This new version fixes a major issue in the FileInfo analyzer caused by an update of one of its library dependencies. It also improves the short reports of the VirusTotal analyzers so that the GetReport and Scan flavors can be told apart at a glance.
FileInfo
TL;DR
- If you are a new user, just follow the installation instructions (git clone the repository and install the Python libraries).
- If you already use FileInfo and the analyzer fails with ModuleNotFoundError: No module named 'ExtractMsg', you can fix it by running the following commands:
sudo -H pip3 uninstall extract-msg   # press y to confirm
sudo -H pip2 uninstall extract-msg   # press y to confirm
sudo -H pip2 install git+https://github.com/mattgwwalker/msg-extractor.git@v0.19
sudo -H pip3 install git+https://github.com/mattgwwalker/msg-extractor.git@v0.19
This removes the latest version of the msg-extractor library and installs the last version known to work with the FileInfo analyzer.
Detailed information
To parse and analyze Outlook emails (.msg files), the FileInfo analyzer uses a Python library called msg-extractor, written and published by @mattgwwalker. A few days ago this library was updated with changes that FileInfo does not support yet. Running the analyzer shipped in Cortex-Analyzer 1.14.3 and below against the latest version of the library means the analysis never starts and fails with the following error:

We are currently working on the FileInfo analyzer so that it can use the latest version of this very useful library.
In the meantime, as a workaround, the analyzer's requirements.txt now pins the library to the last working version, v0.19. So if you installed or updated this library recently and are facing the error message, you can fix it with the following commands:
sudo -H pip3 uninstall extract-msg   # press y to confirm
sudo -H pip2 uninstall extract-msg   # press y to confirm
sudo -H pip2 install git+https://github.com/mattgwwalker/msg-extractor.git@v0.19
sudo -H pip3 install git+https://github.com/mattgwwalker/msg-extractor.git@v0.19
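Before running FileInfo again, it is worth confirming that the interpreter it uses really has the pinned library and that the module name from the error message imports. The following preflight check is an added example, not code from Cortex-Analyzers; it only reads the environment and reports, and it assumes the pinned version (0.19), the pip distribution name (extract-msg) and the module name (ExtractMsg) given above. Run it once with each interpreter you reinstalled the library for (python2 and python3).

```python
"""Preflight check for the msg-extractor version pin used by FileInfo.

Added example, not part of Cortex-Analyzers. It never installs or removes
anything; it only reports whether this interpreter matches the workaround.
"""
import importlib.util
from importlib.metadata import PackageNotFoundError, version

PINNED_VERSION = "0.19"       # version pinned in the analyzer's requirements.txt
DIST_NAME = "extract-msg"     # pip distribution name used in the workaround commands
LEGACY_MODULE = "ExtractMsg"  # module name from the ModuleNotFoundError FileInfo raises


def assess(installed_version, legacy_importable):
    """Pure decision logic, kept separate from pip so it can be unit-tested.

    installed_version: version string, or None when the distribution is absent
    legacy_importable: True when `import ExtractMsg` would succeed
    Returns a (status, advice) tuple.
    """
    if installed_version is None:
        return ("missing", f"{DIST_NAME} is not installed; run the pip install lines above")
    if installed_version != PINNED_VERSION:
        return ("unpinned", f"{DIST_NAME} {installed_version} found, expected {PINNED_VERSION}; "
                            "apply the uninstall/reinstall workaround")
    if not legacy_importable:
        return ("broken", f"{DIST_NAME} {PINNED_VERSION} is installed but '{LEGACY_MODULE}' "
                          "does not import; check for a second copy under another interpreter")
    return ("ok", f"{DIST_NAME} {PINNED_VERSION} installed and '{LEGACY_MODULE}' importable")


def probe():
    """Collect the real values from the running interpreter and assess them."""
    try:
        installed = version(DIST_NAME)
    except PackageNotFoundError:
        installed = None
    legacy = importlib.util.find_spec(LEGACY_MODULE) is not None
    return assess(installed, legacy)


if __name__ == "__main__":
    status, advice = probe()
    print(f"[{status}] {advice}")
```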
Virustotal short reports
To make the short reports of the VirusTotal Scan and VirusTotal GetReport analyzers easy to tell apart, we updated them. They now look like the following screenshot:

Running Into Trouble?
Should you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!