using virustotal API via `vt` to analyze homebrew macOS binaries
# cached packages | |
homebrew for macOS caches its downloads in `~/Library/Caches/Homebrew`, and i figure that if the pkcs11 tooling i use were compromised it would be a huge problem for me and everyone else using it, so let's have a look at what's sitting in the cache:
``` | |
~/Library/Caches/Homebrew | |
% ls -la p11-kit* | |
lrwxr-xr-x 1 rlundb811 staff 118 Nov 20 11:23 p11-kit--0.25.3 -> downloads/1f29fbea9391e33f2bcc01c320d960dc11721363dd6fe42aafcef6dd194f2e05--p11-kit--0.25.3.arm64_sonoma.bottle.tar.gz | |
lrwxr-xr-x 1 rlundb811 staff 111 Oct 30 13:22 p11-kit_bottle_manifest--0.25.1 -> downloads/ad55f3d64397404e6a67b1f9518d6863ab14da4b812a227ba3cce37449c7c90c--p11-kit-0.25.1.bottle_manifest.json | |
lrwxr-xr-x 1 rlundb811 staff 111 Nov 20 11:23 p11-kit_bottle_manifest--0.25.3 -> downloads/cc547bf2f72da03680090015f5b720aff280ce33de9c33783a69c24fe97a4246--p11-kit-0.25.3.bottle_manifest.json | |
~/Library/Caches/Homebrew | |
% vt scan file p11-kit--0.25.3 | |
p11-kit--0.25.3 OGUzOTBjZjdlYmFmOWQxNTJkNzUyZGE0ODg4YjU3MTI6MTcwMTYzMDU0OQ== | |
``` | |
## analysis | |
after a few minutes i pull the analysis output: | |
``` | |
~/Library/Caches/Homebrew | |
% vt analysis OGUzOTBjZjdlYmFmOWQxNTJkNzUyZGE0ODg4YjU3MTI6MTcwMTYzMDU0OQ== | |
- _id: "OGUzOTBjZjdlYmFmOWQxNTJkNzUyZGE0ODg4YjU3MTI6MTcwMTYzMDU0OQ==" | |
_type: "analysis" | |
date: 1701630549 # 2023-12-03 13:09:09 -0600 CST | |
results: | |
ALYac: | |
category: "undetected" | |
engine_name: "ALYac" | |
engine_update: "20231203" | |
engine_version: "1.1.3.1" | |
method: "blacklist" | |
result: null | |
APEX: | |
category: "type-unsupported" | |
engine_name: "APEX" | |
engine_update: "20231128" | |
engine_version: "6.478" | |
method: "blacklist" | |
result: null | |
AVG: | |
category: "undetected" | |
engine_name: "AVG" | |
engine_update: "20231203" | |
engine_version: "23.9.8494.0" | |
method: "blacklist" | |
result: null | |
Acronis: | |
category: "undetected" | |
engine_name: "Acronis" | |
engine_update: "20230828" | |
engine_version: "1.2.0.121" | |
method: "blacklist" | |
result: null | |
AhnLab-V3: | |
category: "undetected" | |
engine_name: "AhnLab-V3" | |
engine_update: "20231203" | |
engine_version: "3.24.0.10447" | |
method: "blacklist" | |
result: null | |
Alibaba: | |
category: "type-unsupported" | |
engine_name: "Alibaba" | |
engine_update: "20190527" | |
engine_version: "0.3.0.5" | |
method: "blacklist" | |
result: null | |
Antiy-AVL: | |
category: "undetected" | |
engine_name: "Antiy-AVL" | |
engine_update: "20231203" | |
engine_version: "3.0" | |
method: "blacklist" | |
result: null | |
Arcabit: | |
category: "undetected" | |
engine_name: "Arcabit" | |
engine_update: "20231203" | |
engine_version: "2022.0.0.18" | |
method: "blacklist" | |
result: null | |
Avast: | |
category: "undetected" | |
engine_name: "Avast" | |
engine_update: "20231203" | |
engine_version: "23.9.8494.0" | |
method: "blacklist" | |
result: null | |
Avast-Mobile: | |
category: "type-unsupported" | |
engine_name: "Avast-Mobile" | |
engine_update: "20231201" | |
engine_version: "231201-00" | |
method: "blacklist" | |
result: null | |
Avira: | |
category: "undetected" | |
engine_name: "Avira" | |
engine_update: "20231203" | |
engine_version: "8.3.3.16" | |
method: "blacklist" | |
result: null | |
Baidu: | |
category: "undetected" | |
engine_name: "Baidu" | |
engine_update: "20190318" | |
engine_version: "1.0.0.2" | |
method: "blacklist" | |
result: null | |
BitDefender: | |
category: "undetected" | |
engine_name: "BitDefender" | |
engine_update: "20231203" | |
engine_version: "7.2" | |
method: "blacklist" | |
result: null | |
BitDefenderFalx: | |
category: "type-unsupported" | |
engine_name: "BitDefenderFalx" | |
engine_update: "20231121" | |
engine_version: "2.0.936" | |
method: "blacklist" | |
