NB: This is a free tool and it is not supported by McAfee / Intel Security.

What is it?

A python script used to convict files automatically based on VirusTotal results.

How does it work?

When a file is executed on an endpoint with the TIE/DXL modules, a determination on the reputation is established. An event is generated and sent to ePO, based on that, we launch an "Automatic Response" that will execute a python script that will query VirusTotal for the SHA1 hash of the file in question. Based on the results (ie. number of vendors that found the file malicious) and do any of the major vendors find this file malicious (Trend, Symantec, Sophos, Kaspersky), the reputation of the file is changed and, because the change of reputation is sent thru the DXL, the file is removed from the endpoint. Also, if the file was running at the time, the process is killed. An "Issue" is also created in ePO with the details on the file (name, hash, percentage of vendors that found the file malicious etc.)

Things to know about VirusTotal

In order to use this script, you need to get an API key. Note that the "free" API limits you to 4 requests per minute. If you need more, you would need to purchase a Private API from them. Contact them for prices.

How to install

• Download the "Python Remote Client" from the Software Manager in ePO.

• Extract it and copy the folder "Python27" in the c: drive of the ePO server.
• Copy "convicter.py" (found below) in that folder. You need to enter the ePO admin/password and your API key in the the script. Look for "Fill these in".
• Register "c:\python27\python.exe" as a "Registered Executables". NB: You have to do this on the ePO server itself or else the option is grayed out. This is for security reasons.

• Create an "Automatic Response" as follows and choose to "Trigger this response on every event":

• You can choose the appropriate group or subgroup that is pertinent to you.

• Make sure that {targetFileName} in enclosed in "". This is to ensure that filenames with path and space will be handled correctly (ie. c:\program files\directory 1\filename.exe)
• 40 represents the percent you would want to convict at, given the VirusTotal results. This is the "Detection Ratio" on VirusTotal.
  • For example, the VirusTotal percent below would be %43.86(25/57), which is higher then the 40 specified in the arguments, so this part would be true.
  • Minimum value is 1 maximum is 100.
• 2 represents the number of major AV vendors (Trend, Symantec, Sophos, Kaspersky) that would have to detect this file also in order to change the file's reputation.
  • minimum value is 0 and maximum is 4
• Both arguments have to be true (equal or higher) in order for the file reputation change to occur. So if 3 major AV vendors found the sample to be malicious and you had set the threshold to 2, then it would considered to be true.

• An "Issue" is also created in ePO to see the action taken (or not) on files. There's also a "log.txt" file created in the python directory on the ePO server.

Things to know about Convicter

• Only works if there's an event generated by TIE and sent to ePO, otherwise, the "Automatic Responses" cannot by triggered.
  • The best way to do this is to "prompt" the user on what to do when an "Unknown" file is executed. This is under the "TIE Module for VSE" policy under "End User Prompting". This however is not the default configuration.
• Have done some testing (with version 1.0 of TIE/DXL) on it with different scenarios/files but please report bugs/others here so I can correct them.
  • The testing was done in my small environment, so, given the limitation of the "free" VirusTotal API (4 requests per minute), your mileage may vary. Good to keep that in mid.
• If errors occurs or the script does not appear to be working, please look at the "log.txt" file in the "c:\python27" directory. It will give you information on what went wrong (ie not enough arguments, arguments out of range, VirusTotal not reachable etc..).

Video

Quick video to demo it.

Have fun.

Regards,

JL Denis