Free Open Source Self Hosted VirusTotal: Malice
Malice’s mission is to be a free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company.’
Ubuntu Install:
Install Go
$ sudo add-apt-repository ppa:ubuntu-lxc/lxd-stable $ sudo apt-get update $ sudo apt-get install golang # You should add these two lines to you .bashrc file. $ export GOPATH=$HOME $ export PATH=$PATH:$GOPATH/bin
Install Docker
$ sudo apt-get update $ sudo apt-get install apt-transport-https ca-certificates $ sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D $ echo "deb https://apt.dockerproject.org/repo ubuntu-trusty main" > sudo tee -a /etc/apt/sources.list.d/docker.list $ sudo apt-get update $ sudo apt-get install docker-engine $ sudo usermod -aG docker $USER # You might have to logout for change to take effect
Install Malice
$ sudo apt-get install libmagic-dev build-essential $ go get github.com/maliceio/malice
Download All Malice Plugins
$ malice plugin update --all
NOTE: pulling down all of the plugins can take a long time depending on your network speed.
Run Malice
$ export MALICE_VT_API=<YOUR API KEY> $ malice
NOTE: Malice has just created a
.malicein your home directory. This is used to store theconfig/plugininfo as well as to store the samples that you scan.
Usage: malice [OPTIONS] COMMAND [arg...] Open Source Malware Analysis Framework Version: 0.1.0-alpha, build HEAD Author: blacktop - <https://github.com/blacktop> Options: --debug, -D Enable debug mode [$MALICE_DEBUG] --help, -h show help --version, -v print the version Commands: scan Scan a file lookup Look up a file hash elk Start an ELK docker container web Start, Stop Web services plugin List, Install or Remove Plugins help Shows a list of commands or help for one command Run 'malice COMMAND --help' for more information on a command.
[adsense size='1']
Plugin List
| Name | Description | Enabled | Image | Category | Mime |
|---|---|---|---|---|---|
| nsrl | NSRL Database Hash Search | false | malice/nsrl | intel | hash |
| virustotal | VirusTotal – files scan and hash lookup | true | malice/virustotal | intel | hash |
| shadow-server | ShadowServer – hash lookup | true | malice/shadow-server | intel | hash |
| team-cymru | TeamCymru – hash lookup | false | malice/team-cymru | intel | hash |
| fileinfo | ssdeep/TRiD/exiftool | true | malice/fileinfo | metadata | * |
| yara | YARA Scan | true | malice/yara | av | * |
| avast | Avast AntiVirus | false | malice/avast | av | * |
| avg | AVG AntiVirus | true | malice/avg | av | * |
| bitdefender | Bitdefender AntiVirus | true | malice/bitdefender | av | * |
| clamav | ClamAV | true | malice/clamav | av | * |
| comodo | Comodo AntiVirus | true | malice/comodo | av | * |
| fprot | F-PROT AntiVirus | true | malice/fprot | av | * |
| f-secure | F-Secure AntiVirus | true | malice/f-secure | av | * |
| sophos | Sophos AntiVirus | true | malice/sophos | av | * |
| pe | PE – tool to triage portable executables | false | malice/pe | exe | application/x-dosexec |
| floss | FireEye Labs Obfuscated String Solver | true | malice/floss | exe | application/x-dosexec |
| office | Office – tool to triage OLE/RTF documents | false | malice/office | document | * |
| PDF – tool to triage PDF documents | false | malice/pdf | document | application/pdf | |
| javascript | Javascript – tool to triage JS scripts | false | malice/javascript | document | application/javascript |
| zip | Zip – tool to unarchive archives | false | malice/zip | archive | archive |
https://github.com/maliceio/malice
Gloss