Valkyrie Verdict Cross Platform Command-Line Scanner
One of the key benefits of Valkyrie Verdict is its ability to give a trusted verdict within 45 seconds on 92% of files (after automated analysis), and 4 hours on the remaining 8% (after human analysis). Our industry leading auto-analysis consists of several static and dynamic techniques, including state-of-the-art machine learning, precise detectors and dynamic behavior signatures.
Nevertheless, it is impossible to provide 100% threat visibility using automated techniques alone as many problems in malware analysis have been shown to be undecidable [1, 2]. Many of these results are based on the fact that precisely deciding whether a given program/input satisfies a certain post-condition, for an arbitrary post-condition, is undecidable. The proofs are based on two general techniques:
* Either they build a self-contradictory program assuming the existence of a decider for the given problem, similar to [3]
* They give a reduction from a well-known undecidable problem, such as the Halting Problem, similar to [4]
The 8% of unclassified files that require further testing are then analyzed by human experts who specialize in identifying complex and zero-day malware samples. Verdicts on these files are available to our users after 4-hours according to our SLA. Valkyrie customers can be confident that 100% of threats have been correctly identified after this 4 hour period. This isn’t some wild marketing claim - it is a scientific ‘100%’ built on the candid recognition that even the most advanced automatic tests available today cannot provide the correct verdict on all files. For those that remain, human analysis is absolutely essential. Users should always beware vendors that claim total protection based on automated mechanisms alone.
Customers who also use Comodo security solutions on their network are, of course, completely safe during this four-hour period. The 8% of unknown files will be isolated in a secure virtual container which cannot access other processes, system files or user data.
But what about using this great trusted malware detection service in your infrastructure? Now with VVCLS (Valkyrie Verdict Command-Line Scanner) you can scan any file / folder in your server, get latest analysis results of unknown files located in your environment. Moreover, by integrating scanner to other applications or processes, it is possible to develop any kind of next-generation verdicting application easily. VVCLS supports same command-line interface with popular open-source malware detection tool ClamAV, so it requires short amount of time to replace it with Valkyrie Verdict.
How it Works
Valkyrie Verdict Command Line Scanner is a cross-platform command-line executable that scan and analysis files seen in endpoints using Valkyrie Verdict. It supports several command line options to run and can use different configuration values through its configuration file. There is no installation of VVCLS in Linux / Windows environments and it is ready to be used via command line just our-of-box.
Supported Command-Line Options
VVCLS supports following options from command-line:
| Option | Shortcut | Details | Support Platforms |
|---|---|---|---|
| --help | -h | Print this help screen | Linux, Windows |
| --version | -V | Print version number | Linux, Windows |
| --verbose | -v | Be verbose | Linux, Windows |
| --quiet | Only output error messages | Linux, Windows | |
| --stdout | Write to stdout instead of stderr | Linux, Windows | |
| --infected | -i | Only print infected files | Linux, Windows |
| --suppress-ok-results | -o | Skip printing OK (Safe) files | Linux, Windows |
| --no-summary | Do not display summary at the end of scanning | Linux, Windows | |
| --log=FILE | -l FILE | Save scan report to FILE | Linux, Windows |
| --recursive[=yes/no(*)] | -r | Scan sub-directories recursively | Linux, Windows |
| --file-list=FILE | -f FILE | Scan files from FILE which includes files' full paths | Linux, Windows |
| --file-hash-list=FILE | -H HASH_LIST_FILE | Scan files from FILE which includes a hash list | Linux, Windows |
| --remove[=yes/no(*)] | Remove infected files. | Linux, Windows | |
| --move=DIRECTORY | Move infected files into DIRECTORY | Linux, Windows | |
| --copy=DIRECTORY | Copy infected files into DIRECTORY | Linux, Windows | |
| --tempdir=DIRECTORY | Create temporary files in DIRECTORY default DIRECTORY = /tmp/vvclsTemp | Linux, Windows | |
| --leave-temps=[=yes/no(*)] | Do not remove temporary files | Linux, Windows | |
| --include=REGEX | Only scan file names matching REGEX | Linux, Windows | |
| --include-dir=REGEX | Only scan directories matching REGEX | Linux, Windows | |
| --exclude=REGEX | Don't scan file names matching REGEX | Linux, Windows | |
| --exclude-dir=REGEX | Don't scan directories matching REGEX | Linux, Windows | |
| --apikey APIKEY | Valkyrie Verdict API Key | Linux, Windows | |
| DIRECTORY | Scan directory | Linux, Windows | |
| --scan-archive[=yes(*)/no] | Scan archive files (supported by vvcls) | Linux, Windows | |
| --max-filesize | Maximum file size to scan in Kilobytes | Linux, Windows | |
| --max-files | The maximum number of files to scan for each container file (**) | Linux, Windows | |
| --max-recursion | Maximum archive recursion level for container file (**) | Linux, Windows | |
| --update | -u | Check previously Unknown files analysis results | Linux, Windows |
| --no-upload | -n | Do not upload unknown files for analysis | Linux, Windows |
| --cloud-scan-disabled | Disables cloud scan. | Linux, Windows |
(*) Default scan settings (**) Certain files (e.g. documents, archives, etc.) may in turn contain other files inside. The above options ensure safe processing of this kind of data.
