Valkyrie Verdict Cross Platform Command-Line Scanner

One of the key benefits of Valkyrie Verdict is its ability to give a trusted verdict within 45 seconds on 92% of files (after automated analysis), and 4 hours on the remaining 8% (after human analysis). Our industry leading auto-analysis consists of several static and dynamic techniques, including state-of-the-art machine learning, precise detectors and dynamic behavior signatures.

Nevertheless, it is impossible to provide 100% threat visibility using automated techniques alone as many problems in malware analysis have been shown to be undecidable [1, 2]. Many of these results are based on the fact that precisely deciding whether a given program/input satisfies a certain post-condition, for an arbitrary post-condition, is undecidable. The proofs are based on two general techniques:

* Either they build a self-contradictory program assuming the existence of a decider for the given problem, similar to [3]

* They give a reduction from a well-known undecidable problem, such as the Halting Problem, similar to [4]

The 8% of unclassified files that require further testing are then analyzed by human experts who specialize in identifying complex and zero-day malware samples. Verdicts on these files are available to our users after 4-hours according to our SLA. Valkyrie customers can be confident that 100% of threats have been correctly identified after this 4 hour period. This isn’t some wild marketing claim - it is a scientific ‘100%’ built on the candid recognition that even the most advanced automatic tests available today cannot provide the correct verdict on all files. For those that remain, human analysis is absolutely essential. Users should always beware vendors that claim total protection based on automated mechanisms alone.

Customers who also use Comodo security solutions on their network are, of course, completely safe during this four-hour period. The 8% of unknown files will be isolated in a secure virtual container which cannot access other processes, system files or user data.

But what about using this great trusted malware detection service in your infrastructure? Now with VVCLS (Valkyrie Verdict Command-Line Scanner) you can scan any file / folder in your server, get latest analysis results of unknown files located in your environment. Moreover, by integrating scanner to other applications or processes, it is possible to develop any kind of next-generation verdicting application easily. VVCLS supports same command-line interface with popular open-source malware detection tool ClamAV, so it requires short amount of time to replace it with Valkyrie Verdict.

How it Works

Valkyrie Verdict Command Line Scanner is a cross-platform command-line executable that scan and analysis files seen in endpoints using Valkyrie Verdict. It supports several command line options to run and can use different configuration values through its configuration file. There is no installation of VVCLS in Linux / Windows environments and it is ready to be used via command line just our-of-box.

Supported Command-Line Options

VVCLS supports following options from command-line:

Option Shortcut Details Support Platforms
--help -h Print this help screen Linux, Windows
--version -V Print version number Linux, Windows
--verbose -v Be verbose Linux, Windows
--quiet Only output error messages Linux, Windows
--stdout Write to stdout instead of stderr Linux, Windows
--infected -i Only print infected files Linux, Windows
--suppress-ok-results -o Skip printing OK (Safe) files Linux, Windows
--no-summary Do not display summary at the end of scanning Linux, Windows
--log=FILE -l FILE Save scan report to FILE Linux, Windows
--recursive[=yes/no(*)] -r Scan sub-directories recursively Linux, Windows
--file-list=FILE -f FILE Scan files from FILE which includes files' full paths Linux, Windows
--file-hash-list=FILE -H HASH_LIST_FILE Scan files from FILE which includes a hash list Linux, Windows
--remove[=yes/no(*)] Remove infected files. Linux, Windows
--move=DIRECTORY Move infected files into DIRECTORY Linux, Windows
--copy=DIRECTORY Copy infected files into DIRECTORY Linux, Windows
--tempdir=DIRECTORY Create temporary files in DIRECTORY default DIRECTORY = /tmp/vvclsTemp Linux, Windows
--leave-temps=[=yes/no(*)] Do not remove temporary files Linux, Windows
--include=REGEX Only scan file names matching REGEX Linux, Windows
--include-dir=REGEX Only scan directories matching REGEX Linux, Windows
--exclude=REGEX Don't scan file names matching REGEX Linux, Windows
--exclude-dir=REGEX Don't scan directories matching REGEX Linux, Windows
--apikey APIKEY Valkyrie Verdict API Key Linux, Windows
DIRECTORY Scan directory Linux, Windows
--scan-archive[=yes(*)/no] Scan archive files (supported by vvcls) Linux, Windows
--max-filesize Maximum file size to scan in Kilobytes Linux, Windows
--max-files The maximum number of files to scan for each container file (**) Linux, Windows
--max-recursion Maximum archive recursion level for container file (**) Linux, Windows
--update -u Check previously Unknown files analysis results Linux, Windows
--no-upload -n Do not upload unknown files for analysis Linux, Windows
--cloud-scan-disabled Disables cloud scan. Linux, Windows

(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other files inside. The above options ensure safe processing of this kind of data.

