Feb 12 2020 01:46 AM
Hello
I was wondering if there is any chance of alerting when there is a detection of malware in VirusTotal but not in ATP. Multiple times there has been malware executing with no detection in ATP but a high number of hits in VT (~50).
Is it possible to detect this with Advanced hunting? I was looking at the ActionType "Antivirusreport" but it does not mention VT.
Feb 26 2020 12:48 AM
@Victor5011 I don't think it's possible to detect it through an advanced hunting query. I've felt the same, virustotal does detect but MS doesn't.
You could probably use the MS Defender ATP API to fetch the SHA1, or an advanced hunting query, and then manually or by the virustotal API query it. However - it's a complex situation to get real alerts to act on of course.
I'm not that good at APIs and so on, so that's out of my scope. But I suppose that this would work with some scripting/API knowledge, so here are some links:
https://support.virustotal.com/hc/en-us/articles/115002100149-API
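A concrete form of the two-step approach this reply describes, added here as an example and not the poster's own code: pull SHA1s of recently executed processes through the Defender ATP advanced queries API, look each one up in the VirusTotal v3 files API, and flag anything at or above a hit threshold. It assumes the caller supplies an ATP bearer token and a VT API key, assumes the `AlertEvidence` join for excluding hashes ATP already alerted on (current hunting schema), and uses constructed sample VT reports so the flagging logic runs offline.

```python
import json
import urllib.error
import urllib.request

MDE_QUERY_URL = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha1}"

# Advanced Hunting query: SHA1 of every process started in the last day, minus
# hashes that already appear as evidence in an ATP alert (assumed schema).
KQL = ("DeviceProcessEvents | where Timestamp > ago(1d) | where isnotempty(SHA1)"
       " | join kind=leftanti (AlertEvidence | project SHA1) on SHA1"
       " | summarize by SHA1")


def get_json(url, headers, body=None):
    """GET (POST when body is given) and decode JSON; None on HTTP 404 (hash unknown to VT)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def hunted_sha1s(mde_token):
    """Run KQL through the ATP API; response rows live under the 'Results' key."""
    headers = {"Authorization": "Bearer " + mde_token, "Content-Type": "application/json"}
    return [row["SHA1"] for row in get_json(MDE_QUERY_URL, headers, {"Query": KQL})["Results"]]


def vt_report(api_key, sha1):
    """Fetch the VT v3 file report for one hash (authenticated via the x-apikey header)."""
    return get_json(VT_FILE_URL.format(sha1=sha1), {"x-apikey": api_key})


def vt_malicious(report):
    """Engines flagging the file in a VT report; 0 when VT has never seen the hash."""
    if report is None:
        return 0
    return int(report["data"]["attributes"]["last_analysis_stats"].get("malicious", 0))


def flag_undetected(sha1s, lookup, threshold=50):
    """Return (sha1, hits) for hashes that `lookup` reports at or above `threshold`."""
    return [(h, n) for h in sha1s for n in [vt_malicious(lookup(h))] if n >= threshold]


# Constructed sample reports standing in for VT responses (not real data).
SAMPLE_REPORTS = {
    "a" * 40: {"data": {"attributes": {"last_analysis_stats": {"malicious": 52, "undetected": 18}}}},
    "b" * 40: {"data": {"attributes": {"last_analysis_stats": {"malicious": 1, "undetected": 69}}}},
    "c" * 40: None,  # hash VT has never seen
}


def demo():
    """Offline run over the constructed reports; returns only the heavily flagged hash."""
    return flag_undetected(list(SAMPLE_REPORTS), SAMPLE_REPORTS.get)
```

With real credentials, `flag_undetected(hunted_sha1s(token), lambda h: vt_report(key, h))` produces the list to raise an alert on; VT's public API rate limits mean the hunted list should be kept short or cached.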
Feb 21 2022 06:43 AM - last edited on Feb 24 2022 10:57 AM by Eric Starker
You can use a CasperJS script to automate checking the hashes.