Setting up a VirusTotal Connection

Verify Privilege Manager can perform real-time reputation checks for any unknown applications by integrating with analysis tools like VirusTotal. This article shows how to set up the integration between Verify Privilege Manager and VirusTotal and then create a monitoring policy in Verify Privilege Manager for reputation checking.

VirusTotal API Key

As a first step, the VirusTotal Ratings Provider has to be configured. To do this:

  1. Sign up for a free VirusTotal account at https://www.virustotal.com/.
  2. Sign in to VirusTotal and find your API key under your Username | Settings | API Key.

Install VirusTotal

As a second step, VirusTotal needs to be installed in Verify Privilege Manager.

You need outbound access on your server for that installation.

  1. Open a browser on your Verify Privilege Manager Web Server.

  2. Browse to https://YourInstanceName/TMS/Setup/.

  3. On the Currently Installed Products screen, choose Install/Upgrade Products.

  4. Check the IBM Security VirusTotal Reputation Connector, then click Install. Accept the End User License Agreement. You will see your Installation Progress.

    Note: If the installation of VirusTotal initially fails, return to https://YourInstanceName/TMS/Setup/ and click the Repair button next to the VirusTotal Product.

  5. Navigate to Thycotic Verify Privilege Manager | Admin | Configuration | Reputation tab.

  6. Select VirusTotal Rating Provider from the Select Rating Provider drop-down menu.

    Select Rating Provider: VirusTotal Rating Provider

  7. Enter the VirusTotal API Key, then click Update.

  8. Enter information under Details and specify settings for Suspect and Bad classifications.

  9. Click Save Changes.

VirusTotal can be used without an API Key. If the free version is used, reputation checks are limited to 4 per minute. IBM Security does not recommend this for a production environment.
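
To confirm the two prerequisites above (outbound access from the server and a working API key) before building policies, the following PowerShell pre-flight check can be run on the Verify Privilege Manager web server. It is an added example, not part of the product or of the connector. It assumes VirusTotal's public API v3 and uses the SHA-256 of the EICAR test file as a sample hash; the variable names are illustrative.

```powershell
# Added pre-flight check (not product code). Only a hash lookup is sent; no file is uploaded.
# Assumptions: VirusTotal public API v3; direct outbound HTTPS (Test-NetConnection ignores proxies).
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$vtHost     = 'www.virustotal.com'
# SHA-256 of the EICAR antivirus test file, a harmless sample VirusTotal already knows.
$sampleHash = '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'

# 1. Outbound TCP 443 from this server to VirusTotal.
$tcp = Test-NetConnection -ComputerName $vtHost -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Error "No outbound TCP 443 to $vtHost. Check firewall or proxy rules."
}

# 2. Prompt for the key so it does not land in command history or a script file.
$secure = Read-Host -Prompt 'VirusTotal API key' -AsSecureString
$apiKey = [System.Net.NetworkCredential]::new('', $secure).Password

# 3. One hash lookup: proves the key is accepted and shows the per-engine verdict counts.
try {
    $report = Invoke-RestMethod -Method Get `
        -Uri "https://$vtHost/api/v3/files/$sampleHash" `
        -Headers @{ 'x-apikey' = $apiKey }
    $stats = $report.data.attributes.last_analysis_stats
    "API key accepted. malicious=$($stats.malicious) suspicious=$($stats.suspicious)"
}
catch {
    # Response is null on DNS/TLS failures, which casts to status 0.
    $status = [int]$_.Exception.Response.StatusCode
    switch ($status) {
        401     { Write-Warning 'Key rejected (HTTP 401). Re-copy it from your VirusTotal profile.' }
        429     { Write-Warning 'Quota exceeded (HTTP 429). The key has hit its request limit.' }
        default { Write-Warning "Lookup failed (HTTP $status): $($_.Exception.Message)" }
    }
}
finally {
    $apiKey = $null   # drop the plaintext copy of the key
}
```

An HTTP 429 response here means the key is valid but its request quota is exhausted, which is the same limit that will throttle reputation checks once the policy is active.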

For the implementation example below, we are creating two filters, using one default filter, and creating a policy. One filter is the standard Security Rating Filter; the other filter ensures that we only send applications to VirusTotal for a reputation check if they are in the user's Downloads and Temp directories.

For further details about creating a Security Rating Filter and the other filters needed to work with reputation checking policies, refer to the Reputation Checking topic.