It was not really clear in which direction Virustotal was heading after the acquisition of the service by Google was officially announced. Some feared that it would be integrated into core Google services and shut down, while others had hopes that the service would benefit from the parent company's vast resources.
The service improved afterwards, raising the maximum file size limit to 64 Megabytes in the process and eliminating nearly all of the wait time that users of the service experienced before the acquisition.
Virustotal announced the addition of a new feature two days ago on the official company blog. The service now supports the analysis of PCAP (packet capture) files, which contain recorded network traffic. One use is to capture the network traffic of a software installation, or of a running program you want to analyze, to find out whether it makes unauthorized connections and, if so, to which servers. Previously, you were able to scan the file itself on Virustotal, but that did not necessarily tell you anything about the connections it made while it was running.
Here is one suggestion on how to make use of the new feature:
Virustotal scans the file with all of its engines as usual, and then runs the intrusion detection systems Snort and Suricata over the captured traffic. It performs a couple of operations that include:
The analysis of network traffic opens up additional possibilities with regard to Virustotal and the service it makes available. It can be used for purposes other than monitoring the traffic of a sandboxed application, such as logging the network traffic of a system on boot and shortly thereafter, or recording traces of browser exploitation.
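To show what such a capture holds before it is handed to Snort and Suricata, here is an added example that is not from the article or from Virustotal: a minimal parser for the classic pcap format that lists the TCP connection attempts (SYNs) a sandboxed program made. The capture is constructed inline from hypothetical frames; the addresses are documentation ranges, not real hosts.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic; the byte order it reads in reveals the file's endianness

def build_packet(src_ip, dst_ip, dst_port, flags=0x02):
    """Constructed Ethernet/IPv4/TCP frame with no payload (flags 0x02 = SYN)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    addrs = [bytes(map(int, a.split("."))) for a in (src_ip, dst_ip)]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, *addrs)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a pcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield the raw frames of a classic pcap file, honouring its byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("need a classic pcap file (not pcapng) with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_syn_destinations(data):
    """Count (dst_ip, dst_port) of TCP SYNs: each is one outbound connection attempt."""
    dests = Counter()
    for frame in parse_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) >= 14 and tcp[13] & 0x12 == 0x02:  # SYN set, ACK clear
            dests[(".".join(map(str, frame[30:34])), struct.unpack("!H", tcp[2:4])[0])] += 1
    return dests

# Constructed sample: an installer reaching its update host twice and an unexpected host once,
# plus one SYN-ACK coming back, which must not be counted as an outbound connection.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "203.0.113.10", 443),
    build_packet("10.0.0.5", "203.0.113.10", 443),
    build_packet("10.0.0.5", "198.51.100.77", 8080),
    build_packet("198.51.100.77", "10.0.0.5", 40000, flags=0x12),
])
```

Calling `tcp_syn_destinations(SAMPLE_PCAP)` gives the per-host attempt counts; on a real Wireshark capture the unexpected destinations are the ones worth a closer look.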
The feature is a welcome addition to the Virustotal arsenal even though it may be used almost exclusively by security researchers. (via)
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.
Install via Sandboxie, use Wireshark and have the PCAP file analyzed.
9.6 people out of 10 who know how to do this already know how to analyze the results. Welcome addition? Nope. I don’t even see security researchers getting any benefit — ohhh … other than mining your data for their profit.
Get ready for it ... probably a year away from “Google Safe Haven” – to compete with the other free security suites :)
This new facility is OK, but doesn’t help too much. If you are able to capture a file using Wireshark, it is likely that you will be able to analyse it as well, and you won’t need to send it to Virustotal for that.
The interesting part is passing that capture through Snort/Suricata, a thing that normal (and even more advanced) users don’t think of doing for themselves.