VirusTotal Integration
Thomas Spanos
I was informed that the VirusTotal integration stopped and that the threat operations team now reviews the binaries manually. I liked the VT scoring, and I think that an automatic check and verification, even as a first step, is mandatory, especially for endpoints that have a third-party AV or are incompatible with the Managed AV.
Patrick Sofo [Security Product Manager]
Hi Thomas, binaries at Huntress are still enriched automatically through paid-for intelligence services, such as Reversing Labs. ThreatOps Analysts also still leverage VirusTotal scores for added context during the course of binary investigations. The only change that we made was to remove the Pos/Total hit count from the Portal UI due to VirusTotal licensing agreements.
Martin Twerski
Patrick Sofo [Security Product Manager]: Can we add a section for a MSP to provide their own VT API key and restore the UI in that case?
Patrick Sofo [Security Product Manager]
Martin Twerski: Thanks for the input! Feel free to add that as a separate feature request so it does not get lost in this thread. This is probably not a top priority for us at the moment, but I want to make sure we are tracking the feature request and its intended use.
Martin Twerski
Patrick Sofo [Security Product Manager]: Feels like it fits in this request, but I will let Thomas Spanos decide if he wants to modify his request to include this.
Maxwell'la Lehner'la
Martin Twerski: this is a pretty good idea. I just wrote up something in Rust to query the VT API, something to supplement the data
Thomas Spanos
Martin Twerski: It's fine with me but I cannot modify the content in the initial request. Anyway, for me the Binaries page now has no meaning. There is no information to look for at first sight without the Virustotal Score. I don't think that anyone can remember specific SHAs and then manually open the VT details to confirm the score of a suspicious one. So, I suggest putting either useful information or to just remove this page and leave only the alert for any malicious findings.
Martin Twerski
Patrick Sofo [Security Product Manager]: maybe we could just have a hyperlink on the page that links to the VT page? I.e., just a link "check with VirusTotal" that points to https://www.virustotal.com/gui/file/<sha256here> or whatever the URL is.
Patrick Sofo [Security Product Manager]
Martin Twerski: Hi Martin, we do have a link to VT on this page. See screenshot below.
And I don't disagree Thomas Spanos that we could be doing more with this page. The main persona it was originally built for was our internal analyst user to get a sense of where else we have seen the binary in the Huntress ecosystem.
I'll take your feedback back to the rest of the product team and we can see what we can do in time to make this page more interesting to partners. Thank you!
Martin Twerski
Patrick Sofo [Security Product Manager]: Ah, that's great. Still think allowing us to supply our own API key is valid, but since this request can't be modified I'll have to submit a new one for that.
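The three things the thread asks for (a "check with VirusTotal" link per SHA-256, a Pos/Total hit count, and the ability to use a partner's own VT API key) can be put together in a few lines against the public VirusTotal API v3. The example below is added here and is not Huntress code nor the Rust tool mentioned above; it assumes the v3 `files/{hash}` endpoint returns a `last_analysis_stats` object with `malicious`, `suspicious`, `undetected` and `harmless` counters (as the public VT v3 docs describe), and it defines "Pos/Total" as malicious verdicts over all engines that returned a verdict, which is this example's own convention. The `SAMPLE_REPORT` is constructed so the module runs offline; `fetch_score` does the real lookup with a caller-supplied key.

```python
"""Build VT links and a Pos/Total score for SHA-256 hashes (added example).

Assumptions (not from the thread): VirusTotal API v3 'files' endpoint,
x-apikey header, and the last_analysis_stats layout shown in SAMPLE_REPORT.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Optional, Tuple

VT_GUI = "https://www.virustotal.com/gui/file/{}"
VT_API = "https://www.virustotal.com/api/v3/files/{}"
_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample of a v3 file report; NOT a real VT response.
SAMPLE_REPORT = {
    "data": {
        "id": "a" * 64,
        "attributes": {
            "last_analysis_stats": {
                "harmless": 0,
                "malicious": 58,
                "suspicious": 1,
                "undetected": 13,
                "type-unsupported": 4,
                "timeout": 0,
                "failure": 0,
            }
        },
    }
}


def vt_link(sha256: str) -> str:
    """Portal-style 'check with VirusTotal' link; rejects non-SHA-256 input."""
    if not _SHA256.match(sha256):
        raise ValueError("expected a 64-hex-character SHA-256")
    return VT_GUI.format(sha256.lower())


def build_request(sha256: str, api_key: str) -> urllib.request.Request:
    """v3 file-report request; the partner's own key travels in x-apikey."""
    req = urllib.request.Request(VT_API.format(sha256.lower()))
    req.add_header("x-apikey", api_key)
    req.add_header("Accept", "application/json")
    return req


def score_from_report(report: dict) -> Tuple[int, int]:
    """(positives, total): malicious over engines that returned a verdict.

    type-unsupported/timeout/failure are excluded from the denominator, so a
    file that many engines could not scan is not made to look 'clean'.
    """
    stats = report["data"]["attributes"]["last_analysis_stats"]
    positives = stats.get("malicious", 0)
    total = (positives + stats.get("suspicious", 0)
             + stats.get("undetected", 0) + stats.get("harmless", 0))
    return positives, total


def format_row(sha256: str, report: dict) -> str:
    """One Binaries-page style line: '58/72  <sha>  <link>'."""
    pos, total = score_from_report(report)
    return f"{pos}/{total}  {sha256.lower()}  {vt_link(sha256)}"


def fetch_score(sha256: str, api_key: str, timeout: float = 10.0) -> Optional[Tuple[int, int]]:
    """Live lookup. Returns None when VT has never seen the hash (HTTP 404)."""
    try:
        with urllib.request.urlopen(build_request(sha256, api_key), timeout=timeout) as resp:
            return score_from_report(json.load(resp))
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise  # 401 (bad key) and 429 (quota) should surface, not be hidden


if __name__ == "__main__":
    # Offline demo on the constructed report; swap in fetch_score(...) with a real key.
    print(format_row(SAMPLE_REPORT["data"]["id"], SAMPLE_REPORT))
```

A 404 is a meaningful result in this context (an unseen binary is itself a triage signal), so it is returned as `None` rather than raised, while key and quota errors propagate so a misconfigured MSP key is noticed rather than silently producing empty scores.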