Update: virustotal-search.py Version 0.1.9

I added a quota feature to virustotal-search.py's -l (--limitrequests) option.


-l is an option to limit the number of requests: you specify the maximum number of requests to make, and virustotal-search.py will stop once that maximum is reached. Remark that virustotal-search.py does 4 hash lookups per request, thus if your remaining quota for the day is 1000, you can use -l 250 to perform a maximum of 250 requests without exceeding your total quota (250 = 1000 / 4).

With this new version, you can also instruct virustotal-search.py to calculate (via the API) how much remaining quota you have, and use that to decide how many queries to perform. This is done with the keyword quota:. The syntax is: -l quota:groupid,maximum,reserve.

groupid is the group ID your account belongs to. For example sans_isc.

maximum is your daily API quota: how many lookups can you do in one day.

And reserve is the number of lookups you want to save: how many lookups should remain when virustotal-search.py has finished.

Let's try an example: assume you want virustotal-search.py to do as many queries as possible, but leave a reserve of 100 lookups. Option -l will look like this: -l quota:sans_isc,10000,100.

sans_isc is your group ID, 10000 is the daily API quota, 100 is the reserve.

If you want virustotal-search.py to query your remaining quota, without doing any lookups, use the string query as reserve. Like this: -l quota:sans_isc,10000,query.

In this example, 3896 lookups have been consumed, and that gives 10000 - 3896 = 6104 remaining lookups. To look up file hashes, that means there are 6104 / 4 = 1526 remaining queries.

Thus in this case, starting virustotal-search.py with option -l quota:sans_isc,10000,0 would be the same as -l 1526. The difference is that in the first case, you don't have to calculate the value 1526: virustotal-search.py does this for you.
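To make the arithmetic behind the quota: keyword concrete, here is an added example (my own code, not virustotal-search.py's implementation) that parses the -l argument and turns a consumed-lookup count into the number of 4-hash requests that can still be made. The consumed count (3896 in the post) is passed in as a plain number; in the real tool it comes from the VirusTotal API, which this example does not call. The function and class names are my own.

```python
from dataclasses import dataclass
from typing import Optional, Union

# virustotal-search.py batches 4 hash lookups into one API request (stated in the post).
HASHES_PER_REQUEST = 4


@dataclass
class QuotaSpec:
    """Parsed form of -l quota:groupid,maximum,reserve (hypothetical class name)."""
    groupid: str
    maximum: int               # daily API quota in lookups
    reserve: Optional[int]     # None means the 'query' keyword: report only, do no lookups


def parse_limit_option(value: str) -> Union[int, QuotaSpec]:
    """Parse the -l argument: either a plain request count ('250') or
    'quota:groupid,maximum,reserve'. Raises ValueError on malformed input."""
    if not value.startswith('quota:'):
        return int(value)
    fields = value[len('quota:'):].split(',')
    if len(fields) != 3:
        raise ValueError('expected quota:groupid,maximum,reserve')
    groupid, maximum, reserve = fields
    if not groupid:
        raise ValueError('empty group ID')
    return QuotaSpec(groupid, int(maximum), None if reserve == 'query' else int(reserve))


def remaining_lookups(maximum: int, consumed: int) -> int:
    """Lookups left today; never negative even if the API reports overuse."""
    return max(0, maximum - consumed)


def requests_allowed(spec: QuotaSpec, consumed: int) -> Optional[int]:
    """Number of 4-hash requests that can be made without touching the reserve.
    Returns None for the 'query' keyword (caller should only print the quota)."""
    if spec.reserve is None:
        return None
    usable = remaining_lookups(spec.maximum, consumed) - spec.reserve
    # Floor division: a partial batch would exceed the budget, so it is dropped.
    return max(0, usable // HASHES_PER_REQUEST)


if __name__ == '__main__':
    consumed = 3896  # constructed value, the figure from the post's example
    for arg in ('-l 1526', '-l quota:sans_isc,10000,0',
                '-l quota:sans_isc,10000,100', '-l quota:sans_isc,10000,query'):
        parsed = parse_limit_option(arg.split(' ', 1)[1])
        if isinstance(parsed, int):
            print(f'{arg}: fixed limit of {parsed} requests')
        elif parsed.reserve is None:
            left = remaining_lookups(parsed.maximum, consumed)
            print(f'{arg}: {left} lookups remaining for group {parsed.groupid}, no requests made')
        else:
            print(f'{arg}: {requests_allowed(parsed, consumed)} requests allowed')
```

With 3896 lookups consumed, quota:sans_isc,10000,0 yields 1526 requests, matching the hand calculation above, while a reserve of 100 yields 1501 (6004 usable lookups, floor-divided by 4). A reserve larger than the remaining quota yields 0 rather than a negative count.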

You can combine this feature with option --sleep to have virustotal-search.py use the remaining lookups at the end of the day.

For example, virustotal-search.py --sleep 01:45:00 -l quota:sans_isc,10000,10 will have virustotal-search.py wait until it's 01:45:00 (15 minutes before UTC midnight in CEST), then query the amount of remaining lookups, and do the lookups so as not to exceed the quota and to leave 10 lookups available.

virustotal-search_V0_1_9.zip (http)
MD5: 8A8D8C47A02D07AAA36FAB5A8667BC54
SHA256: A6062F7C3D910E8B090DF77C81BBF3A0ADE504A4F0F504325C009D9FC792B266

Article Link: Update: virustotal-search.py Version 0.1.9 | Didier Stevens