result: null | |
BitDefenderTheta: | |
category: "undetected" | |
engine_name: "BitDefenderTheta" | |
engine_update: "20231127" | |
engine_version: "7.2.37796.0" | |
method: "blacklist" | |
result: null | |
Bkav: | |
category: "undetected" | |
engine_name: "Bkav" | |
engine_update: "20231203" | |
engine_version: "2.0.0.1" | |
method: "blacklist" | |
result: null | |
CAT-QuickHeal: | |
category: "undetected" | |
engine_name: "CAT-QuickHeal" | |
engine_update: "20231202" | |
engine_version: "22.00" | |
method: "blacklist" | |
result: null | |
CMC: | |
category: "undetected" | |
engine_name: "CMC" | |
engine_update: "20230822" | |
engine_version: "2.4.2022.1" | |
method: "blacklist" | |
result: null | |
ClamAV: | |
category: "undetected" | |
engine_name: "ClamAV" | |
engine_update: "20231203" | |
engine_version: "1.2.1.0" | |
method: "blacklist" | |
result: null | |
CrowdStrike: | |
category: "type-unsupported" | |
engine_name: "CrowdStrike" | |
engine_update: null | |
engine_version: "1.0" | |
method: "blacklist" | |
result: null | |
Cybereason: | |
category: "type-unsupported" | |
engine_name: "Cybereason" | |
engine_update: "20231102" | |
engine_version: "1.2.449" | |
method: "blacklist" | |
result: null | |
Cylance: | |
category: "type-unsupported" | |
engine_name: "Cylance" | |
engine_update: "20231108" | |
engine_version: "2.0.0.0" | |
method: "blacklist" | |
result: null | |
Cynet: | |
category: "undetected" | |
engine_name: "Cynet" | |
engine_update: "20231203" | |
engine_version: "4.0.0.28" | |
method: "blacklist" | |
result: null | |
DeepInstinct: | |
category: "type-unsupported" | |
engine_name: "DeepInstinct" | |
engine_update: "20231203" | |
engine_version: "3.1.0.15" | |
method: "blacklist" | |
result: null | |
DrWeb: | |
category: "undetected" | |
engine_name: "DrWeb" | |
engine_update: "20231203" | |
engine_version: "7.0.61.8090" | |
method: "blacklist" | |
result: null | |
ESET-NOD32: | |
category: "undetected" | |
engine_name: "ESET-NOD32" | |
engine_update: "20231203" | |
engine_version: "28341" | |
method: "blacklist" | |
result: null | |
Elastic: | |
category: "type-unsupported" | |
engine_name: "Elastic" | |
engine_update: "20231129" | |
engine_version: "4.0.119" | |
method: "blacklist" | |
result: null | |
Emsisoft: | |
category: "undetected" | |
engine_name: "Emsisoft" | |
engine_update: "20231203" | |
engine_version: "2022.6.0.32461" | |
method: "blacklist" | |
result: null | |
F-Secure: | |
category: "undetected" | |
engine_name: "F-Secure" | |
engine_update: "20231203" | |
engine_version: "18.10.1547.307" | |
method: "blacklist" | |
result: null | |
FireEye: | |
category: "undetected" | |
engine_name: "FireEye" | |
engine_update: "20231203" | |
engine_version: "35.24.1.0" | |
method: "blacklist" | |
result: null | |
Fortinet: | |
category: "undetected" | |
engine_name: "Fortinet" | |
engine_update: "20231203" | |
engine_version: "None" | |
method: "blacklist" | |
result: null | |
GData: | |
category: "undetected" | |
engine_name: "GData" | |
engine_update: "20231203" | |
engine_version: "A:25.36918B:27.34083" | |
method: "blacklist" | |
result: null | |
Google: | |
category: "undetected" | |
engine_name: "Google" | |
engine_update: "20231203" | |
engine_version: "1700731866" | |
method: "blacklist" | |
result: null | |
Gridinsoft: | |
category: "undetected" | |
engine_name: "Gridinsoft" | |
engine_update: "20231203" | |
engine_version: "1.0.150.174" | |
method: "blacklist" | |
result: null | |
Ikarus: | |
category: "undetected" | |
engine_name: "Ikarus" | |
engine_update: "20231203" | |
engine_version: "6.2.4.0" | |
method: "blacklist" | |
result: null | |
Jiangmin: | |
category: "undetected" | |
engine_name: "Jiangmin" | |
engine_update: "20231202" | |
engine_version: "16.0.100" | |
method: "blacklist" | |
result: null | |
K7AntiVirus: | |
category: "undetected" | |
engine_name: "K7AntiVirus" | |
