
Using Virustotal.com API with PHP (cURL)

Posted August 26th, 2010 in php, Snippets by ov3rk1ll

Since I needed to scan files on my server for viruses automatically, I wanted to use the Virustotal.com API.
But the API documentation didn't have any examples in PHP, so I thought I'd post my way, in case anyone needs the same thing.

First I have 2 functions. One for uploading the file to virustotal. The other to get the result and parse it for the output.

virustotal_upload needs the path of the file to scan.
It uploads the file and returns the decoded JSON response, which contains the ID of the report.

```php
function virustotal_upload($path){
    //$config holds the API key and must be defined by the calling script
    global $config;
    $ch = curl_init();
    //Set HTTP Version to 1.0 as stated in the API documentation
    curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
    curl_setopt($ch, CURLOPT_VERBOSE, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_URL, 'https://www.virustotal.com/api/scan_file.json');
    //verify the certificate and host name so the API key and the file
    //are only ever sent to the real virustotal.com
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

    $post_array = array(
        //CURLFile (PHP 5.5+) replaces the old "@".$path upload syntax
        "file" => new CURLFile($path),
        //you can get the key after signing up at virustotal.com
        "key" => $config['VIRUSTOTAL_API']
    );

    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_array);
    $response = curl_exec($ch);
    curl_close($ch);
    //curl_exec returns false if the request failed
    if($response === false){
        return null;
    }
    return json_decode($response,true);
}
```

virustotal_parse takes the scan ID (hash) returned by the upload, fetches the JSON report for it and parses it into an output string.

```php
function virustotal_parse($hash){
    //$config holds the API key and must be defined by the calling script
    global $config;
    //remove the timestamp from the hash (keep the whole value if there is no "-")
    $pos = strpos($hash,"-");
    $cut_hash = ($pos === false) ? $hash : substr($hash,0,$pos);
    $ch = curl_init();
    //Set HTTP Version to 1.0 as stated in the API documentation
    curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
    curl_setopt($ch, CURLOPT_VERBOSE, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_URL, 'https://www.virustotal.com/api/get_file_report.json');
    //verify the certificate and host name so the API key is only sent
    //to the real virustotal.com
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

    $post_array = array(
        "resource" => $cut_hash,
        "key" => $config['VIRUSTOTAL_API']
    );
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_array);
    $response = curl_exec($ch);
    curl_close($ch);

    //json_decode gives null if the request failed or the body is not JSON
    $json = json_decode((string)$response,true);

    $s = "";
    //if it's not done scanning (or there is no usable answer), tell the user
    if(!isset($json['result']) || $json['result']!=1){
        $s.= "Scanning...";
    }else{
        //if done scanning, count how many scanners found a virus
        //(You can do anything else with the data you get)
        $antivir = $json['report'][1];
        $c = 0;
        foreach($antivir as $item){
            if($item!=""){
                $c++;
            }
        }
        $s.= $c."/".count($antivir);
    }
    //create a link to the report and return it
    return('Virustotal: '.$s.'');
}
```

How to use:
This example code handles a file upload to your server and sends the file to virustotal.

```php
if(isset($_FILES['file']) && $_FILES['file']['size'] > 0){ //new file
    //strip directory parts from the client-supplied name so it cannot
    //point outside the temp/ and file/ folders
    $local_name = basename($_FILES['file']['name']);
    $type = $_FILES['file']['type'];
    //the temp path should have the real filename (so the name shows up in the scan)
    $temp_path = 'temp/'.$local_name;
    //you may put a function here to rename the file on the server
    $new_path = 'file/'.$local_name;
    //upload the file to the temp folder; only continue if that worked
    if(move_uploaded_file($_FILES['file']['tmp_name'],$temp_path)){
        //upload the file to virustotal
        $obj = virustotal_upload($temp_path);
        //the scanID to store in a database along with other information about the file
        $scanID = $obj['scan_id'];
        //move the file from temp to final file-folder
        rename($temp_path,$new_path);

        //do other stuff
    }
}
```
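
One way to write the renaming function that the comment in the upload handler leaves open, as an added example that is not part of the original post: the client-supplied name is reduced to a harmless display name, and the file is stored under a random name with an allowlisted extension. The function names, the allowlist and the sample names are assumptions made for this illustration.

```php
<?php
// Added example, not from the original post. upload_display_name(),
// upload_storage_name(), the allowlist and the samples are hypothetical.

// Name that is safe to show and to use under temp/: no directory parts,
// only [A-Za-z0-9._-], no leading dot, bounded length.
function upload_display_name($client_name){
    // treat backslashes as separators too, so Windows-style paths are stripped
    $name = basename(str_replace('\\', '/', $client_name));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');            // no hidden files such as .htaccess
    return $name === '' ? 'upload.bin' : substr($name, 0, 100);
}

// Name used for permanent storage in file/: random, so the client controls
// nothing but the extension, and the extension must be on the allowlist.
// Returns null when the upload should be rejected.
function upload_storage_name($client_name, array $allowed_ext){
    $display = upload_display_name($client_name);
    $ext = strtolower(pathinfo($display, PATHINFO_EXTENSION));
    if(!in_array($ext, $allowed_ext, true)){
        return null;
    }
    // only the last extension survives, so "photo.php.jpg" becomes "<random>.jpg"
    return bin2hex(random_bytes(16)).'.'.$ext;
}

// Constructed sample names, including ones a hostile client might send
$allowed = array('zip', 'pdf', 'png', 'jpg');
$samples = array(
    'report.pdf',
    '../../index.php',
    'photo.php.jpg',
    '..\\..\\x.zip',
    '.htaccess',
);
foreach($samples as $n){
    $stored = upload_storage_name($n, $allowed);
    printf("%-18s display=%-15s stored=%s\n",
        $n,
        upload_display_name($n),
        $stored === null ? 'REJECTED' : $stored);
}
```

In the handler, `$new_path` would be built from `upload_storage_name()` and the upload refused when it returns null. `CURLFile` also accepts the posted file name as its third constructor argument, so the display name can be sent to the scanner without the temp file on disk carrying it.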

For the output you just use virustotal_parse with the $scanID as parameter, e.g.:

```php
echo(virustotal_parse($scanID));
```

I hope this helps anyone who needs this functionality for a page.

3 Responses so far.

  1. Dark Prince says:

    Good work keep going !!

  2. John says:

    Hi. Does this method still work?
