1. The VT report format base changed
2. The VT report base URL changed
   I used the sample URL pasted in this bug #9 below
   previous URL:
   http://www.virustotal.com/file-scan/report.html?id=7897ce606aac0e8186a68909a51e84dd298a5e590e80235000128cf004ff0c2b-1323035150
   new one:
   https://www.virustotal.com/file/7897ce606aac0e8186a68909a51e84dd298a5e590e80235000128cf004ff0c2b/analysis/1323035150/

To fix the current problem, there are two options.
1. If I may suggest, like the command "threat" which passes the MD5 into the URL 
   to be opened by lynx, we can do the same with VT, where the URL format is: 
   https://www.virustotal.com/file/[sample's SHA256]/analysis/
2. The other option is to recode virustotal.py with the new format accordingly.

Please kindly consider fixing the vt command accordingly.

---
Hendrik ADRIAN | http://0day.jp | Twitter/VT/Google: @unixfreaxjp
PGP: RSA 2048/0xEC61AB9 AB91 BF89 F24B E57A 81B1 B93A 99CC B9AD 3D5B EC61 AB91
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB9AD3D5BEC61AB91

Original comment by unixfrea...@gmail.com on 30 Apr 2012 at 7:16
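The comment above gives both permalink layouts (the old `?id=<sha256>-<timestamp>` form and the new `/file/<sha256>/analysis/<timestamp>/` path) and proposes building the lookup from the sample's SHA256. The following is an added example, not pyew's virustotal.py and not the poster's code: it hashes the eicar.zip bytes transcribed from the hex dump in this thread, builds both URL forms from the thread's SHA256 and timestamp, converts the old form into the new one, and cross-checks the transcribed archive by parsing its local header by hand. The function names, the regex and the "latest analysis" reading of the timestamp-less URL are my assumptions; the MD5 compared against is the value the vt command printed in the thread.

```python
import hashlib
import io
import re
import struct
import zipfile

# eicar.zip transcribed byte-for-byte from the hex dump shown in this thread:
# a STORED (method 0) ZIP holding eicar.com, the EICAR test string plus CRLF.
EICAR_ZIP = bytes.fromhex(
    "504b03040a0000000000643b5b25234b"
    "8a6c4600000046000000090000006569"
    "6361722e636f6d58354f215025404150"
    "5b345c505a58353428505e2937434329"
    "377d2445494341522d5354414e444152"
    "442d414e544956495255532d54455354"
    "2d46494c452124482b482a0d0a504b01"
    "0214000a0000000000643b5b25234b8a"
    "6c460000004600000009000000000000"
    "0001002000ff81000000006569636172"
    "2e636f6d504b05060000000001000100"
    "370000006d0000000000"
)
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
THREAD_MD5 = "76428bb55327e8422aa57e09c7c30c06"   # MD5 the vt command printed

# Report id quoted in the thread: <sha256>-<unix scan timestamp>
THREAD_SHA256 = "7897ce606aac0e8186a68909a51e84dd298a5e590e80235000128cf004ff0c2b"
THREAD_SCAN_TS = "1323035150"


def sample_hashes(data):
    """MD5 (what pyew prints) and SHA256 (what VT keys its reports by)."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "matches_thread_md5": md5 == THREAD_MD5,
    }


def old_report_url(sha256, scan_ts):
    """Permalink form quoted in the first post of this issue."""
    return f"http://www.virustotal.com/file-scan/report.html?id={sha256}-{scan_ts}"


def new_report_url(sha256, scan_ts=None):
    """Permalink form quoted in the later post. Without a timestamp this is
    the SHA256-only URL the poster suggests building (assumed to resolve to
    the latest analysis)."""
    url = f"https://www.virustotal.com/file/{sha256}/analysis/"
    return url if scan_ts is None else f"{url}{scan_ts}/"


OLD_ID_RE = re.compile(r"[?&]id=(?P<sha256>[0-9a-fA-F]{64})-(?P<ts>\d+)")


def convert_old_url(url):
    """Rewrite an old-style permalink into the new path layout, or raise."""
    m = OLD_ID_RE.search(url)
    if m is None:
        raise ValueError("not an old-style VirusTotal report URL")
    return new_report_url(m.group("sha256").lower(), m.group("ts"))


def first_local_entry(data):
    """Parse the first local file header by hand (no trust in the central
    directory) and return (name, compression method, raw payload)."""
    (sig, _ver, _flags, method, _mtime, _mdate, _crc,
     csize, _usize, nlen, xlen) = struct.unpack("<4sHHHHHIIIHH", data[:30])
    if sig != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    name_end = 30 + nlen
    payload_start = name_end + xlen
    name = data[30:name_end].decode("ascii")
    return name, method, data[payload_start:payload_start + csize]


def central_directory_names(data):
    """Same archive via the standard library, which reads the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    h = sample_hashes(EICAR_ZIP)
    print(f"File eicar.zip with MD5 {h['md5']} (matches thread: {h['matches_thread_md5']})")
    old = old_report_url(THREAD_SHA256, THREAD_SCAN_TS)
    print("old:", old)
    print("new:", convert_old_url(old))
    print("by SHA256 only:", new_report_url(h["sha256"]))
    print(first_local_entry(EICAR_ZIP)[:2], central_directory_names(EICAR_ZIP))
```

Keying the lookup on SHA256 rather than MD5 is the right move independent of the URL change: VT's permalinks are SHA256-based, and MD5 collisions are cheap enough that two different samples can share the MD5 pyew prints.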

GoogleCodeExporter commented 9 years ago
Hi,

Sorry, but I cannot reproduce it. Using the Mercurial version:

$ pyew testcases/issue#9/eicar.zip 
0000   50 4B 03 04 0A 00 00 00 00 00 64 3B 5B 25 23 4B    PK........d;[%#K
0010   8A 6C 46 00 00 00 46 00 00 00 09 00 00 00 65 69    .lF...F.......ei
0020   63 61 72 2E 63 6F 6D 58 35 4F 21 50 25 40 41 50    car.comX5O!P%@AP
0030   5B 34 5C 50 5A 58 35 34 28 50 5E 29 37 43 43 29    [4.PZX54(P^)7CC)
0040   37 7D 24 45 49 43 41 52 2D 53 54 41 4E 44 41 52    7}$EICAR-STANDAR
0050   44 2D 41 4E 54 49 56 49 52 55 53 2D 54 45 53 54    D-ANTIVIRUS-TEST
0060   2D 46 49 4C 45 21 24 48 2B 48 2A 0D 0A 50 4B 01    -FILE!$H+H*..PK.
0070   02 14 00 0A 00 00 00 00 00 64 3B 5B 25 23 4B 8A    .........d;[%#K.
0080   6C 46 00 00 00 46 00 00 00 09 00 00 00 00 00 00    lF...F..........
0090   00 01 00 20 00 FF 81 00 00 00 00 65 69 63 61 72    ... .......eicar
00A0   2E 63 6F 6D 50 4B 05 06 00 00 00 00 01 00 01 00    .comPK..........
00B0   37 00 00 00 6D 00 00 00 00 00                      7...m.....

[0x00000000]> vt
File testcases/issue#9/eicar.zip with MD5 76428bb55327e8422aa57e09c7c30c06
--------------------------------------------------------------------------

nProtect                 : EICAR-Test-File (not a virus)
CAT-QuickHeal            : EICAR Test File
McAfee                   : EICAR test file
K7AntiVirus              : EICAR_Test_File
TheHacker                : EICAR_Test_File
VirusBuster              : EICAR_test_file
NOD32                    : Eicar test file
F-Prot                   : EICAR_Test_File
Symantec                 : EICAR Test String
Norman                   : EICAR_Test_file_not_a_virus!
TrendMicro-HouseCall     : Eicar_test_file
Avast                    : EICAR Test-NOT virus!!!
eSafe                    : EICAR Test File
ClamAV                   : Eicar-Test-Signature
Kaspersky                : EICAR-Test-File
BitDefender              : EICAR-Test-File (not a virus)
ViRobot                  : EICAR-test
Sophos                   : EICAR-AV-Test
Comodo                   : Teststring.Eicar
F-Secure                 : EICAR_Test_File
DrWeb                    : EICAR Test File (NOT a Virus!)
VIPRE                    : EICAR (v)
AntiVir                  : Eicar-Test-Signature
TrendMicro               : Eicar_test_file
McAfee-GW-Edition        : EICAR test file
Emsisoft                 : EICAR-ANTIVIRUS-TESTFILE!IK
eTrust-Vet               : the EICAR test string
Jiangmin                 : EICAR-Test-File
Antiy-AVL                : AVTEST/EICAR.ETF
Microsoft                : Virus:DOS/EICAR_Test_File
SUPERAntiSpyware         : NotAThreat.EICAR[TestFile]
GData                    : EICAR-Test-File
Commtouch                : EICAR_Test_File
AhnLab-V3                : EICAR_Test_File
VBA32                    : EICAR-Test-File
Rising                   : EICAR-Test-File
Ikarus                   : EICAR-ANTIVIRUS-TESTFILE
Fortinet                 : EICAR_TEST_FILE
AVG                      : EICAR_Test
Panda                    : Eicar.Mod

Are you sure you're using the version from the Mercurial repository?

Original comment by joxean.p...@gmail.com on 30 Apr 2012 at 9:18

GoogleCodeExporter commented 9 years ago
Thanks for the kind reply.
I am using the source from your PYEW project download page.

pyew-2.0-linux-x86.tar.gz   Pyew 2.0 Linux (x86)   Featured
URL: 
http://code.google.com/p/pyew/downloads/detail?name=pyew-2.0-linux-x86.tar.gz&can=2&q=

For your convenience here are the top dir files' hashes:
# md5sum * ./
MD5                               FileName
---------------------------------------------------
9c4c26602e958ed9f685166bb54a0189  AUTHORS
a54997b15c6fce67fdbdd92300369251  batch_antidebug.py
fba4255b364155e75821bfe34a6fbb73  batch_example.py
cc5cadc527748d6fcdb3f7f2d17b7f27  ChangeLog
b95c40654121d554c2c09f29c2687f5b  config.py
e0a6f3edc5bc5fff89768b665948ae87  config.pyc
751419260aa954499f7abaabaa882bbe  COPYING
dcabd89ebe0ab8184413dccbe18728ee  files.sqlite
6414b9d50c642d99bafdf3fe58394bf9  gcluster.py
751419260aa954499f7abaabaa882bbe  LICENSE
6e88540887b6c03511ef587abbce6483  pdf_example.py
c6dd6bb7c429ed3d3445d057ed0a9a75  pefile.py
55162ad3c1e8b0f322c46ada736d3784  pefile.pyc
547eb38f2b2b91363cdf07cc859a9f70  peutils.py
ac44da1f4d8b44b06cefbec7312fc3a0  peutils.pyc
ba5fb01c1e126fb7a8f7636a01538169  pydistorm.py
1430a4fe559046356d1a7fd88cbd63f3  pydistorm.pyc
e0d6e495000129512a7a31e076c31bea  pyew
9440bacc3a91aea1becb1ae244593373  pyew.bat
0828d98e378ae109f0d73a1e327814d7  pyew_core.py
8cb15c4b92f004d144b4036793e0b2cf  pyew_core.pyc
1ee3f02f166aaa4205bbafc1a896a826  pyew.kpf
43eb0efab2216e3d0ef77886d50f6491  pyew.py
44d5f60c1520848c772efa3ae426f8cc  safer_pickle.py
00a456f05e8f38979ce14398f2ac1e5e  safer_pickle.pyc

PS: Please advise me from which URL I can download the version from the 
Mercurial repository. I tried to search for it at http://mercurial.selenic.com/ but 
couldn't find it, please forgive my stupidity.

Original comment by unixfrea...@gmail.com on 30 Apr 2012 at 1:02

GoogleCodeExporter commented 9 years ago
hg clone https://code.google.com/p/pyew/

Original comment by he...@nerv.fi on 30 Apr 2012 at 1:20

GoogleCodeExporter commented 9 years ago
Thanks for the hint. 
I learnt Mercurial as fast as I could and updated my box's pyew.
I found the problem was solved in the Mercurial repo's code.

Note:
$ apt-get install mercurial
$ hg clone https://code.google.com/p/pyew/

# pyew ./eicar.zip
0000   50 4B 03 04 0A 00 00 00 00 00 64 3B 5B 25 23 4B    PK........d;[%#K
0010   8A 6C 46 00 00 00 46 00 00 00 09 00 00 00 65 69    .lF...F.......ei
0020   63 61 72 2E 63 6F 6D 58 35 4F 21 50 25 40 41 50    car.comX5O!P%@AP
0030   5B 34 5C 50 5A 58 35 34 28 50 5E 29 37 43 43 29    [4.PZX54(P^)7CC)
       :
     (snip) 

[0x00000000]> vt
File ./eicar.zip with MD5 76428bb55327e8422aa57e09c7c30c06
----------------------------------------------------------

nProtect                 : EICAR-Test-File (not a virus)
CAT-QuickHeal            : EICAR Test File
McAfee                   : EICAR test file
TheHacker                : EICAR_Test_File
K7AntiVirus              : EICAR_Test_File
VirusBuster              : EICAR_test_file
NOD32                    : Eicar test file
F-Prot                   : EICAR_Test_File
Symantec                 : EICAR Test String
Norman                   : EICAR_Test_file_not_a_virus!
TrendMicro-HouseCall     : Eicar_test_file
Avast                    : EICAR Test-NOT virus!!!
eSafe                    : EICAR Test File
   :
   :(SNIP)

Original comment by unixfrea...@gmail.com on 30 Apr 2012 at 1:25

GoogleCodeExporter commented 9 years ago
In case the need for shell-based VT scanning occurs:
I wrote this as a workaround before I patched with the Mercurial repo.

#!/bin/sh
# Look up a sample on VirusTotal by its SHA256 and dump the report with lynx.
# The sample path is taken from the script's second argument.
sample="$2"
[ -f "$sample" ] || { printf 'usage: %s <unused> <sample>\n' "$0" >&2; exit 1; }

#get path, hash & url
md5=$(/usr/bin/md5sum "$sample" | awk '{ print $1 }')
hash=$(/usr/bin/sha256sum "$sample" | awk '{ print $1 }')
search="https://www.virustotal.com/latest-scan/$hash"

#confirming path, hashes and url values (printf: echo does not portably expand \n)
printf 'Sample: %s\nMD5: %s\nSHA256: %s\nURL: %s\n\n' "$sample" "$md5" "$hash" "$search"

#dump the report page with lynx
lynx -dump "$search"
exit 0


Original comment by unixfrea...@gmail.com on 30 Apr 2012 at 1:37