{"id":28469615,"url":"https://github.com/net-zer0/git-malscan","last_synced_at":"2026-05-07T00:36:38.022Z","repository":{"id":297142339,"uuid":"995786034","full_name":"Net-Zer0/Git-MalScan","owner":"Net-Zer0","description":"An automatic RaspberryPi Github Malware scanner using, clamav and virus total. Saves malicious files to an external SSD with the source so you can report them to GitHub","archived":false,"fork":false,"pushed_at":"2025-06-04T03:12:42.000Z","size":127,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-06-04T09:18:00.492Z","etag":null,"topics":["clamav","cybersecuirty","linux","malware-analysis","malware-analyzer","malware-detection","malware-research","malware-scan","malware-scanner","malware-scanning","python-script","python3","raspberry-pi","raspberrypi","virustotal","virustotal-api"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Net-Zer0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-04T02:22:42.000Z","updated_at":"2025-06-04T03:39:26.000Z","dependencies_parsed_at":"2025-06-08T04:33:00.842Z","dependency_job_id":null,"html_url":"https://github.com/Net-Zer0/Git-MalScan","commit_stats":null,"previous_names":["net-zer0/malscan"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Net-Zer0/Git-MalScan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Net-Zer0%2FGit-MalScan","tags_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/Net-Zer0%2FGit-MalScan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Net-Zer0%2FGit-MalScan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Net-Zer0%2FGit-MalScan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Net-Zer0","download_url":"https://codeload.github.com/Net-Zer0/Git-MalScan/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Net-Zer0%2FGit-MalScan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271657465,"owners_count":24797933,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-22T02:00:08.480Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["clamav","cybersecuirty","linux","malware-analysis","malware-analyzer","malware-detection","malware-research","malware-scan","malware-scanner","malware-scanning","python-script","python3","raspberry-pi","raspberrypi","virustotal","virustotal-api"],"created_at":"2025-06-07T09:08:04.477Z","updated_at":"2026-05-07T00:36:37.978Z","avatar_url":"https://github.com/Net-Zer0.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Git-MalScan\n![Alt text](Images/logo512.png)\n---\nA Python script to **automatically search GitHub for `.exe, .com, .pif, .msi, 
.scr, .bat, .cmd, .dll, .sys, .drv, .ocx, .vbs, .js, .ps1, .hta, .wsf, .lnk, .sh, .py, .zip, .rar, .7z, .tar, .gz, .iso, .docm, .xlsm, .pptm, .apk, .jar` files**, download them, and scan them for malware using [ClamAV](https://www.clamav.net/) and [VirusTotal](https://www.virustotal.com/). Results are logged and malicious files are saved for further analysis.\n---\nWhat malscan looks like while running with verbose:\n\n![Alt text](Images/UpdatedV3VT.png)\n\nWhat the folder output will look like:\n\n![Alt text](Images/FolderView.png)\n\nWhat the Malware Log will look like:\n\n![Alt text](Images/MalwareLog.png)\n\n---\n# MalScanV4.py uses ClamAV and Virus Total for detection\n# MalScanV4VT.py uses Virus Total Exclusively\n---\n\n## Features\n\n- Searches GitHub repositories for `.exe, .com, .pif, .msi, .scr, .bat, .cmd, .dll, .sys, .drv, .ocx, .vbs, .js, .ps1, .hta, .wsf, .lnk, .sh, .py, .zip, .rar, .7z, .tar, .gz, .iso, .docm, .xlsm, .pptm, .apk, .jar` files using the GitHub API.\n- Should comply with API limits for VirusTotal.\n- Downloads and scans each file with ClamAV.\n- Then scans files with VirusTotal (API key required, respects rate limits).\n- Maintains blocklists to avoid reprocessing the same files or repositories.\n- Has an extensive verbose mode; you can choose whether you want to see the verbose output when starting a scan.\n- Allows for setting recursive search depth.\n- You can specify up to 30-100 for the search query at the moment; however, this searches three filters, so you'll likely get around 300 repos to search.\n- Allows for setting a keyword to search for, e.g. Roblox Hacks, and it will filter only from this topic.\n- Designed for use on a Raspberry Pi or Linux system with SSD storage.\n- Automatically installs missing Python dependencies.\n- Automatically logs the source address to a file inside a folder containing the binary, which allows for easier reporting.\n---\n\n## Requirements\n\n- Python 3.7+\n- [ClamAV](https://www.clamav.net/) installed and available in your 
PATH\n- A [GitHub Personal Access Token](https://github.com/settings/tokens) with `repo` access\n- A [VirusTotal API key](https://www.virustotal.com/gui/join-us) (optional, but recommended)\n- Linux system (uses `/mnt/ssd` and `nice` command; adjust for other OSes as needed)\n\n---\n\n## Setup\n\n1. **Clone this repository or download the script:**\n\n    ```sh\n    git clone https://github.com/Net-Zer0/MalScan.git\n    cd MalScan\n    ```\n\n2. **Install ClamAV:** (If you are using V3.1VT, you may skip this step!)\n\n    ```sh\n    sudo apt update\n    sudo apt install clamav\n    ```\n\n3. **Edit the script:**\n\n    - Replace the `GITHUB_TOKEN` and `VT_API_KEY` variables at the top of the script with your own keys.\n    - You can create a token in the developer section of your GitHub account settings: create a new personal access token, copy it, and use it in the script. However, I must emphasize that you must never share this!!!\n\n4. **(Optional) Adjust directories:**\n\n    - By default, the script uses `/mnt/ssd` for storage and `/tmp/git_scan` for temporary files. Change these if needed.\n\n5. **(Non-optional) Adjustment to directories:**\n\n    - More importantly, change the `def mount_ssd():` function where `/dev/sda3` is defined. This needs to be set to your drive to work, e.g. SSD or USB; you can use **lsblk** to find your mount point!\n    - ***THIS STEP IS CRUCIAL TO THE SCRIPT WORKING AND REQUIRES SOME KNOWLEDGE OF PYTHON!!!***\n\n6. 
