mime2vt.py
Unpack MIME attachments from STDIN and check them against virustotal.com. Use it standalone:

cat /tmp/mail.dump | mime2vt.py -c /etc/mime2vt.conf
Or via tools like Procmail:
:0
* ^X-Spam-Flag: YES
{
  :0c
  | /usr/local/bin/mime2vt.py -d /tmp/mime -c /home/xavier/.mime2vt.conf

  :0
  spam
}
Usage
usage: mime2vt.py [-h] [-d DIRECTORY] [-v] [-c CONFIG]

Unpack MIME attachments from a file and check them against virustotal.com

optional arguments:
  -h, --help            show this help message and exit
  -d DIRECTORY, --directory DIRECTORY
                        directory where files will be extracted (default: /tmp)
  -v, --verbose         verbose output
  -c CONFIG, --config CONFIG
                        configuration file (default: /etc/mime2vt.conf)
Results
Information is sent via Syslog. Each extracted file is logged with its MD5, its VirusTotal detection score and the date of the last VirusTotal scan, followed by the age of that scan relative to the current time:

Dec 12 18:41:20 marge mime2vt.py[1104]: Processing zip archive: 4359ae6078390f417ab0d4411527a5c2.zip
Dec 12 18:41:21 marge mime2vt.py[1104]: File: VOICE748-348736.scr (acb05e95d713b1772fb96a5e607d539f) Score: 38/53 Scanned: 2014-11-13 15:45:04 (29 days, 2:56:17)
A SQLite database is created to store useful information about the malicious files:
CREATE TABLE files(
    md5 TEXT PRIMARY KEY,
    filename TEXT,
    first_vt_score TEXT,
    last_vt_score TEXT,
    first_seen DATETIME DEFAULT CURRENT_TIMESTAMP,
    last_seen DATETIME DEFAULT CURRENT_TIMESTAMP,
    occurrences INTEGER
)
The database is created automatically if not present.
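The following is an added example, not mime2vt.py's own code, showing the processing pipeline the README describes end to end: a MIME message is read as bytes, every attachment is decoded, zip archives are expanded so each member is checked on its own, each file is hashed, and the result is tracked in the `files` table documented above (first/last score, first/last seen, occurrence counter). Function names (`iter_files`, `record`, `process_message`), the `MAX_MEMBER_SIZE` zip-bomb guard and the sample mail are assumptions made for the example. The VirusTotal query is injected as a callable so the code runs offline; `fake_vt_lookup` returns constructed scores and stands in for the virustotal-api call the real tool makes.

```python
#!/usr/bin/env python3
"""Added example (not mime2vt.py): unpack MIME attachments, expand zips,
hash every file and track it in the README's SQLite 'files' table.
The VirusTotal lookup is injected as a callable so this runs offline."""
import email
import hashlib
import io
import sqlite3
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption for the example: refuse to inflate zip members larger than this (zip-bomb guard).
MAX_MEMBER_SIZE = 50 * 1024 * 1024

SCHEMA = """
CREATE TABLE IF NOT EXISTS files(
    md5 TEXT PRIMARY KEY,
    filename TEXT,
    first_vt_score TEXT,
    last_vt_score TEXT,
    first_seen DATETIME DEFAULT CURRENT_TIMESTAMP,
    last_seen DATETIME DEFAULT CURRENT_TIMESTAMP,
    occurrences INTEGER
)"""

# Constructed sample payload; the md5 is what the fake VT lookup is keyed on.
SCR_BYTES = b"MZ constructed placeholder, not a real executable"
FAKE_SCORES = {hashlib.md5(SCR_BYTES).hexdigest(): "38/53"}


def init_db(conn):
    """Create the table if it does not exist yet."""
    conn.execute(SCHEMA)
    conn.commit()


def iter_files(raw_message):
    """Yield (name, data) for every attachment; zip members are yielded one by one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if part.get_content_disposition() != "attachment" and not name:
            continue  # message body (text/plain, text/html), not an attachment
        data = part.get_payload(decode=True)  # undo base64 / quoted-printable
        if not data:
            continue
        name = name or "unnamed"
        if not zipfile.is_zipfile(io.BytesIO(data)):
            yield (name, data)
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                    continue
                try:
                    yield ("%s/%s" % (name, info.filename), zf.read(info))
                except RuntimeError:
                    # Password-protected member: its content cannot be hashed,
                    # so fall back to tracking the archive itself.
                    yield (name, data)
                    break


def record(conn, md5, filename, score):
    """Insert a new hash, or bump last_vt_score/last_seen/occurrences for a known one."""
    row = conn.execute("SELECT occurrences FROM files WHERE md5 = ?", (md5,)).fetchone()
    if row is None:
        conn.execute(
            "INSERT INTO files(md5, filename, first_vt_score, last_vt_score, occurrences) "
            "VALUES (?, ?, ?, ?, 1)", (md5, filename, score, score))
    else:
        conn.execute(
            "UPDATE files SET last_vt_score = ?, last_seen = CURRENT_TIMESTAMP, "
            "occurrences = occurrences + 1 WHERE md5 = ?", (score, md5))
    conn.commit()


def process_message(raw_message, conn, vt_lookup):
    """vt_lookup(md5) -> score string such as '38/53' (the VT call in the real tool)."""
    results = []
    for name, data in iter_files(raw_message):
        md5 = hashlib.md5(data).hexdigest()
        sha256 = hashlib.sha256(data).hexdigest()
        score = vt_lookup(md5)
        record(conn, md5, name, score)
        results.append({"filename": name, "md5": md5, "sha256": sha256, "score": score})
    return results


def fake_vt_lookup(md5):
    """Stand-in for the VirusTotal query; constructed scores only."""
    return FAKE_SCORES.get(md5, "0/53")


def sample_message():
    """Constructed mail: a zip holding a .scr, plus a harmless .pdf attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("VOICE748-348736.scr", SCR_BYTES)
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "xavier@example.invalid"
    msg["Subject"] = "New voice message"
    msg["X-Spam-Flag"] = "YES"
    msg.set_content("You have a new voice message, see attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="VOICE748.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    import sys
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    # "--stdin" reads a raw mail from STDIN like the real tool; otherwise use the sample.
    raw = sys.stdin.buffer.read() if "--stdin" in sys.argv else sample_message()
    for r in process_message(raw, conn, fake_vt_lookup):
        print("File: %s (%s) Score: %s" % (r["filename"], r["md5"], r["score"]))
```

Running the same mail through `process_message` twice leaves one row per hash with `occurrences` at 2 and `last_seen` refreshed, which is what makes the table useful for spotting a campaign that keeps resending the same sample. Encrypted zip members are a common trick in malspam: `zipfile` raises `RuntimeError` on them, and the example then records the archive hash instead of silently dropping the attachment.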
Requirements
sudo pip install python-dateutil
sudo pip install elasticsearch
sudo pip install virustotal-api

Installing into a virtualenv instead of the system Python (drop the sudo) works as well and avoids touching system packages.