Virustotal Scan returning incorrect taxonomy on URL scan #74

Closed
BrevilleBro opened this issue Jul 13, 2017 · 1 comment

BrevilleBro commented Jul 13, 2017

Virustotal Scan returning incorrect taxonomy on URL scan

Request Type

Bug

Work Environment

N/A

| Question | Answer |
|---|---|
| Cortex Analyzer Name | VirusTotal |
| Cortex Analyzer Version | 1.5.0 |
| Cortex Version | 11.3 |

Description

VirusTotal URL Scan analyzer returns 0 for taxonomy result, despite there being a positive result in the body of the JSON.

See the sample JSON below, where the taxonomy returns 0; however, positives = 1 and Kaspersky is marked as "detected, phishing".

Steps to Reproduce

  1. Scan a URL using VirusTotal analyzer
  2. Check VirusTotal Scan taxonomy result
  3. Inconsistency between VirusTotal Scan JSON report and taxonomy result

Sample JSON

{
  "full": {
    "permalink": "xxxxxxx",
    "resource": "xxxxxxx",
    "url": "xxxxxxxx",
    "response_code": 1,
    "scan_date": "xxxxxxx",
    "scan_id": "xxxxxx",
    "verbose_msg": "Scan finished, scan information embedded in this object",
    "filescan_id": null,
    "positives": 1,
    "total": 65,
    "scans": {
      "CLEAN MX": {
        "detected": false,
        "result": "clean site"
      },
      "VX Vault": {
        "detected": false,
        "result": "clean site"
      },
      "ZDB Zeus": {
        "detected": false,
        "result": "clean site"
      },
      "Tencent": {
        "detected": false,
        "result": "clean site"
      },
      "Netcraft": {
        "detected": false,
        "result": "unrated site"
      },
      "PhishLabs": {
        "detected": false,
        "result": "unrated site"
      },
      "Zerofox": {
        "detected": false,
        "result": "clean site"
      },
      "K7AntiVirus": {
        "detected": false,
        "result": "clean site"
      },
      "Virusdie External Site Scan": {
        "detected": false,
        "result": "clean site"
      },
      "Quttera": {
        "detected": false,
        "result": "clean site"
      },
      "AegisLab WebGuard": {
        "detected": false,
        "result": "clean site"
      },
      "MalwareDomainList": {
        "detected": false,
        "result": "clean site",
        "detail": "http://www.malwaredomainlist.com/mdl.php?search=xxxxxx"
      },
      "ZeusTracker": {
        "detected": false,
        "result": "clean site",
        "detail": "https://zeustracker.abuse.ch/monitor.php?host=xxxxxxx"
      },
      "zvelo": {
        "detected": false,
        "result": "clean site"
      },
      "Google Safebrowsing": {
        "detected": false,
        "result": "clean site"
      },
      "ParetoLogic": {
        "detected": false,
        "result": "clean site"
      },
      "Kaspersky": {
        "detected": true,
        "result": "phishing site"
      },
      "BitDefender": {
        "detected": false,
        "result": "clean site"
      },
      "Dr.Web": {
        "detected": false,
        "result": "clean site"
      },
      "Certly": {
        "detected": false,
        "result": "clean site"
      },
      "G-Data": {
        "detected": false,
        "result": "clean site"
      },
      "C-SIRT": {
        "detected": false,
        "result": "clean site"
      },
      "OpenPhish": {
        "detected": false,
        "result": "clean site"
      },
      "Websense ThreatSeeker": {
        "detected": false,
        "result": "unrated site"
      },
      "MalwarePatrol": {
        "detected": false,
        "result": "clean site"
      },
      "Webutation": {
        "detected": false,
        "result": "clean site"
      },
      "Trustwave": {
        "detected": false,
        "result": "clean site"
      },
      "Web Security Guard": {
        "detected": false,
        "result": "clean site"
      },
      "desenmascara.me": {
        "detected": false,
        "result": "clean site"
      },
      "ADMINUSLabs": {
        "detected": false,
        "result": "clean site"
      },
      "Malwarebytes hpHosts": {
        "detected": false,
        "result": "clean site"
      },
      "Opera": {
        "detected": false,
        "result": "clean site"
      },
      "AlienVault": {
        "detected": false,
        "result": "clean site"
      },
      "Emsisoft": {
        "detected": false,
        "result": "clean site"
      },
      "Malc0de Database": {
        "detected": false,
        "result": "clean site",
        "detail": "http://malc0de.com/database/index.php?search=xxxxxxx"
      },
      "malwares.com URL checker": {
        "detected": false,
        "result": "clean site"
      },
      "Phishtank": {
        "detected": false,
        "result": "clean site"
      },
      "Malwared": {
        "detected": false,
        "result": "clean site"
      },
      "Avira": {
        "detected": false,
        "result": "clean site"
      },
      "Baidu-International": {
        "detected": false,
        "result": "clean site"
      },
      "CyberCrime": {
        "detected": false,
        "result": "clean site"
      },
      "Antiy-AVL": {
        "detected": false,
        "result": "clean site"
      },
      "SCUMWARE.org": {
        "detected": false,
        "result": "clean site"
      },
      "FraudSense": {
        "detected": false,
        "result": "clean site"
      },
      "Comodo Site Inspector": {
        "detected": false,
        "result": "clean site"
      },
      "Malekal": {
        "detected": false,
        "result": "clean site"
      },
      "ESET": {
        "detected": false,
        "result": "clean site"
      },
      "Sophos": {
        "detected": false,
        "result": "unrated site"
      },
      "Yandex Safebrowsing": {
        "detected": false,
        "result": "clean site",
        "detail": "http://yandex.com/infected?l10n=en&url=xxxxxx"
      },
      "SecureBrain": {
        "detected": false,
        "result": "clean site"
      },
      "Nucleon": {
        "detected": false,
        "result": "clean site"
      },
      "Malware Domain Blocklist": {
        "detected": false,
        "result": "clean site"
      },
      "Blueliv": {
        "detected": false,
        "result": "clean site"
      },
      "ZCloudsec": {
        "detected": false,
        "result": "clean site"
      },
      "AutoShun": {
        "detected": false,
        "result": "unrated site"
      },
      "ThreatHive": {
        "detected": false,
        "result": "clean site"
      },
      "FraudScore": {
        "detected": false,
        "result": "clean site"
      },
      "Rising": {
        "detected": false,
        "result": "clean site"
      },
      "URLQuery": {
        "detected": false,
        "result": "unrated site"
      },
      "StopBadware": {
        "detected": false,
        "result": "unrated site"
      },
      "Sucuri SiteCheck": {
        "detected": false,
        "result": "clean site"
      },
      "Fortinet": {
        "detected": false,
        "result": "clean site"
      },
      "ZeroCERT": {
        "detected": false,
        "result": "clean site"
      },
      "Spam404": {
        "detected": false,
        "result": "clean site"
      },
      "securolytics": {
        "detected": false,
        "result": "clean site"
      }
    }
  },
  "summary": {
    "taxonomies": [
      {
        "predicate": "Score",
        "namespace": "VT",
        "value": "\"0\"",
        "level": "info"
      }
    ]
  },
  "success": true
}
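As an added illustration, not the analyzer's own code and not the hotfix the maintainer refers to: a standalone Python routine that derives a Cortex-style taxonomy from the URL-scan report's `positives`/`total` fields, plus a cross-check that flags exactly the mismatch reported here (detections present while the `VT:Score` taxonomy says `0` at level `info`). The report is a constructed, cut-down version of the JSON above; the level thresholds, the function names, and the fallback of counting `detected: true` engines when `positives` is absent are assumptions of this example.

```python
import json
from typing import Any, Dict, List

# Constructed sample: a cut-down version of the URL-scan report in this issue.
SAMPLE_REPORT: Dict[str, Any] = {
    "response_code": 1,
    "positives": 1,
    "total": 65,
    "scans": {
        "CLEAN MX": {"detected": False, "result": "clean site"},
        "Netcraft": {"detected": False, "result": "unrated site"},
        "Kaspersky": {"detected": True, "result": "phishing site"},
    },
}

# The summary block exactly as reported in the issue (value is a quoted "0", level info).
ISSUE_TAXONOMY: List[Dict[str, str]] = [
    {"predicate": "Score", "namespace": "VT", "value": "\"0\"", "level": "info"}
]


def build_taxonomy(level: str, namespace: str, predicate: str, value: str) -> Dict[str, str]:
    """Shape of one Cortex taxonomy entry (level/namespace/predicate/value)."""
    return {"level": level, "namespace": namespace, "predicate": predicate, "value": value}


def count_detections(report: Dict[str, Any]) -> int:
    """Count engines that flagged the URL; used when 'positives' is missing (assumption)."""
    return sum(1 for scan in report.get("scans", {}).values() if scan.get("detected") is True)


def summarize_url_report(report: Dict[str, Any], suspicious_max: int = 2) -> List[Dict[str, str]]:
    """Derive the VT:Score taxonomy from a URL-scan report.

    Thresholds are assumptions for this example: 0 hits -> safe,
    1..suspicious_max hits -> suspicious, more -> malicious.
    """
    # response_code != 1 means VirusTotal has no scan for this resource.
    if report.get("response_code") != 1:
        return [build_taxonomy("info", "VT", "Score", "not found")]

    positives = report.get("positives")
    if positives is None:
        positives = count_detections(report)
    total = report.get("total", len(report.get("scans", {})))

    if positives == 0:
        level = "safe"
    elif positives <= suspicious_max:
        level = "suspicious"
    else:
        level = "malicious"

    # Plain "hits/total" string, not a string containing literal quote characters.
    return [build_taxonomy(level, "VT", "Score", f"{positives}/{total}")]


def taxonomy_matches_report(report: Dict[str, Any], taxonomies: List[Dict[str, str]]) -> bool:
    """Cross-check a summary against its report: catches the 'positives=1 but Score=0' case."""
    positives = report.get("positives", count_detections(report))
    for entry in taxonomies:
        if entry.get("namespace") != "VT" or entry.get("predicate") != "Score":
            continue
        raw = str(entry.get("value", "")).strip('"')  # tolerate the quoted "\"0\"" form
        try:
            score = int(raw.split("/")[0])
        except ValueError:
            return False
        if score != positives:
            return False
        if positives > 0 and entry.get("level") in ("info", "safe"):
            return False
        return True
    return False  # no VT:Score entry at all


if __name__ == "__main__":
    fixed = summarize_url_report(SAMPLE_REPORT)
    print(json.dumps({"taxonomies": fixed}, indent=2))
    print("issue summary consistent:", taxonomy_matches_report(SAMPLE_REPORT, ISSUE_TAXONOMY))
    print("derived summary consistent:", taxonomy_matches_report(SAMPLE_REPORT, fixed))
```

Run on the constructed report, the derived summary is `1/65` at level `suspicious`, and the cross-check rejects the issue's `"0"`/`info` entry while accepting the derived one; the same check is a cheap unit test to keep a summary routine honest whenever the report format changes.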
@jeromeleonard (Contributor) commented:

Thx for reporting the issue. git pull to get the hotfix.

@jeromeleonard jeromeleonard self-assigned this Jul 13, 2017
@jeromeleonard jeromeleonard added this to the 1.5.1 milestone Jul 13, 2017