Virustotal Error

[Gokul Suresh]

Hi Team,
I am seeing the given error in ossec.log:

2026/03/17 12:30:22 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/03/17 12:30:22 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/03/17 12:30:22 wazuh-integratord: ERROR: Exit status was: 1
2026/03/17 12:36:13 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/03/17 12:36:13 wazuh-integratord: ERROR: While running virustotal -> integrations. Output:   warnings.warn(
2026/03/17 12:36:13 wazuh-integratord: ERROR: Exit status was: 4

These are the logs in integrations.log:

/tmp/virustotal-1770089875--1574857747.alert e6e91485a4722337e38d467f5dace17b9749567b215a72e05295bbcc05466341
/tmp/virustotal-1770090014--169595504.alert e6e91485a4722337e38d467f5dace17b9749567b215a72e05295bbcc05466341
/tmp/virustotal-1770090153-76625409.alert e6e91485a4722337e38d467f5dace17b9749567b215a72e05295bbcc05466341
/tmp/virustotal-1770090292--1865276383.alert e6e91485a4722337e38d467f5dace17b9749567b215a72e05295bbcc05466341

Actually I am getting alerts related to virustotal. So  assume that the integration is working. But the errors in ossec.log is " ERROR: Unable to run integration for virustotal -> integrations".
I would like to know that does the error I get in ossec.log is related to the alerts I get in GUI. 
I can see many alerts as -  " VirusTotal: Error: Public API request rate limit reached" is related to error I get. I would like to get some help regarding fixing these errors.

[John Adewale Olatunde]

Hello Gokul

Exit code 4 ( ERR_NO_RESPONSE_VT) means there's a problem getting a response from Virustotal. In your case, this is related to rate limiting from the VirusTotal side. Please note that the VirusTotal Public API is limited to 500 requests per day and a rate of 4 requests per minute. To fix this, fine-tune your FIM configuration to just the files that need to be monitored with Virus Total. Another option is to get a private VirusTotal API. 

I hope this helps

[Gokul Suresh]

Hi John, thanks for the reply.

In the error I have give there is also " Exit status was: 1".
Does that indicate anything?

[John Adewale Olatunde]

Hello Gokul

I recommend you check this documentation about Virustotal integration working with FIM:
https://documentation.wazuh.com/current/user-manual/capabilities/virustotal-scan/integration.html?highlight=virustotal#use-case-scanning-a-file

The integration is triggered when a file is added/removed/edited in the directories monitored by syscheck. You will see in alerts.json a syscheck alert and then a Virustotal alert. 

To further troubleshoot the exit code 1, change the debug level for wazuh_modules.debug in the  /var/ossec/etc/internal_options.conf file to 2. e.g., wazuh_modules.debug=2 for modules.

After modifying the debug setting, restart the Wazuh manager to apply the changes:
`systemctl restart wazuh-manager`.

The /var/ossec/logs/ossec.log file will show debug information about the Virustotal module. You can filter for it with this command `grep virustotal /var/ossec/logs/ossec.log`

Another option is to troubleshoot VT connectivity using curl.

You can use a simple CURL command can be used to test connectivity and the VT API key.
curl https://www.virustotal.com/vtapi/v2/file/report -F resource=1394942aef881f6fa872e0ce8c604bccb0ece22693b4fb5a5db0f5f2e6979f5e -F apikey=<vt-api-key>

The parameter "resource=" can be changed to the SHA256 hash of any file in the Virus Total database.
The parameter "apikey=" needs to be a valid Virus Total API key.
If connectivity is present and the API key is valid, a file report will be returned in JSON format.
If the API key is invalid, VT will return no text at all.
If connectivity is problematic, CURL will return an error such as "curl: (7)" for a connection failure.
CURL status codes may be found here: https://curl.haxx.se/libcurl/c/libcurl-errors.html