engine_update: "20231203" | |
engine_version: "12.129.50380" | |
method: "blacklist" | |
result: null | |
K7GW: | |
category: "undetected" | |
engine_name: "K7GW" | |
engine_update: "20231203" | |
engine_version: "12.129.50380" | |
method: "blacklist" | |
result: null | |
Kaspersky: | |
category: "undetected" | |
engine_name: "Kaspersky" | |
engine_update: "20231203" | |
engine_version: "22.0.1.28" | |
method: "blacklist" | |
result: null | |
Kingsoft: | |
category: "undetected" | |
engine_name: "Kingsoft" | |
engine_update: "20230906" | |
engine_version: "None" | |
method: "blacklist" | |
result: null | |
Lionic: | |
category: "undetected" | |
engine_name: "Lionic" | |
engine_update: "20231203" | |
engine_version: "7.5" | |
method: "blacklist" | |
result: null | |
MAX: | |
category: "undetected" | |
engine_name: "MAX" | |
engine_update: "20231203" | |
engine_version: "2023.1.4.1" | |
method: "blacklist" | |
result: null | |
Malwarebytes: | |
category: "undetected" | |
engine_name: "Malwarebytes" | |
engine_update: "20231203" | |
engine_version: "4.5.5.54" | |
method: "blacklist" | |
result: null | |
MaxSecure: | |
category: "undetected" | |
engine_name: "MaxSecure" | |
engine_update: "20231202" | |
engine_version: "1.0.0.1" | |
method: "blacklist" | |
result: null | |
McAfee: | |
category: "undetected" | |
engine_name: "McAfee" | |
engine_update: "20231203" | |
engine_version: "6.0.6.653" | |
method: "blacklist" | |
result: null | |
MicroWorld-eScan: | |
category: "undetected" | |
engine_name: "MicroWorld-eScan" | |
engine_update: "20231203" | |
engine_version: "14.0.409.0" | |
method: "blacklist" | |
result: null | |
Microsoft: | |
category: "undetected" | |
engine_name: "Microsoft" | |
engine_update: "20231203" | |
engine_version: "1.1.23100.2009" | |
method: "blacklist" | |
result: null | |
NANO-Antivirus: | |
category: "undetected" | |
engine_name: "NANO-Antivirus" | |
engine_update: "20231203" | |
engine_version: "1.0.146.25796" | |
method: "blacklist" | |
result: null | |
Paloalto: | |
category: "type-unsupported" | |
engine_name: "Paloalto" | |
engine_update: "20231203" | |
engine_version: "0.9.0.1003" | |
method: "blacklist" | |
result: null | |
Panda: | |
category: "undetected" | |
engine_name: "Panda" | |
engine_update: "20231203" | |
engine_version: "4.6.4.2" | |
method: "blacklist" | |
result: null | |
Rising: | |
category: "undetected" | |
engine_name: "Rising" | |
engine_update: "20231203" | |
engine_version: "25.0.0.27" | |
method: "blacklist" | |
result: null | |
SUPERAntiSpyware: | |
category: "undetected" | |
engine_name: "SUPERAntiSpyware" | |
engine_update: "20231203" | |
engine_version: "5.6.0.1032" | |
method: "blacklist" | |
result: null | |
Sangfor: | |
category: "undetected" | |
engine_name: "Sangfor" | |
engine_update: "20231122" | |
engine_version: "2.23.0.0" | |
method: "blacklist" | |
result: null | |
SentinelOne: | |
category: "type-unsupported" | |
engine_name: "SentinelOne" | |
engine_update: "20231119" | |
engine_version: "23.4.2.3" | |
method: "blacklist" | |
result: null | |
Skyhigh: | |
category: "undetected" | |
engine_name: "Skyhigh" | |
engine_update: "20231203" | |
engine_version: "v2021.2.0+4045" | |
method: "blacklist" | |
result: null | |
Sophos: | |
category: "undetected" | |
engine_name: "Sophos" | |
engine_update: "20231203" | |
engine_version: "2.4.3.0" | |
method: "blacklist" | |
result: null | |
Symantec: | |
category: "undetected" | |
engine_name: "Symantec" | |
engine_update: "20231203" | |
engine_version: "1.21.0.0" | |
method: "blacklist" | |
result: null | |
SymantecMobileInsight: | |
category: "type-unsupported" | |
engine_name: "SymantecMobileInsight" | |
engine_update: "20230119" | |
engine_version: "2.0" | |
method: "blacklist" | |
result: null | |
TACHYON: | |
category: "undetected" | |
engine_name: "TACHYON" | |
