VirusTotal limits when different Wazuh servers generate requests to the service from the same IP address

[d4rkrex]

Problem

When various Wazuh servers generate requests to the VirusTotal services from the same IP addresses and with different API keys, the services reach the limit with a single request. It is presumed that the IP addresses were banned.

VirusTotal support answer

Hello,
Those IPs have not been banned, but our anti-abuse systems detected anomalous activity, thousands of requests checking files report and not uploading any hash.
Do you have more information about the integration? Can you share screenshots?
Which VirusTotal information is provided to the end customers?
Best regards,

Information provided to VirusTotal

• Do you have more information about the integration? Can you share screenshots?
  Please find Virustotal integration here https://github.com/wazuh/wazuh/blob/master/integrations/virustotal

• Which VirusTotal information is provided to the end customers?
  Only need to provide their API key. Please find more information here >> https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/virus-total-integration.html

[d4rkrex]

Investigation:

Based on VirusTotal customer support response about MD5 hashes missing, we perform the following tasks:

• Inventory of environments with VirusTotal integration.
• Review de integration.log to find out any errors about MD5.

We didn't find md5-based errors on /var/ossec/logs/integrations.log or /var/ossec/logs/ossec.log but we found this and could be related to this problem.

2023/04/10 02:19:53 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf3 in position 1812: invalid continuation byte

The byte 0xf3 is in latin-1 encoding the ´ character