VirusTotal Scanning #4

Open
opened 2026-01-19 18:28:36 +00:00 by michael · 7 comments

Originally created by @Aetherinox on GitHub.

I've read over the docs, and I don't know why, but I can do every other action with this app. But for some reason, testing VirusTotal never works.

curl -X PUT --upload-file nhgbhhj https://x.domain.lan/test.txt/virustotal
invalid character '<' looking for beginning of value

And then transfer.sh logs returns a curl 500 error.


Just to eliminate something dumb, I even used the example straight out of the docs, and created a file named nhgbhhj; with text inside to ensure it wasn't trying to push an empty file.

If I add a / to the end of the URL, or change the capitalization, no error, but nothing posts or outputs

curl -X PUT --upload-file nhgbhhj https://x.domain.lan/test.txt/virustotal/

Any help would be awesome with this.

I found the log file, which outputs the following:

[transfer.sh] starting to listen on: :8080
[transfer.sh] ---------------------------
[transfer.sh] Submitting to VirusTotal: test.txt 5 
[transfer.sh] scanid: , resource: , permalink: , md5: 
[transfer.sh] "PUT /test.txt/virustotal HTTP/1.1" 500  "" "curl/7.81.0"
[transfer.sh] Submitting to VirusTotal: test.txt 5 
[transfer.sh] scanid: , resource: , permalink: , md5: 
[transfer.sh] "PUT /test.txt/virustotal HTTP/1.1" 500  "" "curl/7.81.0"
[transfer.sh] Error metadata: open /tmp/test.txt/virustotal.metadata: no such file or directory
[transfer.sh] "GET /test.txt/virustotal HTTP/1.1" 404  "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100211 Firefox/141.0"

But no matter what I do, I get the < error. And after looking online, it appears to be a GoLang JSON error.




After looking through the code, it appears to be coming from the Go package https://github.com/dutchcoders/go-virustotal via the line

	vt, err := virustotal.NewVirusTotal(s.VirusTotalKey)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
	}

The err is returning

%!s(<nil>)

@Aetherinox commented on GitHub:

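I've been tearing through the code. It's the damn hardcoded URL at

- https://github.com/dutchcoders/go-virustotal/blob/24cc8e6fa329f020c70a3b32330b5743f1ba7971/virustotal.go#L310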

It needs to be changed to https:

request, err := newfileUploadRequest("https://www.virustotal.com/vtapi/v2/file/scan", params, path, file)

Then if I run the virustotal vt.go module by itself, I finally get a response

# #
# go prints
# #

$ go run ./bin/vt.go \
   --apikey XXXX \
   --debug scan "test"

request %s &{POST https://www.virustotal.com/vtapi/v2/file/scan HTTP/1.1 1 1 map[Content-Type:[multipart/form-data; boundary=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]] {--XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Content-Disposition: form-data; name="apikey"

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
--XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: application/octet-stream

helloworld
--XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX--
} 0xbbcc00 425 [] false www.virustotal.com map[] map[] <nil> map[]   <nil> <nil> <nil> {{}}}

Scan request successfully queued, come back later for the report
scanid: 936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af-1747725594, 
resource: 936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af, 
permalink: f-936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af-1747725594, 
md5: fc5e038d38a57032085441e7fe7010b0

Without the http -> https change, you just get

} 0x116cc00 425 [] false www.virustotal.com map[] map[] <nil> map[]   <nil> <nil> <nil> {{}}}
err %s <nil>
invalid character '<' looking for beginning of value
exit status 1

I then took the revised code in the go module, loaded it as a local package into transfer.sh, and I get a response

$ curl -X PUT --upload-file ./test http://127.0.0.1:8080/test/virustotal
f-9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08-1747726322

And VirusTotal reports back an increase in API usage

Image


And transfer.sh logs outputs a 200 success

[transfer.sh] 127.0.0.1:60928 - - "PUT /test/virustotal HTTP/1.1" 200  "" "curl/8.10.1"

The question becomes, does anyone who is active have access to that repo to make the URL changes to push a PR. Obviously the snippet you pasted needs to be refactored to handle errors a bit better, but at least this allows VT to work in transfer.sh

There's two places where the URL needs adjusted.

- https://github.com/dutchcoders/go-virustotal/blob/24cc8e6fa329f020c70a3b32330b5743f1ba7971/virustotal.go#L259
- https://github.com/dutchcoders/go-virustotal/blob/24cc8e6fa329f020c70a3b32330b5743f1ba7971/virustotal.go#L310

@paolafrancesca commented on GitHub:

@Aetherinox , thank you very much for your investigation and I apologize for the lack of proper information in the documentation. I'd kindly ask you, if you'd the time to open a PR on https://github.com/dutchcoders/go-virustotal with your fixes.

I'm not sure I'm the maintainer of the repository, so if you'd be open to maintain your fork I would be more than glad to change the dependency on the main transfersh repo to your maintained version of go-virustotal


@paolafrancesca commented on GitHub:

hello @Aetherinox , i haven't used the virustotal endpoint in ages

i've checked what the dutchcoders go-virustotal package does: https://github.com/dutchcoders/go-virustotal/blob/master/virustotal.go#L305

at https://github.com/dutchcoders/go-virustotal/blob/master/virustotal.go#L349 an err might occur that is not returned, then the write can be actually closed with no error (https://github.com/dutchcoders/go-virustotal/blob/master/virustotal.go#L351) sending an empty mime part of the file part to the api

i checked the virustotal api: https://docs.virustotal.com/v2.0/reference/file-scan: do you see the curl code snippet? could you try to run it sending an empty file? i don't have an api key available at the moment.

please add -vvv to the curl request, share the full output from the command (eventually hiding sensitive data)


@Aetherinox commented on GitHub:

Last part, and I'm done messing with this for now.

The README.md for transfer.sh is also missing the env definition for the VirusTotal API key. I had to go digging through the code to see what it was.

Without providing a VirusTotal API key to transfer.sh, you also get the same error

invalid character '<' looking for beginning of value

Readme just needs this addition:

| Parameter | Description | Value | Env |
| --- | --- | --- | --- |
| virustotal-key | VirusTotal API key | | VIRUSTOTAL_KEY |

So until that error handling in the go module is fixed, that < error is just going to be a catch-all anytime it cannot talk to VirusTotal.


For the time being I'm using my own modified. And I'm going to look into refactoring that error so that it properly returns what the issue is

go.mod

	github.com/Aetherinox/go-virustotal v0.0.0-20250520084801-0eb8c8f901c8

go.sum

github.com/Aetherinox/go-virustotal v0.0.0-20250520084801-0eb8c8f901c8 h1:wEwYJxNLG29OesabDdAJWFBIO42HOL4x5kjvGuZLIyk=
github.com/Aetherinox/go-virustotal v0.0.0-20250520084801-0eb8c8f901c8/go.mod h1:myGG2GhfY2AgAPe8lFZw6Y1+IxhU+ED7ilotbpdQsDw=

/server/virustotal.go

import (
	"fmt"
	"net/http"

	"github.com/gorilla/mux"

	"github.com/Aetherinox/go-virustotal"
)

Here's the repo:

- https://github.com/Aetherinox/go-virustotal
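The catch-all `<` error described in this thread can be reproduced, and then avoided, by checking the HTTP status and Content-Type before handing the body to the JSON decoder. This is an added example, not code from transfer.sh or go-virustotal; `naiveDecode`, `checkedDecode`, `reply` and the canned replies are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ScanResult holds fields visible in the file/scan JSON reply quoted in this thread.
type ScanResult struct {
	ResponseCode int    `json:"response_code"`
	ScanID       string `json:"scan_id"`
	MD5          string `json:"md5"`
	VerboseMsg   string `json:"verbose_msg"`
}

// naiveDecode feeds the body straight to the JSON decoder, ignoring status and
// Content-Type. Any HTML reply then surfaces only as the '<' syntax error.
func naiveDecode(resp *http.Response) (*ScanResult, error) {
	defer resp.Body.Close()
	var r ScanResult
	if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
		return nil, err
	}
	return &r, nil
}

// checkedDecode (hypothetical helper) validates the reply before parsing it,
// so the caller learns what actually came back.
func checkedDecode(resp *http.Response) (*ScanResult, error) {
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap untrusted input
	if err != nil {
		return nil, fmt.Errorf("read scan response: %w", err)
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("scan endpoint returned HTTP %d: %s", resp.StatusCode, snippet(body))
	}
	ct := resp.Header.Get("Content-Type")
	if mt, _, err := mime.ParseMediaType(ct); err != nil || mt != "application/json" {
		return nil, fmt.Errorf("scan endpoint returned Content-Type %q, not JSON: %s", ct, snippet(body))
	}
	var r ScanResult
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("decode scan response: %w", err)
	}
	if r.ResponseCode != 1 {
		return nil, fmt.Errorf("scan not queued (response_code %d): %s", r.ResponseCode, r.VerboseMsg)
	}
	return &r, nil
}

// snippet returns a short, single-line excerpt of a body for error messages.
func snippet(b []byte) string {
	s := strings.Join(strings.Fields(string(b)), " ")
	if s == "" {
		return "(empty body)"
	}
	if len(s) > 80 {
		s = s[:80] + "..."
	}
	return s
}

// Constructed replies standing in for a scan endpoint; none is captured traffic.
var constructedReplies = map[string]http.HandlerFunc{
	"html": func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "text/html")
		io.WriteString(w, "<html><body>not the API</body></html>")
	},
	"forbidden": func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusForbidden)
	},
	"queued": func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, `{"response_code":1,"scan_id":"constructed-scan-id",`+
			`"md5":"constructed","verbose_msg":"Scan request successfully queued"}`)
	},
}

// reply runs the named handler in memory (no sockets) and returns its response.
func reply(name string) *http.Response {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/vtapi/v2/file/scan", nil)
	constructedReplies[name](rec, req)
	return rec.Result()
}

func main() {
	for _, name := range []string{"html", "forbidden", "queued"} {
		_, naiveErr := naiveDecode(reply(name))
		_, checkedErr := checkedDecode(reply(name))
		fmt.Printf("%-9s naive:   %v\n          checked: %v\n", name, naiveErr, checkedErr)
	}
}
```
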

@Aetherinox commented on GitHub:

Note

Skip to next message for solution


Alright, did a bunch of tests just to make sure that file could even be scanned at all by VT using normal curl. First I'll provide the "invalid file" tests, and then the successful.

Provided File Path, But Is Not Valid File

This attempt tries to pass a file which just doesn't exist at all /server/nhgbhhj222

$ curl -vvv --request POST --url "https://www.virustotal.com/vtapi/v2/file/scan" \
   --form "apikey=XXXXX" \
   --form "file=@\"/server/nhgbhhj222\""

curl: (26) Failed to open/read local data from file/application

File Exists, But Empty / 0 bytes

This attempt tries to pass a file which exists, but is empty / at zero bytes /server/nhgbhhjEmpty

$ curl -vvv --request POST --url "https://www.virustotal.com/vtapi/v2/file/scan" \
   --form "apikey=XXXXX" \
   --form "file=@\"/server/nhgbhhjEmpty\""

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 34.54.88.138:443...
* Connected to www.virustotal.com (34.54.88.138) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.virustotal.com
*  subjectAltName: host "www.virustotal.com" matched cert's "www.virustotal.com"
*  issuer: C=US; O=Google Trust Services; CN=WR3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x59a0b603eeb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> POST /vtapi/v2/file/scan HTTP/2
> Host: www.virustotal.com
> user-agent: curl/7.81.0
> accept: */*
> content-length: 363
> content-type: multipart/form-data; boundary=------------------------fa10eb2cbef6f124
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* We are completely uploaded and fine
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
< content-type: application/json
< vary: Accept-Encoding
< date: Tue, 20 May 2025 06:02:21 GMT
< server: Google Frontend
< content-length: 526
< via: 1.1 google
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):

{
  "md5": "ae2af1609316b6116bda14103afefa6f",
  "response_code": 1,
  "scan_id": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1747720519",
  "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
  "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  "verbose_msg": "Scan request successfully queued, come back later for the report"
}

* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Connection #0 to host www.virustotal.com left intact

Successful Valid File

This attempt passes a valid file with contents inside the file. /server/nhgbhh

$ curl -vvv --request POST --url "https://www.virustotal.com/vtapi/v2/file/scan" \
   --form "apikey=XXXXX" \
   --form "file=@\"/server/nhgbhhj\""

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 34.54.88.138:443...
* Connected to www.virustotal.com (34.54.88.138) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.virustotal.com
*  subjectAltName: host "www.virustotal.com" matched cert's "www.virustotal.com"
*  issuer: C=US; O=Google Trust Services; CN=WR3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x564451622eb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> POST /vtapi/v2/file/scan HTTP/2
> Host: www.virustotal.com
> user-agent: curl/7.81.0
> accept: */*
> content-length: 368
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* We are completely uploaded and fine
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
< content-type: application/json
< vary: Accept-Encoding
< date: Tue, 20 May 2025 05:58:35 GMT
< server: Google Frontend
< content-length: 526
< via: 1.1 google
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):

{
    "md5": "ae2af1609316b6116bda14103afefa6f",
    "response_code": 1,
    "scan_id": "3fd48de5c648bce27acaa6ddda51f35a0c69f07075ac472a4347c66502bb0d48-1747720715",
    "sha1": "66a597cd6e167f86791dcd1bfc951cc93e43eb87",
    "sha256": "3fd48de5c648bca17acaa6edda51f35a0c69f07075ac412a4347ca6502bb0d48",
    "verbose_msg": "Scan request successfully queued, come back later for the report"
}

* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Connection #0 to host www.virustotal.com left intact

Another transfer.sh attempt

Since the file is seen by VirusTotal as fine, I tried to pass again to transfer.sh

curl -X PUT --upload-file nhgbhhj https://transfer.domain.lan/nhgbhhj/virustotal

invalid character '<' looking for beginning of value

Also tried --upload-file /server/nhgbhhj and ./nhgbhhj


and I also kept track of the API calls via VT before and after I used transfer.sh app; stayed at 0 requests, however, when using the curl method:

Image


@Aetherinox commented on GitHub:

Yeah I can do that. I updated a few things with the dependency because it appears there's no longer any work being done to it from the original developers.

But I'll prepare a PR.

There's a few other things in the go package that I want to address, but I wanted to see first if it would be useful before I start spending the time on it. But they're not breaking issues. Just needs better clarity for the end-user as the errors do not give details in the event of failures, which can be a pain for debugging.


@Aetherinox commented on GitHub:

So you can pick which route you want to go. I submitted two PRs:

  1. https://github.com/dutchcoders/transfer.sh/pull/657
  2. https://github.com/dutchcoders/go-virustotal/pull/4

If you have contrib status on the VT go repo, you can just approve those changes. If not, I submitted a PR for this repo which switches the package over to mine, as well as updates the documentation to specify the VirusTotal API param / env var.

Reference: dutchcoders/transfer.sh#4