**(Optional) Adjust the search query to include other file types:**\n\n    ```python\n    SEARCH_QUERY = \"extension:exe OR extension:dll OR extension:scr OR extension:bat OR extension:cmd OR extension:js OR extension:vbs OR extension:ps1 OR extension:msi OR extension:com OR extension:jar\"\n    SEARCHES = [\n        {\"desc\": \"fewest stars\", \"sort\": \"stars\", \"order\": \"asc\"},\n        {\"desc\": \"newly indexed\", \"sort\": \"indexed\", \"order\": \"desc\"},\n        {\"desc\": \"recently updated\", \"sort\": \"updated\", \"order\": \"desc\"},\n    ]\n    ```\n\n    - You can change or add pretty much any scannable file type using the `extension:X OR extension:X` pattern, meaning you can easily add more to the scope by tweaking it until I add more to the base script!\n\n---\n\n## Usage\n\nRun the script with Python 3:\n\n```sh\nsudo python3 MalScanV4.py   # or: sudo python3 MalScanV4VT.py\n```\n--- \n## Recommendations - For Running On PI or Linux SBC\nI would recommend, if you are using Raspbian, using the 64-bit version and running it in Lite, as we will be using the command line exclusively. I would also recommend, if you want to run it for long periods of time, using `tmux new -s scan` or some other alternative like `screen` to keep the process running if you are using SSH. This will allow you to come back and reattach to the program when leaving it unattended if you do not have a monitor and keyboard to run it as its own workstation. Among other things, I am investigating freezing issues with ClamAV on my 3B+; however, I'm fairly certain this is due to undervoltage on my part. When I figure that out I may make ClamAV scan with more vigor. It will likely also work better on hardware that is not from 2018. 
At some point I will be upgrading to an RPI 5 to see if it runs better. If you are getting freezing issues, I would recommend running only the VT-only version for now.\n\n---\n## Future Updates!\n\n- To Be Determined!!!\n- Will add more features and functions to do with detection or extensions upon majority request!\n---\n## Version Changelog\n- V1 - initial iteration of MalScan\n- V2 \u0026 V2VT - added folders and sorting methods, new VT version for exclusively using VirusTotal's API for slower hardware.\n- V3 \u0026 V3VT - added other extensions to the scope of the search, ones commonly associated with malware.\n- V3.1 \u0026 V3.1VT - removed unused function for optimization and added more API error handling\n- V4 \u0026 V4VT - `.pif, .drv, .ocx, .sys, .hta, .wsf, .lnk, .sh, .py, .zip, .rar, .7z, .tar, .gz, .iso, .docm, .xlsm, .pptm, .apk` added to scan list\n---\n## Disclaimer\nGit-MalScan is provided for research and cybersecurity awareness purposes only. The authors and contributors are not responsible for any potential harm, system damage, data loss, or security breaches that may result from running this tool.\n- Users must exercise caution when scanning and handling binaries, as malware can pose significant risks.\n- Running Git-MalScan requires proper security measures, such as isolated environments, virtual machines, or dedicated analysis setups.\n- This tool does not guarantee complete or perfect malware detection and should not replace professional cybersecurity solutions.\nBy using Git-MalScan, you acknowledge and accept these risks and take full responsibility for its usage.\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnet-zer0%2Fgit-malscan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnet-zer0%2Fgit-malscan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnet-zer0%2Fgit-malscan/lists"}