Troubleshooting
When a large list of hashes is provided, VTTL may pause for an extended period, consuming CPU, before displaying further prompts. This is because it is sorting through vtlist.txt to ensure there is no mix of domains/IPs and hashes, as these can't be combined in spreadsheet mode.
Another possibility is that a CSV file was provided to combine with. VTTL will index the CSV before beginning lookups, which takes time. If it seems to be taking a long time, confirm that the CSV line endings contain both carriage return and line feed. Without both, the script treats the whole file as one line, which causes problems.
This behavior also occurs when using feeds, as those need to be loaded into memory for comparison. Loading large amounts of intel is slow, but scanning is typically fast once loaded. Feeds can be disabled via the INI settings:
MalwareFeed=False
AttackerFeed=False
MultiFeed=False
ProxyFeed=False
Adding URIs to the watchlist from intel feeds adds overhead if there are a lot of URIs. To disable this, set the following value in vttl.ini:
WatchIntelURLs=False
Ensure you have properly configured the fallback methods described in the Documentation.
When VTTL pulls items from the local cache it may not delay/sleep between hash lookups. If multiple hashes in a row are found in the cache, VTTL will use CPU continuously until it encounters a hash that is not in the cache.
The following error is displayed:
This can occur when the wrong path is specified for the database. If it is set to a hard-coded path such as the following, make sure the path exists:
database_location=c:\vttl\vttl.db
In the example above, if the folder c:\vttl does not exist, the error will be generated because the database can't be created or accessed. Remove the folder path to have the database created in the current directory:
database_location=vttl.db
This can also occur when the SQLite driver is not properly installed. Open Control Panel > Administrative Tools > Data Sources (ODBC). Click the Drivers tab in the ODBC Data Source Administrator.
Ensure that the SQLite3 ODBC Driver shows up exactly as shown in the screenshot above. If it is missing the "3" after SQLite then you need to uninstall and reinstall the SQLite ODBC driver.
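A pre-flight check for three of the conditions described above (a mixed vtlist.txt, a CSV without CRLF line endings, and a database_location folder that does not exist), as an added example that is not part of VTTL. The function names, the sample inputs and the rule used to recognise a hash are assumptions made for illustration; VTTL's own classification logic may differ.

```python
import ntpath
import os
import re

# Assumption: "hashes" means hex MD5, SHA-1 or SHA-256 values.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

def classify(entry):
    """Return 'hash' or 'domain/IP' for one vtlist.txt entry."""
    return "hash" if HASH_RE.match(entry) else "domain/IP"

def mixed_entries(list_text):
    """Group non-empty list lines by kind; more than one key means a mixed list."""
    groups = {}
    for line in list_text.splitlines():
        if line.strip():
            groups.setdefault(classify(line.strip()), []).append(line.strip())
    return groups

def bare_line_endings(csv_bytes):
    """Count LF-only and CR-only terminators; both are 0 in a CRLF file."""
    crlf = csv_bytes.count(b"\r\n")
    return {"lf_only": csv_bytes.count(b"\n") - crlf,
            "cr_only": csv_bytes.count(b"\r") - crlf}

def missing_db_folder(ini_text):
    """Return the folder named in database_location if it is absent, else None."""
    m = re.search(r"^[ \t]*database_location[ \t]*=(.+)$", ini_text, re.I | re.M)
    # ntpath splits Windows-style paths regardless of the host platform.
    folder = ntpath.dirname(m.group(1).strip()) if m else ""
    return folder if folder and not os.path.isdir(folder) else None

# Constructed sample inputs (not taken from a real VTTL installation).
SAMPLE_LIST = "d41d8cd98f00b204e9800998ecf8427e\nexample.com\n192.0.2.10\n"
SAMPLE_CSV = b"hash,owner\nd41d8cd98f00b204e9800998ecf8427e,lab\n"
SAMPLE_INI = "database_location=c:\\vttl_constructed_missing\\vttl.db\n"

if __name__ == "__main__":
    print("list kinds:", sorted(mixed_entries(SAMPLE_LIST)))
    print("csv endings:", bare_line_endings(SAMPLE_CSV))
    print("missing db folder:", missing_db_folder(SAMPLE_INI))
```

Read the CSV in binary mode (`open(path, "rb")`) before passing it to `bare_line_endings`, since text mode translates line endings and hides the problem.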