Monday, November 29, 2021

November 29th, 2021 - SSO, Extended crowdsourced YARA detection and new relations

What's new?

  • SSO Authentication. Users can now sign in or sign up to VirusTotal via single sign-on. 3 identity providers have been added: Google, Twitter and GitHub. Microsoft will soon follow, SAML soon thereafter. The new SSO feature works with pre-existing VirusTotal Community accounts, in other words, if you already had an account tied to your Gmail account, for example, you may still use SSO as a more convenient way to log in to VirusTotal.

What has changed?

  • Numeric identifiers for crowdsourced YARA rulesets. Numeric identifiers for existing Crowdsourced YARA rulesets have changed. This means that searches like crowdsourced_yara_rule:002735f19d|PyInstaller may return 0 results if 002735f19d is an old identifier. All links in our UI already have the new identifiers, so this should affect only those users that stored the identifiers on their side and may be using them to run periodic searches.

Friday, July 5, 2019

June 2019 - Retrohunt over goodware corpus, APIv3 file feed and more

What's new?

  • Retrohunt users can now run their rules against a goodware corpus for rule QA testing. VT Hunting allows users to run Yara rules back in time against VirusTotal submissions. When writing Yara rules it is often difficult to test the quality of the rules and make sure that they do not produce too many false positives and hence too much noise. VT Hunting's Retrohunt now allows you to run Yara rules against a corpus of goodware, in order to make sure that the rules that you craft do not trigger false positives. Users can now test their rules prior to running a fully fledged retrohunt and/or prior to deploying them in VT Hunting Livehunt.
  • File feed implementation in APIv3. APIv3 has not yet been officially announced, however, it has already been stable for nearly two years and many users have already started to adopt it. APIv3 was missing the file and URL feed, i.e. the stream of reports for every single file or URL processed by VirusTotal live. The file feed endpoint has now been implemented in APIv3 and is documented at: https://developers.virustotal.com/v3.0/reference#get-feed-batch.

What's improved?

  • One-click away pivoting within file details, file behavior and file-submission report tabs. Many users overlook the fact that VT Intelligence indexes most of the metadata that VirusTotal generates for the files that it processes, this includes all of the data produced by tools that run on the binaries, e.g. file signature details. When passing the mouse over items in the file details, file behavior and file submission tabs they will now turn blue (link style) in the event that the particular field you are looking at is searchable with VT Intelligence. Upon clicking those elements you will trigger the pertinent search for other files sharing the same property.
  • Preview of resolutions for subdomains in domain reports. One of the relationships highlighted in domain reports is the subdomains of the pertinent domain name. Up until now this was a plain list that would link to the pertinent report on the specific subdomain under consideration. This list now displays a preview of the resolutions for the particular subdomain, the full list is displayed upon following the link to the subdomain report.
  • Flatten and simplify VT Enterprise UI. Following feedback from multiple users we have started to flatten the new VT Enterprise UI, making sure there is not a mix of colors and styles that distracts researchers from their core goal when using the platform. This includes small tweaks such as forcing grayscale on file desktop icon images and recovering its original color only when hovering over the particular file result row.

What's fixed?

  • VT Intelligence multisearch regular expression. VT Enterprise users can paste any random text into the main search bar in VirusTotal, the text will get automatically parsed and relevant indicators of compromise will be extracted (hashes, domains, IP addresses and URLs), then a search for all those observables will be conducted. The pattern to match hashes was not matching hashes immediately preceded by random text and a colon, without any other stop character. This has been fixed and now repeated strings of the form whatever:2340620f189d821181d42f03eff4cc30c19f576514c5eebad83ad011cabf989a should match. This specifically applies to the text downloadable output of retrohunt jobs.
  • APIv3 search and download endpoint quota consumption. When using APIv3 there was a bug whereby calls to the file search and file downloads endpoints would end up consuming VT Intelligence search and download quota even if you had licensed the premium API. As of now the logic always benefits the user, if you only have VT Intelligence access it will consume search and download quota, if you have both VT Intelligence and VT Premium API or just VT Premium API, it will consume API lookup quota.
  • Display ROM BIOS inner PE GUIDs. The new VT Enterprise UI was missing the GUIDs for PE files found within ROM BIOS images, this data point has been recovered and can be seen upon opening the details of the pertinent contained artefact.
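As an added illustration of the hash-matching problem described in the multisearch fix above (not VirusTotal's own extractor or regular expression), this Python snippet contrasts a naive pattern that only accepts a hash after whitespace with a boundary check based on adjacent hex digits. The sample text, the MD5 and SHA-1 values and the NAIVE_HASH_RE pattern are constructed here; only the SHA-256 comes from the release note.

```python
import re
from typing import List

# Constructed sample in the style of a retrohunt text download. Apart from the
# SHA-256 quoted in the release note, the digests are made-up filler values.
SAMPLE_TEXT = """\
my_rule:2340620f189d821181d42f03eff4cc30c19f576514c5eebad83ad011cabf989a
other_rule 0123456789abcdef0123456789abcdef
see deadbeefdeadbeefdeadbeefdeadbeefdeadbeef and https://example.invalid/x
too_long:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff0011
"""

HEX = "[0-9a-fA-F]"
LENGTHS = f"(?:{HEX}{{64}}|{HEX}{{40}}|{HEX}{{32}})"  # sha256 | sha1 | md5

# Constructed "before" pattern modelling the bug: a hash is only accepted at the
# start of a line or after whitespace, so "my_rule:<sha256>" is silently skipped.
NAIVE_HASH_RE = re.compile(rf"(?:^|(?<=\s))({LENGTHS})(?=\s|$)", re.M)

# Hardened pattern: the only forbidden neighbours are other hex digits, so a
# colon, quote, bracket or slash is a valid boundary, while a 68-character hex
# run is rejected instead of being chopped into a bogus sha256 or sha1.
HASH_RE = re.compile(rf"(?<!{HEX})({LENGTHS})(?!{HEX})")


def extract_hashes(text: str, pattern: re.Pattern = HASH_RE) -> List[str]:
    """Return the hashes found in text, lowercased, in order of first appearance."""
    found: List[str] = []
    for m in pattern.finditer(text):
        h = m.group(1).lower()
        if h not in found:
            found.append(h)
    return found


def hash_kind(h: str) -> str:
    """Classify a hex digest by length; raises KeyError for unsupported lengths."""
    return {32: "md5", 40: "sha1", 64: "sha256"}[len(h)]


if __name__ == "__main__":
    print("naive :", extract_hashes(SAMPLE_TEXT, NAIVE_HASH_RE))
    print("fixed :", [(hash_kind(h), h) for h in extract_hashes(SAMPLE_TEXT)])
```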