"On-demand" VirusTotal file/URL scanning via the LogRhythm Web Console
LogRhythm-Labs/SRP-VirusTotal
SRP-VirusTotal

LogRhythm Strategic Integrations Team
zack[dot]rowland@logrhythm[dot]com
julian[dot]crowley@logrhythm[dot]com
v1.0 -- July, 2018

SmartResponse Plugin/C# Code - Copyright 2018 LogRhythm Inc. - See licensing details below

[About]

This SmartResponse plugin submits a file or URL to VirusTotal (www.virustotal.com) for analysis. VirusTotal leverages over 70 antivirus scanners, URL/domain blacklisting services, and malware analysis tools to extract signals from submitted content. Information returned by VirusTotal can include:

  • Detection information from multiple scan engines
  • The date of the first scan/file submission
  • For executable files, detailed information such as function imports, embedded resources, and other metadata
  • Positive detection ratio: how many engines flagged the file/URL as malicious

[Additional Information]

The plugin's core consists of an open-source .NET CLI executable ("lrvt") which can also be used outside of LogRhythm/SmartResponse.

We've primarily designed this plugin around "on-demand" execution via the LogRhythm Web Console. For related functionality (with different abilities such as being able to e-mail the VirusTotal scan results), please check out Greg Foss' VirusTotal SmartResponse plugin/PowerShell script available here: https://github.com/LogRhythm-Labs/VirusTotal

[Building from Source]

The "lrvt" .NET CLI executable was originally developed and compiled using Visual Studio 2015 Community Edition:

  • The project's "target framework" is .NET Framework 4.5.2 (newer versions of .NET Framework are very likely to work without issues)
  • The project leverages the Json.NET "Newtonsoft.Json" package/code (v11.02) to process JSON returned by VirusTotal. This package was added to the project in Visual Studio using the NuGet package manager.

To build the Visual Studio solution (project):

  • Open the "lrvt" Visual Studio project using Visual Studio 2015 (or later)
  • Select either the "Debug" or "Release" configuration from the "Solution Configurations" pulldown menu (located by default in the Visual Studio editor toolbar)
  • Select the "Build" menu > "Build Solution"
  • Visual Studio compiles the executable and places it in the corresponding "Debug" or "Release" folder (depending on the selected configuration)
  • This completes the build process for the "lrvt" executable. If you then want to build the SmartResponse plugin itself:
    • Copy all files generated by Visual Studio from the "Debug" (or "Release") folder into "src/Plugin/bin"
    • Launch the LogRhythm Console and open "Deployment Manager"
    • Select the "Tools" menu > "Administration" > "SmartResponse Plugin Manager"
    • Click the "Create Plugin" button, then click "Browse"
    • Navigate to the local directory that contains the "src\Plugin" folder, select the "Plugin" folder and click "Ok"
    • Click the "Validate" button; the validation process should run and report no errors
    • Click the "Create" button. The plugin is created and you are prompted to choose a location for saving the plugin file (.lpi file)

[Install and Usage]

For instructions and information about the VirusTotal SmartResponse plugin, please refer to the plugin documentation (available in the "doc" folder on this repository or on LogRhythm Community).

To run the "lrvt" program by itself (from the Windows command line or PowerShell), use the following syntax:

Scan File:

lrvt.exe --scan-file [FILE_NAME] [VIRUSTOTAL_API_KEY]

Scan URL:

lrvt.exe --scan-url [URL] [VIRUSTOTAL_API_KEY]
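The information listed under [About] (detection ratio, scan date, per-engine detections) comes back from VirusTotal as JSON, which the plugin processes with Newtonsoft.Json. The following is an added example, not code from the lrvt project, showing how such a report can be reduced to an analyst-facing summary using Json.NET; it assumes the VirusTotal v2 report layout ("response_code", "positives", "total", "scan_date", "scans") and the sample JSON is constructed.

```csharp
using System;
using System.Linq;
using Newtonsoft.Json.Linq;

// Added example (not part of the lrvt project): summarise a VirusTotal report so an
// analyst sees the detection ratio and which engines flagged the sample.
// Field names follow the VirusTotal v2 report format (assumption); the JSON is constructed.
public static class VtReportSummary
{
    public enum Verdict { Queued, NotFound, Clean, Flagged }

    public static Verdict Summarise(string json, out string summary)
    {
        JObject report = JObject.Parse(json);
        // response_code: 1 = report present, 0 = resource unknown to VirusTotal,
        // -2 = submitted but still queued for analysis (no verdict yet).
        int rc = report.Value<int?>("response_code") ?? 0;
        if (rc == -2) { summary = "Analysis still queued; re-query later."; return Verdict.Queued; }
        if (rc != 1)  { summary = "Resource not present in VirusTotal's dataset."; return Verdict.NotFound; }

        int positives   = report.Value<int?>("positives") ?? 0;
        int total       = report.Value<int?>("total") ?? 0;
        string scanDate = report.Value<string>("scan_date") ?? "unknown";

        // "scans" maps engine name -> { detected, result, ... }; keep only the hits.
        var scans = report["scans"] as JObject ?? new JObject();
        var hits = scans.Properties()
            .Where(p => p.Value.Value<bool?>("detected") == true)
            .Select(p => p.Name + ": " + (p.Value.Value<string>("result") ?? "(unnamed)"))
            .ToList();

        summary = "Detection ratio " + positives + "/" + total + " (scanned " + scanDate + ")";
        if (hits.Count > 0)
            summary += Environment.NewLine + "  " + string.Join(Environment.NewLine + "  ", hits);
        return positives > 0 ? Verdict.Flagged : Verdict.Clean;
    }

    public static void Main()
    {
        // Constructed sample report: two of three engines flag the file.
        const string sample = @"{
          ""response_code"": 1, ""scan_date"": ""2018-07-01 12:00:00"",
          ""positives"": 2, ""total"": 3,
          ""scans"": {
            ""EngineA"": { ""detected"": true,  ""result"": ""Trojan.Generic"" },
            ""EngineB"": { ""detected"": false, ""result"": null },
            ""EngineC"": { ""detected"": true,  ""result"": ""Malware.Test"" }
          }
        }";
        Verdict v = Summarise(sample, out string text);
        Console.WriteLine(v + ": " + text);
    }
}
```

A queued response (response_code -2) is the case worth handling explicitly: a freshly submitted file returns no detections yet, which should not be read as "clean".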

[License]

Copyright 2018 LogRhythm Inc.

C# .NET code is Licensed under the MIT License. See LICENSE file in the project root for full license information.

LogRhythm integrated code (SmartResponse and Dashboards) is licensed pursuant to the LogRhythm End User License Agreement located at https://logrhythm.com/about/logrhythm-terms-and-conditions/ (“License Agreement”) and by downloading and using this content you agree to the terms and conditions of the License Agreement unless you have a separate signed end user license agreement with LogRhythm in which case that signed agreement shall govern your licensed use of this content. For purposes of the applicable end user license agreement, this content constitutes LogRhythm Software.
