Setting Up Integrations

Integrate VirusTotal with Your PhishER Platform

From the VirusTotal subtab of your PhishER Settings, you can configure the VirusTotal integration for your PhishER platform. VirusTotal is a service that uses over 70 antivirus scanners to inspect and analyze files for malicious content. To integrate your VirusTotal account with PhishER, you must have an active VirusTotal API key. If you do not have a VirusTotal account, you can join for free on VirusTotal's website.

Note: KnowBe4 has approval from VirusTotal to integrate with the VirusTotal Public API, which is free. The VirusTotal Public API is limited to 500 requests per day and four requests per minute when running a scan in your PhishER platform. For more information, see VirusTotal's VirusTotal API v3 Overview article.

Configuring the Integration

To configure the integration, fill out the fields on the VirusTotal subtab of your PhishER Settings. For more information, see the list below:

  1. Disabled or Enabled: Use this toggle to disable or enable the integration.
  2. Enter your VirusTotal key: Enter your VirusTotal key in this field. For more information, see VirusTotal's Please give me an API key article.
  3. (Optional) VirusTotal Automatic Scanning: In this section, you can configure settings that allow VirusTotal to automatically scan parts of a message. To learn about these options, see the list below:
    • Automatically scan ALL Attachments (Hashes Only): If you select this check box, VirusTotal will receive a hash of all attachments in your PhishER Inbox.
    • Automatically scan ALL URLs: If you select this check box, VirusTotal will automatically be sent all URLs in your PhishER Inbox.
    • Timeout if no response (seconds): Enter a number of seconds to set a custom timeout period for your VirusTotal scan results. If VirusTotal does not return scan results within this timeout period, a VT_Bypassed tag will be applied to the corresponding message. By default, the timeout period is 120 seconds. To learn more about the tags that can be applied to the message, see the VirusTotal Tags section of this article.
  4. Ignored Domains: Enter the domains that you would like VirusTotal to ignore when running a scan. Enter each domain as a new line in the text box. If you add a domain to this list, any subdomains of that domain will be excluded as well. However, if you add a subdomain to the list, the domain will not be excluded. Wildcards (*) and Uniform Resource Identifiers (URIs) are not supported.
    Important: For a list of KnowBe4 domains that should not be sent as links or attachments to VirusTotal, see the Excluding KnowBe4 Domains from Scans section of this article.
  5. Save: Click this button to update your VirusTotal integration settings.

Scanning with VirusTotal

Once you integrate your VirusTotal account with your PhishER platform, you can run a VirusTotal scan on message attachments and URLs. To run a VirusTotal scan on a specific attachment or URL, click Scan with VirusTotal on the Message Details page.

You can also automatically run a VirusTotal scan against selected messages when you rerun your rules and actions. For more information about these options, see our How to Use Your PhishER Inbox article.

VirusTotal assigns one or more tags to your scanned messages to indicate the results of the analysis. To learn more about the tags that can be applied to messages, see the VirusTotal Tags section of this article.

Important: If you enable the settings in the VirusTotal Automatic Scanning section of your settings, VirusTotal will automatically receive a hash of all attachments or URLs in your PhishER Inbox. If you manually submit a file for a VirusTotal scan, the results will be shared publicly in the VirusTotal community to spread awareness of verified malicious content. This information is important to consider when running VirusTotal scans on attachments with sensitive information.

Excluding KnowBe4 Domains from Scans

KnowBe4 uses multiple domains that should not be sent as links or attachments to VirusTotal. You can enter these domains in the Ignored Domains field on the VirusTotal subtab of your PhishER Settings. For a full list of these domains, see the list below:

  • kb4.io
  • comano.us
  • magnetonics.com
  • bloemlight.com
  • instantrevert.net
  • phishing.guru
  • phishtrain.org
  • malwarebouncer.com
  • phish.farm
  • microransom.us
  • msftemail.com
  • compromisedblog.com
  • com-onlinebanking.com
  • com-token-auth.com
  • 2O2.lOl
  • protected-forms.com
  • cert-sha256.com
  • wishyoudidntclickthis.com
  • cert-sha256.co.uk
  • internalportal.net
  • twittermessage.net
  • my-cloud-mail.com
  • linkedlnu.com
  • farenheit.net
  • gooqleonline.com
  • donotreply.biz
  • aøl.com
  • exchamge.org
  • allibaba.org
  • voipmessage.uk
  • efaxonline.org
  • bltly.us
  • twittermessage.co.uk
  • www-com.co.uk
  • srvgov.com
  • gooqle.eu
  • allibaba.eu
  • yourgunnalovetraining.com
  • succesful.org
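
The Ignored Domains rules from the Configuring the Integration section (subdomains of a listed domain are excluded, the parent of a listed subdomain is not, wildcards and URIs are not supported), modelled as an added Python example that is not KnowBe4 or PhishER code. The function names and sample entries are constructed for illustration, and the matching logic is an assumption based on the documented behaviour, useful for checking a list before pasting it into the field.

```python
from urllib.parse import urlsplit

# Constructed sample of pasted Ignored Domains text, one entry per line.
# kb4.io, phishing.guru and phish.farm come from the list above;
# mail.example.com is a placeholder subdomain entry.
SAMPLE_ENTRIES = [
    "kb4.io",
    "*.phishing.guru",           # wildcard: not supported
    "https://phish.farm/login",  # URI: not supported
    "mail.example.com",
    "",
]

def validate_entries(lines):
    """Split pasted entries into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for raw in lines:
        entry = raw.strip().lower().rstrip(".")
        if not entry:
            continue
        # Reject wildcards and anything carrying URI syntax (scheme, path, query).
        if any(ch in entry for ch in "*/:?#@"):
            rejected.append(raw.strip())
        else:
            accepted.append(entry)
    return accepted, rejected

def is_ignored(url, ignored):
    """True if the URL's host is a listed domain or a subdomain of one."""
    if "://" not in url:
        url = "//" + url  # let urlsplit parse scheme-less URLs as host + path
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Compare on label boundaries so "notkb4.io" does not match "kb4.io".
    return any(host == d or host.endswith("." + d) for d in ignored)

if __name__ == "__main__":
    ok, bad = validate_entries(SAMPLE_ENTRIES)
    print("accepted:", ok)
    print("rejected:", bad)
    for u in ("https://training.kb4.io/x", "http://notkb4.io/",
              "https://example.com/", "mail.example.com/inbox"):
        print(u, "->", "ignored" if is_ignored(u, ok) else "scanned")
```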

VirusTotal Tags

In the VirusTotal tags section of the VirusTotal subtab, you can view the tags that VirusTotal can attach to your messages after they are scanned. Based on the scan results, VirusTotal will apply one or more of the tags to your messages. To learn about the VirusTotal tags, see the list below:

  1. VT_Pending: This tag is attached to your message when a VirusTotal scan is queued. This tag will be removed when the scan is completed.
  2. VT_Bad: This tag is attached to your message when a VirusTotal scan determines that the attachment is malicious.
  3. VT_Scanned: This tag is attached to your message when a VirusTotal scan is completed and determines that the attachment is not malicious.
  4. VT_Bypassed: This tag is attached to your message when a VirusTotal scan times out. This tag is commonly attached with additional VirusTotal tags. You can set a custom timeout period under your VirusTotal Automatic Scanning settings.
    Note: If a VirusTotal timeout occurs, PhishER will still wait for your VirusTotal results to return. However, automated actions will not run against the item while VirusTotal scans it.
  5. VT_Hash_not_found: This tag is attached to your message when a VirusTotal scan doesn’t return a match for the hashed attachments.
  6. VT_Ignored: This tag is attached to your message when URLs or domains found on your whitelist are detected on a message.
Note: A message with multiple attachments can have multiple VT tags since some scans may finish at different times or have different results.
