PowerShell Anti-Virus with VirusTotal API

tl;dr We use PowerShell to continuously monitor executed .exe files, get each file's location and pass it to the VirusTotal API to get a virus report. An if/else statement then decides whether to alert our “Security Team” and remove the file from Windows. The advantage of this script is that it lets the user check against the vast amount of data in the VirusTotal database in an automated fashion. Make sure you change the variables in the Readme for PowerAV.ps1.

PowerAV is a PowerShell script designed to monitor your system processes and send hash data to the VirusTotal cloud for analysis. This information can be very valuable for your SOC (Security Operations Center); the idea is to convert this PowerShell script into a thin client that runs as a background process and checks processes as they are started. The script trips an email alert once malware is executed; see below for a screenshot of what a typical alert might look like.

Screenshot: email alert sent from PowerAV

PowerShell — PowerAV.ps1

The PowerShell script is made of three major sections.

1. Get-VirusTotalReport: querying the VirusTotal service from PowerShell (screenshot: Get-VirusTotalReport from Microsoft)

2. Setting PowerShell variables

3. Execute the alert
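A compact version of the flow the three sections describe, as an added example and not the PowerAV.ps1 code: it subscribes to process starts, hashes the image, queries VirusTotal (API v3) and takes the if/else decision between "alert and remove" and "log as clean". The API key, SMTP host and mail addresses are placeholders; a hash VirusTotal has never seen is reported as unknown rather than clean, and a public API key is rate-limited, so a busy host will exhaust the quota.

```powershell
# Added example, not the PowerAV.ps1 code. Requires an elevated session (Win32_ProcessStartTrace).
# Placeholders (assumptions): API key, SMTP host, sender and "Security Team" address.
$VtApiKey  = 'REPLACE_WITH_VIRUSTOTAL_API_KEY'
$SmtpHost  = 'smtp.example.com'
$AlertFrom = 'powerav@example.com'
$AlertTo   = 'security-team@example.com'
$Threshold = 3   # engines reporting "malicious" before we alert and remove
function Get-VirusTotalReport {
    # Look up a SHA256 in VirusTotal (API v3). Returns the last_analysis_stats object,
    # or $null when the hash has never been seen (HTTP 404), which is "unknown", not "clean".
    param([Parameter(Mandatory)][string]$Sha256)
    try {
        $r = Invoke-RestMethod -Method Get -Uri "https://www.virustotal.com/api/v3/files/$Sha256" `
                               -Headers @{ 'x-apikey' = $VtApiKey }
        return $r.data.attributes.last_analysis_stats
    } catch {
        if ($_.Exception.Response.StatusCode -eq 404) { return $null }
        throw   # quota exceeded, bad key, network error: surface it rather than fail open
    }
}
function Invoke-PowerAvCheck {
    # Hash the started image, query VirusTotal and take the if/else decision from the article.
    param([Parameter(Mandatory)][string]$Path, [int]$ProcessId)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $stats = Get-VirusTotalReport -Sha256 $hash
    if ($null -eq $stats) { Write-Host "[unknown] $Path ($hash) not in VirusTotal"; return }
    if ($stats.malicious -ge $Threshold) {
        $body = "Malicious process started`nPath: $Path`nSHA256: $hash`nEngines flagging: $($stats.malicious)"
        Send-MailMessage -SmtpServer $SmtpHost -From $AlertFrom -To $AlertTo -Subject 'PowerAV alert' -Body $body
        if ($ProcessId) { Stop-Process -Id $ProcessId -Force -ErrorAction SilentlyContinue }
        Remove-Item -LiteralPath $Path -Force
        Write-Host "[removed] $Path"
    } else {
        Write-Host "[clean] $Path ($($stats.malicious) malicious / $($stats.undetected) undetected)"
    }
}
# Subscribe to process-start events and handle them in the script scope.
Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace -SourceIdentifier PowerAV
try {
    while ($true) {
        $evt    = Wait-Event -SourceIdentifier PowerAV
        $newPid = $evt.SourceEventArgs.NewEvent.ProcessID
        Remove-Event -EventIdentifier $evt.EventIdentifier
        $p = Get-Process -Id $newPid -ErrorAction SilentlyContinue   # may already have exited
        if ($p -and $p.Path -like '*.exe') { Invoke-PowerAvCheck -Path $p.Path -ProcessId $p.Id }
    }
} finally { Unregister-Event -SourceIdentifier PowerAV }
```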

Limitations

As of right now the PowerShell script only monitors .exe files; in the next version of PowerAV we would like to expand this to .dll, .doc, .ps1 and other file formats. We would also like to send the information captured by PowerAV to a remote web application, so that a SOC analyst can log in and see a graphical representation of the historical data. The last feature we will add to PowerAV is a “file quarantine” option for when the script detects a malicious file. Unfortunately, you cannot use this PowerShell script in a corporate environment or to replace/harm the anti-virus industry; this is due to the Terms of Use of the VirusTotal API. This PowerShell script is strictly for educational purposes only, and we cannot tell you how to use it 😜

Conclusion

Using PowerAV is huge when it comes to detecting malicious files on Windows hosts. This just scratches the surface of using PowerShell as a Blue Team tactic for monitoring users and system processes. More prominent is the ability to send information in a lightweight format to the VirusTotal cloud. We would like to see more PowerShell scripts that integrate with vulnerability research teams such as Talos, VirusTotal, FireEye, Unit 42, etc. Let me know your thoughts in the comments below.