File Verdicts

Command-line scanner prints following file querying and analysis results to console and log file with following format (space separated):

VVCLS [Log Level] File-path File-SHA1 Verdict

Possible Verdicts
Verdict Explanation
MALWARE File is malware
CLEAN File is Clean (Safe to execute)
PUA File is Potentially Unwanted Application
NOT-SUPPORTED File format is not supported by Valkyrie Verdict
UNKNOWN (In Analysis) File verdict is still Unknown and analysis is in progress
UNKNOWN File verdict is Unknown and no analysis is being performed
REQUEST-LIMIT-REACHED Your request limit for this API Key is reached in Valkyrie Verdict


Show Usage

In order to print usage of command line scanner execute following command:

./vvcls -h

You should see following help output:

usage: tool [-h] --apikey APIKEY [-d DIRECTORY] [-f FILELIST] [-H FILEHASHLIST] [--move DIRECTORY | --copy DIRECTORY | --remove]
[--cloud-scan-disabled] [-l FILE] [-v] [-r] [-i] [-o] [-n] [-u] [-V] [--quiet] [--stdout]
[--no-summary] [--tempdir TEMPDIR] [--leave-temps LEAVE_TEMPS] [--include REGEX] [--include-dir REGEX] [--exclude REGEX] [--exclude-dir REGEX] [--detect-pua STRING] [--scan-archive SCAN_ARCHIVE] [--max-filesize INTEGER] [--max-files INTEGER]
[--max-recursion INTEGER] [file]

positional arguments:
file Input file
optional arguments:
-h, --help show this help message and exit
DIRECTORY Scan directory
-f FILELIST, --file-list FILELIST Scan files from FILE which includes files' full paths
-H FILEHASHLIST, --file-hash-list FILEHASHLIST Scan files from FILE which includes a hash list
--move DIRECTORY Move infected files into DIRECTORY (full path)
--copy DIRECTORY Copy infected files into DIRECTORY (full path)
--remove Remove infected files. Be careful!
--apikey APIKEY Api Key to be used by Valkyrie Verdict to authorize client to backend system
-l FILE, --log FILE Save scan report to FILE (full path)
--verbose Enable console prints
-r, --recursive Scan recursively
-i, --infected Only print / log infected files
-o, --suppress-ok-results Skip printing OK files
-n, --no-upload Do not upload unknown files for analysis
-u, --update Check previously uploaded files analysis results and update verdicts in scan report log file
-V, --version show program's version number and exit
--quiet Only output error messages
--stdout Write to stdout instead of stderr
--cloud-scan-disabled Cloud scan will be disabled, i.e. files will not be queried from Valkyrie Verdict
--no-summary Do not display summary at the end of scanning
--tempdir TEMPDIR Create temporary files in DIRECTORY.
--leave-temps LEAVE_TEMPS Temporary files state will be confirm trough users choice
--include REGEX Only scan file matching regular expression
--include-dir REGEX Only scan directory matching regular expression
--exclude REGEX Don't scan file names matching REGEX
--exclude-dir REGEX Don't scan directories matching REGEX
--detect-pua STRING Detect Potentially Unwanted Applications
--scan-archive SCAN_ARCHIVE Scan archives . If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.
--max-filesize INTEGER Extract and scan at most #n kilobytes from each archive,You may pass the value in megabytes in format xM or xm, where x is a number
--max-files INTEGER Extract at most #n files from each scanned file (when this is an archive, a document or another kind of container).
--max-recursion INTEGER Set archive recursion level limit. This option protects your system against DoS attacks (default: 5)

Scanning a Directory

In order to scan a directory and it’s all subdirectories execute following command (provide your Valkyrie Verdict API Key and any custom log file):

./vvcls <directory-to-scan>

Command-line scanner start scanning each file in given directory, log known Safe, Malware and PUA files. For unknown files, command-line scanner says Unknown as verdict and upload files to Valkyrie Verdict backend. You should see an output like following:

/home/valkyrie-verdict/test/ad9237fc41f32d0af8d60f21d2725e819cc3436a: MALWARE
/home/valkyrie-verdict/test/a38b2994ecdf7e215fe2e9c2c5d9822c42130d2c (24): MALWARE
/home/valkyrie-verdict/test/75806e5e2c70ef822325735cacbdb82396e81c75: MALWARE
/home/valkyrie-verdict/test/5be75b84d890e726107fbe8a010db3068c61d5a8: MALWARE
/home/valkyrie-verdict/test/9c022c27497902222ed782d5b43ba55a246ee152: MALWARE

----------- SCAN SUMMARY -----------
Known viruses: 298468652
Engine version: 1.3.0
Scanned directories: 1
Scanned files: 5
Infected files: 5
Data scanned: 2.7630000000000003 MB
Time: 10.75 sec

Scanning Single File

In order to scan a single file, execute following command (provide your Valkyrie Verdict API Key):

./vvcls FILE_PATH

SHA-256: f9ff064c8e9e49cc92b05c3117e795c15bf38bc1cfbe65ff2ab5b38e25cb702a

Download Verdict Linux CLS

Download v1.3.0

SHA-256: b45a275a900ad993c949c240a765fa47d1bb952f818b6f33f44e5f7c968287a2

[1] Ali A. Selçuk, Fatih Orhan, Berker Batur, "Undecidable Problems in Malware Analysis", 12th International Conference for Internet Technology and Secured Transactions (ICITST), 2017.

Online version:

[2] David Evans, "On the Impossibility of Virus Detection", 2017.

Online version:

[3] Fred Cohen, “Computer viruses: theory and experiments”, Computers and Security, 6(1):22-35, 1987

[4] Fred Cohen, “Computational aspects of computer viruses”, Computers and Security, 8(4):325-344, 1989.