Configuring VirusTotal

Enabling the VirusTotal API

Ghostwriter can use VirusTotal's API to look-up domain names in your Domain Library. If any domain name is linked to positive malware downloads or assigned an undesirable category, Ghostwriter will mark that domain has "Burned" with an explanation.

The blocklist is maintained inside of the module:

class DomainReview(object
« snip »
blocklist = [
"web ads/analytics",
"malicious sources/malnets",

By default, Ghostwriter will block users from checking-out and using domain names marked as burned. You can always review the status change and override it (change the status back to "Healthy") if you feel the domain is still safe to use.

If you do not have one, get a free API key from VirusTotal. The free version (VirusTotal Community / Public API) is limited to four requests per minute. Ghostwriter defaults to using a sleep time of 20 seconds.

If your organization has a premium API key (aka Premium API or Private API), you can change the sleep time to match the key's configured request rate.

VirusTotal Configuration