File Verdicts
Command-line scanner prints following file querying and analysis results to console and log file with following format (space separated):
VVCLS [Log Level] File-path File-SHA1 Verdict
Possible Verdicts
| Verdict | Explanation |
| MALWARE | File is malware |
| CLEAN | File is Clean (Safe to execute) |
| PUA | File is Potentially Unwanted Application |
| NOT-SUPPORTED | File format is not supported by Valkyrie Verdict |
| UNKNOWN (In Analysis) | File verdict is still Unknown and analysis is in progress |
| UNKNOWN | File verdict is Unknown and no analysis is being performed |
| REQUEST-LIMIT-REACHED | Your request limit for this API Key is reached in Valkyrie Verdict |
Examples
Show Usage
In order to print usage of command line scanner execute following command:
./vvcls -h
You should see following help output:
usage: tool [-h] --apikey APIKEY [-d DIRECTORY] [-f FILELIST] [-H FILEHASHLIST] [--move DIRECTORY | --copy
DIRECTORY | --remove]
[--cloud-scan-disabled] [-l FILE] [-v] [-r]
[-i] [-o] [-n] [-u] [-V] [--quiet] [--stdout]
[--no-summary] [--tempdir TEMPDIR]
[--leave-temps LEAVE_TEMPS] [--include REGEX] [--include-dir REGEX]
[--exclude REGEX] [--exclude-dir REGEX] [--detect-pua STRING] [--scan-archive SCAN_ARCHIVE] [--max-filesize
INTEGER] [--max-files INTEGER]
[--max-recursion INTEGER] [file]
positional arguments:
file Input file
optional arguments:
-h, --help show this help message and exit
DIRECTORY Scan directory
-f FILELIST, --file-list FILELIST Scan files from FILE which includes files' full paths
-H FILEHASHLIST, --file-hash-list FILEHASHLIST Scan files from FILE which includes a hash list
--move DIRECTORY Move infected files into DIRECTORY (full path)
--copy DIRECTORY Copy infected files into DIRECTORY (full path)
--remove Remove infected files. Be careful!
--apikey APIKEY Api Key to be used by Valkyrie Verdict to authorize client to backend system
-l FILE, --log FILE Save scan report to FILE (full path)
--verbose Enable console prints
-r, --recursive Scan recursively
-i, --infected Only print / log infected files
-o, --suppress-ok-results Skip printing OK files
-n, --no-upload Do not upload unknown files for analysis
-u, --update Check previously uploaded files analysis results and update verdicts in scan report log
file
-V, --version show program's version number and exit
--quiet Only output error messages
--stdout Write to stdout instead of stderr
--cloud-scan-disabled Cloud scan will be disabled, i.e. files will not be queried from Valkyrie Verdict
--no-summary Do not display summary at the end of scanning
--tempdir TEMPDIR Create temporary files in DIRECTORY.
--leave-temps LEAVE_TEMPS Temporary files state will be confirm trough users choice
--include REGEX Only scan file matching regular expression
--include-dir REGEX Only scan directory matching regular expression
--exclude REGEX Don't scan file names matching REGEX
--exclude-dir REGEX Don't scan directories matching REGEX
--detect-pua STRING Detect Potentially Unwanted Applications
--scan-archive SCAN_ARCHIVE Scan archives . If you turn off this option, the original files will still be
scanned, but without unpacking and additional processing.
--max-filesize INTEGER Extract and scan at most #n kilobytes from each archive,You may pass the value in
megabytes in format xM or xm, where x is a number
--max-files INTEGER Extract at most #n files from each scanned file (when this is an archive, a document or
another kind of container).
--max-recursion INTEGER Set archive recursion level limit. This option protects your system against DoS attacks (default: 5)
Scanning a Directory
In order to scan a directory and it’s all subdirectories execute following command (provide your Valkyrie Verdict API Key and any custom log file):
./vvcls <directory-to-scan>
Command-line scanner start scanning each file in given directory, log known Safe, Malware and PUA files. For unknown files, command-line scanner says Unknown as verdict and upload files to Valkyrie Verdict backend. You should see an output like following:
/home/valkyrie-verdict/test/ad9237fc41f32d0af8d60f21d2725e819cc3436a: MALWARE
/home/valkyrie-verdict/test/a38b2994ecdf7e215fe2e9c2c5d9822c42130d2c (24): MALWARE
/home/valkyrie-verdict/test/75806e5e2c70ef822325735cacbdb82396e81c75: MALWARE
/home/valkyrie-verdict/test/5be75b84d890e726107fbe8a010db3068c61d5a8: MALWARE
/home/valkyrie-verdict/test/9c022c27497902222ed782d5b43ba55a246ee152: MALWARE
----------- SCAN SUMMARY -----------
Known viruses: 298468652
Engine version: 1.3.0
Scanned directories: 1
Scanned files: 5
Infected files: 5
Data scanned: 2.7630000000000003 MB
Time: 10.75 sec
Scanning Single File
In order to scan a single file, execute following command (provide your Valkyrie Verdict API Key):
./vvcls FILE_PATH
SHA-256: f9ff064c8e9e49cc92b05c3117e795c15bf38bc1cfbe65ff2ab5b38e25cb702a
Download Verdict Linux CLS
Download v1.3.0SHA-256: b45a275a900ad993c949c240a765fa47d1bb952f818b6f33f44e5f7c968287a2
[1] Ali A. Selçuk, Fatih Orhan, Berker Batur, "Undecidable Problems in Malware Analysis", 12th International Conference for Internet Technology and Secured Transactions (ICITST), 2017.
Online version: https://comodemia.comodo.com/Undecidable_Problems_in_Malware_Analysis.pdf
[2] David Evans, "On the Impossibility of Virus Detection", 2017.
Online version: https://enterprise.comodo.com/whitepaper/Impossibility_of_Virus_Detection_WP.pdf
[3] Fred Cohen, “Computer viruses: theory and experiments”, Computers and Security, 6(1):22-35, 1987
[4] Fred Cohen, “Computational aspects of computer viruses”, Computers and Security, 8(4):325-344, 1989.