Logging VirusTotal Package Scans to Slack

When I need to create or automate a process, I generally try not to reinvent the wheel unless absolutely necessary. So, when I was looking to automate running a set of AutoPkg recipes on a set interval, Rich Trouton’s autopkg-conductor turned out to be a perfect fit for my needs. You can read his full post about it on his blog here.

Now, AutoPkg by default includes a number of features to ensure the package you’ve grabbed is legitimate. That said, there’s still a small but real risk of malware hitching a ride alongside a legitimate package. Fortunately, there’s a great PostProcessor called VirusTotalAnalyzer to check for this. No solution is perfect, of course, but having all your packages run through VirusTotal adds another layer to your defense in depth strategy.

Rich’s autopkg-conductor has built-in support for posting details of new packages to Slack as they’re uploaded to Jamf Pro as part of a jss or jamf recipe. So, I made a slight modification to line 201 to add the VirusTotalAnalyzer PostProcessor:

/usr/local/bin/autopkg run --recipe-list=${recipe_list} --post=${slack_post_processor} --key ${slack_autopkg_processor_key}=${slack_webhook} --post "io.github.hjuutilainen.VirusTotalAnalyzer/VirusTotalAnalyzer" >> /tmp/autopkg.out 2>>/tmp/autopkg_error.out

You’ll notice there are a few more lines calling autopkg to run recipes in Rich’s script based on the results of some if statements. The line referenced above will be run when the script is configured to use the Slacker post-processor. If you want to have VirusTotalAnalyzer run under any conditions, you’ll want to add it to the autopkg lines in the other conditions.

autopkg-conductor generates logs in a specific format (autopkg-run-for-<<date>>), stored by default in ~/Library/Logs. Unfortunately, the output of any additional PostProcessors, while logged, are not picked up by the native Slack reporting. Enter virustotalLogger!

Provided a Slack webhook URL and log location, my script will detect the most recent run log, read any included VirusTotal results, and send them to the provided Slack webhook. I have it set to run immediately following autopkg-conductor. This is great for reporting, but has some drawbacks:

– By the time this script runs and reports scan results, the package has already been uploaded to your Jamf Pro instance.
– If you have further automation in place for package deployment, some devices may have already installed the new package.
– This is just straight reporting–no action is taken based on what VirusTotal reports. And, it relies on someone monitoring the Slack channel for reported VirusTotal detections.

Since originally creating virustotalLogger, I’ve migrated all of my jss recipes to use Graham Pugh’s jamf-upload instead. This allowed me to address all of the above drawbacks while still using the script to receive package scan results. I’ll be making a post on that later.

virustotalLogger can be found on my GitHub here.

Hello world!

Iโ€™ve been thinking of starting a blog for quite a while now. Looks like I finally did it!

Stuff will go here eventually. Stay tuned for ramblings on technology and occasionally personal endeavors.