VirusTotal integration

File reputation uses the VirusTotal API v3 from Lambda, with optional DynamoDB caching to respect rate limits.

Requirements

1. API key — VIRUSTOTAL_API_KEY on the Lambda function.
2. Route — GET /events/{eventId}/virustotal on API Gateway with CORS (OPTIONS + GET).
3. Script — backend/setup-api-gateway-virustotal.ps1 (and JSON helpers for OPTIONS).
4. Cache table — e.g. edr-virustotal-cache with partition key hash (string).

Full steps: backend/VIRUSTOTAL_SETUP.md in the repository.