Virus Hunting: Use VirusTotal More Flexibly via Command Line
Batch scans of multiple suspicious files and tailored malware research for incident response: With the free tool vt-cli, VirusTotal follows your command.
(Image: Lee Charlie/Shutterstock.com)
Google's online service VirusTotal (VT) is probably the most popular go-to for malware scans by private users and professionals alike. Via the web interface, individual files or suspicious URLs can be submitted with just a few clicks. VT examines them with scan engines from multiple providers, performs dynamic and static analyses, and bundles all information into a detailed report.
Beyond such simple use cases, however, the web interface quickly reaches its limits: for example, when an acute malware infection calls for scanning the contents of an entire folder, not just a single file, as quickly as possible, or when, while working through a compromise, you want to know whether suspicious IP addresses from your log files have already turned up in earlier VT analyses.
The "VirusTotal Command-Line Interface", or vt-cli for short, spares you time-consuming individual uploads and search queries in such situations. The command-line helper decouples VirusTotal's functions from the web interface by talking directly to the underlying API. This lets you use VT's familiar scan and search functions via simple terminal commands and tailor the output to your needs. One thing does not change on the command line: every file you submit is shared with VirusTotal's partner community, so batch uploads of internal documents or proprietary binaries deserve the same second thought as a manual upload would.
This article explains how to perform quick batch scans with the free tool available for Linux, Windows, and macOS, filter results, and specifically search the VT platform for relevant threat information. It also provides an initial impression of how developers can use vt-cli to script VirusTotal queries without having to deal with the intricacies of the programming interface.
Download and setup
vt-cli is an official VirusTotal project whose source code is hosted on GitHub. The quickest way to get it running on your own system is to use the pre-compiled binaries. At the time of this article's publication, these are available for download in version 1.2.0.
No installation is necessary: after extracting the standalone "vt" application, simply copy it to the desired directory and run vt init once. The command prompts for your VirusTotal API key (shown on your account's profile page) and stores it in a configuration file in your home directory, so treat that file like any other credential. With a free account the key is subject to the public API's rate limits, which batch jobs hit quickly; the daily and per-minute quotas are listed in the VirusTotal documentation. In our test run with Windows 11 and a fresh installation of the Debian-based Kali Linux in VirtualBox, this worked without problems each time. Those who prefer to compile the Go project themselves can follow the short instructions in the README.md.
The vt-cli documentation contains usage examples that combine the provided VirusTotal functions with standard Unix tools such as cat and grep. To use these examples unchanged under Windows, the vt-cli developers recommend additionally installing the free Cygwin runtime environment. The Cygwin terminal understands Unix commands and, according to the vt-cli team, also outputs large amounts of text faster than the standard Windows console.
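With vt initialized, the two scenarios from the introduction (checking log-file IP addresses against VT and scanning a whole folder) can be wrapped in a short shell script. The following is an added example written for this article, not code from the vt-cli project or its documentation. It assumes that vt init has already stored an API key and that `vt ip -` reads one address per line from stdin in the same way the README documents for `vt file -` and `vt scan file -`; the `--include` flag is the one the README uses to trim reports to selected fields. The log lines in sample_log are constructed for the example, not captured traffic.

```shell
#!/bin/sh
# Added example for this article, not code from vt-cli or its README.
# Assumptions: `vt init` has stored an API key; `vt ip -` reads addresses
# from stdin as the README shows for `vt file -`.

# Constructed sample log lines (not real traffic) for trying the filter offline.
sample_log() {
    cat <<'EOF'
Jan 12 03:14:07 gw sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan 12 03:14:09 gw sshd[2211]: Failed password for root from 203.0.113.45 port 51030 ssh2
Jan 12 03:15:41 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=445
Jan 12 03:16:02 gw app[991]: callback to 10.0.0.5 ok, resolver 8.8.8.8, build 1.2.3.4000
EOF
}

# Print each public IPv4 address found in the given files (or stdin) exactly once.
# Private, loopback, link-local and "this network" ranges are dropped so the API
# quota is not spent on addresses VirusTotal can say nothing useful about; the
# awk step rejects look-alikes such as 1.2.3.400 whose octets exceed 255.
extract_public_ips() {
    grep -Eoh '([0-9]{1,3}\.){3}[0-9]{1,3}' "$@" \
      | sort -u \
      | grep -Ev '^(0\.|10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' \
      | awk -F. '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256'
}

# Look up every public address from the given log files in a single vt call.
# --include limits each report to the detection summary instead of the full object.
lookup_ips() {
    extract_public_ips "$@" | vt ip - --include=last_analysis_stats
}

# Submit every regular file below a directory in one call, feeding the path list
# to vt the way the README does for a prepared list of files. Paths are passed
# one per line, so file names containing a newline are not supported.
scan_dir() {
    find "$1" -type f | vt scan file -
}

# Stand-alone usage:  sh vt-batch.sh ips auth.log kern.log
#                     sh vt-batch.sh scan /tmp/quarantine
# With no arguments the script only defines the functions above.
if [ $# -gt 0 ]; then
    mode=$1
    shift
    case $mode in
        ips)  lookup_ips "$@" ;;
        scan) scan_dir "$1" ;;
        *)    echo "usage: $0 ips LOG... | scan DIR" >&2; exit 2 ;;
    esac
fi
```

Running `sample_log | extract_public_ips` offline yields only 198.51.100.7, 203.0.113.45 and 8.8.8.8: the two RFC 1918 addresses and the bogus 1.2.3.400 never reach the API, and the repeated SSH source is looked up once. vt scan file prints one analysis ID per submitted file; the finished reports are fetched afterwards with vt analysis and that ID.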