[Bug] VirusTotal_GetReport does not work anymore #519

Closed
Tux-Panik opened this issue Jul 29, 2019 · 7 comments
Labels
category:bug Issue is related to a bug

Comments

@Tux-Panik

Describe the bug
Hi all,

I have had TheHive & Cortex installed for months, using Docker:

  • TheHive version is 3.3.0-1.
  • Cortex version is 2.1.3-1.
  • I use the latest version of the "Cortex-Analyzers" repository, downloaded from GitHub using git.
  • "Cortex-Analyzers" is properly declared in my Docker Compose file so that analyzers/responders are loaded from the filesystem and not from Docker.

Suddenly, and for about 3 weeks, "VirusTotal_GetReport_3_0" doesn't work anymore in my server configuration.

Each job results in the following error message:

  Invalid output
  Traceback (most recent call last):
    File "VirusTotal/virustotal.py", line 7, in <module>
      from virus_total_apis import PublicApi as VirusTotalPublicApi
  ImportError: No module named virus_total_apis

Complementary information
temp

Work environment

  • Client OS: Windows or Linux fail as well
  • Server OS: CentOS 7 (TH & Cortex in Dockers)
  • Browser type and version: FF 68.0.1
  • Cortex version: 2.1.3-1
  • Cortex Analyzer name: "VirusTotal_GetReport_3_0"
  • Cortex Analyzer/Responder version: 3.0

Possible solutions

  • I reviewed the file permissions ==> they were OK
  • I reviewed the TLP/PAP limitations ==> they were OK
  • I tried to delete and then retrieve a fresh "Cortex-Analyzers" repository ==> no change
  • I tried to remove my Cortex container and to retrieve a fresh one with the same Docker-Compose ==> no change
  • I checked my integration platform and Analyzer & versions are the same but it works fine
  • I tried to manually replace the "virustotal.py" content ==> no change

Additional context
At this stage, I don't understand why only this analyzer fails and what check I could perform to fix the issue.
Thanks for your help if you have any idea to move forward.

Kind regards,
Julien

Tux-Panik added the category:bug label on Jul 29, 2019

@ITServ-DE (Contributor) commented Jul 29, 2019

Check you have the file virustotal_api.pyc in the directory of the analyzer.

You probably won't have it, but it used to be there. Not sure it was removed from the developers intentionally or by accident, however, it's good it's no longer there.

If the file is missing, reinstall VirusTotal API by running

pip install virustotal-api
pip3 install virustotal-api

@Tux-Panik (Author)

Hi @github-pba

You are right... thanks for your answer!

The file is missing in my repo and no longer present in the VT folder in Github:
https://github.com/TheHive-Project/Cortex-Analyzers/tree/master/analyzers/VirusTotal

The deletion is perhaps due to a Python version. It occurred on 14/May.

However, as jobs run into Docker containers, I'm not sure if I need to install the 'virustotal-api' into my server.

I copied it from my dev server and pasted into my main one, granting relevant permissions.
After refreshing the analyzers from Cortex, it doesn't work better!

I still continue to troubleshoot the issue.
Regards,

@ITServ-DE (Contributor)

I'm not familiar with docker, so I do not know how the docker installation is done and if the docker container already has the required python modules.

I don't think so, because reading through the install docs tells me that the Analyzers are installed by cloning them from git. I don't think there is a cortex-analysers-container, but I might be wrong.

During the installation, you should execute

for I in $(find Cortex-Analyzers -name 'requirements.txt'); do sudo -H pip2 install -r $I; done && \
for I in $(find Cortex-Analyzers -name 'requirements.txt'); do sudo -H pip3 install -r $I || true; done

This would install the required Python modules.

Finally, all you have to do is rerun these commands to get virus_total_apis back.
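The traceback in this thread comes from a pip distribution name ("virustotal-api") that differs from the module the analyzer actually imports ("virus_total_apis"), so a successful pip run does not by itself prove the analyzer will start. The script below is an added example, not part of the Cortex-Analyzers project: it parses a constructed requirements.txt, maps distribution names to import names through an assumed table, and reports which modules the running interpreter cannot find.

```python
"""Report which of an analyzer's requirements this interpreter cannot import.

Added example, not Cortex-Analyzers project code. The distribution-to-import
name table is an assumption: pip installs 'virustotal-api' but the analyzer
imports 'virus_total_apis', the exact mismatch behind the ImportError above.
Run it with the same interpreter Cortex uses for its jobs (pip2 vs pip3).
"""
import importlib.util
import re
import sys

# Constructed sample of an analyzer requirements.txt (not the real file).
SAMPLE_REQUIREMENTS = """\
# VirusTotal analyzer dependencies (constructed sample)
cortexutils
virustotal-api>=1.1
definitely-not-a-real-package ; python_version >= "3"
"""

# Assumed mapping from pip distribution name to the module it provides.
IMPORT_NAMES = {
    "virustotal-api": "virus_total_apis",
    "cortexutils": "cortexutils",
}


def parse_requirements(text):
    """Return lower-cased distribution names from requirements.txt lines,
    dropping comments, blank lines, version specifiers and env markers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0).lower())
    return names


def missing_modules(dist_names, import_names=IMPORT_NAMES):
    """Return distribution names whose import module find_spec cannot locate.
    Unknown distributions are assumed to import under their own name with
    '-' replaced by '_' (a common pip convention, not a guarantee)."""
    missing = []
    for dist in dist_names:
        module = import_names.get(dist, dist.replace("-", "_"))
        if importlib.util.find_spec(module) is None:
            missing.append(dist)
    return missing


if __name__ == "__main__":
    absent = missing_modules(parse_requirements(SAMPLE_REQUIREMENTS))
    print("python", sys.version.split()[0], "missing:", absent or "none")
```

A non-empty result for the interpreter that runs the jobs means the analyzer will fail at import time regardless of what the pip loop printed, which is why the `|| true` on the pip3 line above is worth checking for swallowed errors.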

@Tux-Panik (Author)

Issue solved.

Used in a Docker environment, it seems not mandatory to install the 'virustotal-api' module using pip.

Moreover, the error is definitely due to the missing file virustotal_api.py (without any "c" at the end) but, regarding the new analyzer version, it must be renamed to virus_total_apis.py.

In case of need, the missing file is attached.
virus_total_apis.zip

Thanks to @github-pba for putting me on the right direction!

Kind regards,
Julien

@Tux-Panik (Author)

Hi,

After upgrading Cortex-Analyzers, I got a new error with the "VirusTotal_GetReport_3_0" one.
The raised error was:

  Invalid output
  Traceback (most recent call last):
    File "VirusTotal/virustotal.py", line 7, in <module>
      from virus_total_apis import PublicApi as VirusTotalPublicApi
    File "virus_total_apis.py", line 25, in <module>
      import StringIO
  ModuleNotFoundError: No module named 'StringIO'

To fix it, I edited the file "virus_total_apis.py" and commented out line 25, which is now:
#import StringIO

Regards,

@garanews (Contributor)

Are you running in docker?
If yes, are you using correct image (image: thehiveproject/cortex:3.0.1) ?

@Tux-Panik (Author)

Yes, I run Docker with the latest image.
Thanks.
