Check virustotal-scan-url¶
Overview¶
Submits a URL to VirusTotal for analysis and checks the scan results. Alerts when any antivirus engine flags the URL as malicious or suspicious. Useful for periodically scanning critical URLs against 90+ security vendors.
Important Notes:
Requires a VirusTotal account and API key
Takes at least 60 seconds to execute due to the built-in wait for analysis completion
See the VirusTotal documentation on any constraints and restrictions, especially for commercial use (Premium API may be required for business workflows)
Data Collection:
Submits the URL to the VirusTotal v3 API (
POST /urls)Waits 60 seconds for the analysis to complete
Retrieves the full analysis report via the VirusTotal Analysis endpoint (
GET /analyses/{id})Reports per-engine results for any detection that is not „harmless“ or „undetected“
Fact Sheet¶
Fact |
Value |
|---|---|
Check Plugin Download |
https://github.com/Linuxfabrik/monitoring-plugins/tree/main/check-plugins/virustotal-scan-url |
Nagios/Icinga Check Name |
|
Check Interval Recommendation |
Every hour |
Can be called without parameters |
No ( |
Runs on |
Cross-platform |
Compiled for Windows |
No |
Requirements |
VirusTotal account and API key; Premium API if used in commercial products/services |
Help¶
usage: virustotal-scan-url [-h] [-V] [--always-ok] [--insecure] [--no-proxy]
[--severity {warn,crit}] [--test TEST]
[--timeout TIMEOUT] --token TOKEN --url URL
Submits a URL to VirusTotal for analysis and checks the scan results. Alerts
when any antivirus engine flags the URL as malicious or suspicious. Requires a
VirusTotal API key.
options:
-h, --help show this help message and exit
-V, --version show program's version number and exit
--always-ok Always returns OK.
--insecure This option explicitly allows insecure SSL
connections.
--no-proxy Do not use a proxy.
--severity {warn,crit}
Severity for alerting. Default: warn
--test TEST For unit tests. Needs "path-to-stdout-file,path-to-
stderr-file,expected-retc".
--timeout TIMEOUT Network timeout in seconds. Default: 8 (seconds)
--token TOKEN VirusTotal API token.
--url URL URL to submit for scanning.
Usage Examples¶
./virustotal-scan-url --token=b480bd43 --url=https://secure.eicar.org/eicar.com
Output:
9/97 security vendors flagged https://secure.eicar.org/eicar.com as malicious.
Engine ! Result ! Method ! Category
------------+------------+-----------+--------------------
Antiy-AVL ! malicious ! blacklist ! malicious [WARNING]
AutoShun ! malicious ! blacklist ! malicious [WARNING]
BitDefender ! malware ! blacklist ! malicious [WARNING]
CRDF ! malicious ! blacklist ! malicious [WARNING]
Fortinet ! malware ! blacklist ! malicious [WARNING]
G-Data ! malware ! blacklist ! malicious [WARNING]
Lionic ! malware ! blacklist ! malicious [WARNING]
Sophos ! malware ! blacklist ! malicious [WARNING]
URLQuery ! suspicious ! blacklist ! suspicious
VIPRE ! malware ! blacklist ! malicious [WARNING]
States¶
OK if no scan engine categorizes the URL as malicious.
WARN (or CRIT, depending on
--severity) if any scan engine categorizes the URL as „malicious“.UNKNOWN if the analysis is still queued or in progress.
--always-oksuppresses all alerts and always returns OK.
Perfdata / Metrics¶
According to https://docs.virustotal.com/reference/analyses-object:
Name |
Type |
Description |
|---|---|---|
harmless |
Number |
Number of reports saying the URL is harmless. |
malicious |
Number |
Number of reports saying the URL is malicious. |
suspicious |
Number |
Number of reports saying the URL is suspicious. |
timeout |
Number |
Number of timeouts when analysing this URL. |
undetected |
Number |
Number of reports saying the URL is undetected. |
vendors |
Number |
Total number of scan vendors used. |
Credits, License¶
Authors: Linuxfabrik GmbH, Zurich
License: The Unlicense, see LICENSE file.