All Apps and Add-ons

Virustotal Checker --Getting an error code " ERROR "MissingSectionHeaderError at ""C:\Program Files\Splunk\etc\apps\virustotalchecker\bin\virustotalchecker.py"",

renjujacob88
Path Finder

Hi,

I'm a newbie to splunk and need your help here.
I have installed virustotal checker and ran a query to list down the hash value. But when running it im getting an error. PFB

My Query
INdex=AV | table dhost Message_id | vt field="Message_id" | table dhost Message_id vt_* .

Error message:

External search command 'vt' returned error code 1. Script output = " ERROR "MissingSectionHeaderError at ""C:\Program Files\Splunk\etc\apps\virustotalchecker\bin\virustotalchecker.py"", > line 92 : File contains no section >headers. file: C:\Program > Files\Splunk\etc/apps/virustotalchecker/local/vtc.conf, line: 1 '\xef\xbb\xbf\n'" "

Im not sure whether i have configured the virustotal cecker in right manner. Any help will be appreciated.

Tags (1)
0 Karma

dcottindustry
Explorer

I can't claim to be an expert in this, but I believe I found the issue. This most likely only occurs on Windows installations of Splunk.

When you set a proxy in the script it reads from apps\virustotalchecker\local\vtc.conf, the python script is expecting a section header of [settings] to be at the start of this file. However:

  • At the start of the file there is a new line (so the script doesn't find the section header);
  • The vtc.conf file is encoded with UTF-8 and the python script isn't decoding it;

These two reasons are why \xef\xbb\xbf\n is being returned to the script instead of [settings]

Doing the following fixed it for me:
1. Open the vtc.conf file in local;
2. Delete the newline at the start of the file, so [settings] is on line 1;
3. Change the encoding of the file to ANSI from UTF-8 (you can do this easily in Notepad++.

Hopefully the author will update the script to deal with this issue.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...