engine_update: "20231203" | |
engine_version: "2023-12-03.02" | |
method: "blacklist" | |
result: null | |
Tencent: | |
category: "undetected" | |
engine_name: "Tencent" | |
engine_update: "20231203" | |
engine_version: "1.0.0.1" | |
method: "blacklist" | |
result: null | |
Trapmine: | |
category: "type-unsupported" | |
engine_name: "Trapmine" | |
engine_update: "20231106" | |
engine_version: "4.0.14.97" | |
method: "blacklist" | |
result: null | |
TrendMicro: | |
category: "undetected" | |
engine_name: "TrendMicro" | |
engine_update: "20231203" | |
engine_version: "11.0.0.1006" | |
method: "blacklist" | |
result: null | |
TrendMicro-HouseCall: | |
category: "undetected" | |
engine_name: "TrendMicro-HouseCall" | |
engine_update: "20231203" | |
engine_version: "10.0.0.1040" | |
method: "blacklist" | |
result: null | |
Trustlook: | |
category: "type-unsupported" | |
engine_name: "Trustlook" | |
engine_update: "20231203" | |
engine_version: "1.0" | |
method: "blacklist" | |
result: null | |
VBA32: | |
category: "undetected" | |
engine_name: "VBA32" | |
engine_update: "20231201" | |
engine_version: "5.0.0" | |
method: "blacklist" | |
result: null | |
VIPRE: | |
category: "undetected" | |
engine_name: "VIPRE" | |
engine_update: "20231203" | |
engine_version: "6.0.0.35" | |
method: "blacklist" | |
result: null | |
Varist: | |
category: "undetected" | |
engine_name: "Varist" | |
engine_update: "20231203" | |
engine_version: "6.5.1.2" | |
method: "blacklist" | |
result: null | |
ViRobot: | |
category: "undetected" | |
engine_name: "ViRobot" | |
engine_update: "20231203" | |
engine_version: "2014.3.20.0" | |
method: "blacklist" | |
result: null | |
VirIT: | |
category: "undetected" | |
engine_name: "VirIT" | |
engine_update: "20231201" | |
engine_version: "9.5.591" | |
method: "blacklist" | |
result: null | |
Webroot: | |
category: "type-unsupported" | |
engine_name: "Webroot" | |
engine_update: "20231203" | |
engine_version: "1.0.0.403" | |
method: "blacklist" | |
result: null | |
Xcitium: | |
category: "undetected" | |
engine_name: "Xcitium" | |
engine_update: "20231203" | |
engine_version: "36228" | |
method: "blacklist" | |
result: null | |
Yandex: | |
category: "undetected" | |
engine_name: "Yandex" | |
engine_update: "20231203" | |
engine_version: "5.5.2.24" | |
method: "blacklist" | |
result: null | |
Zillya: | |
category: "undetected" | |
engine_name: "Zillya" | |
engine_update: "20231201" | |
engine_version: "2.0.0.5006" | |
method: "blacklist" | |
result: null | |
ZoneAlarm: | |
category: "undetected" | |
engine_name: "ZoneAlarm" | |
engine_update: "20231203" | |
engine_version: "1.0" | |
method: "blacklist" | |
result: null | |
Zoner: | |
category: "undetected" | |
engine_name: "Zoner" | |
engine_update: "20231203" | |
engine_version: "2.2.2.0" | |
method: "blacklist" | |
result: null | |
tehtris: | |
category: "type-unsupported" | |
engine_name: "tehtris" | |
engine_update: "20231203" | |
engine_version: null | |
method: "blacklist" | |
result: null | |
stats: | |
confirmed-timeout: 0 | |
failure: 0 | |
harmless: 0 | |
malicious: 0 | |
suspicious: 0 | |
timeout: 0 | |
type-unsupported: 16 | |
undetected: 60 | |
status: "completed" | |
~/Library/Caches/Homebrew | |
``` | |
tada | |
so if you ran incoming packages through a pipeline to `vt scan file <path>`, pulled the results back in a timely fashion and alerted on anything flagged malicious, you would be pretty close to a product you could sell people — or end up getting cease-and-desisted by google for blowing up the vt API 😂 (caveat: a clean verdict on a compressed bottle tarball is a weak signal — 16 of the 76 engines above report `type-unsupported` — and homebrew already verifies the bottle's sha256 against the formula on download, which is the hash you see in the cached filename, so treat this as a second opinion rather than a replacement for that check.)