Continuing my diary entries on Sysinternals tools with VirusTotal support, I'm taking a look at sigcheck.

Sigcheck is a command-line utility to check the digital signature of files like PE files (EXEs). Sigcheck also supports VirusTotal searches. When you use option -v, the hash of the file will be submitted to VirusTotal. The first time you run it, you'll have to accept VirusTotal's terms (or use option -vt to accept and avoid the prompt).

You'll get the score and a link to the report for the checked file.

If a hash is not present in VirusTotal's database, the file will not be submitted, unless you use option -vs.

You can scan a complete disk with option -s and specifying the root folder of the disk (e.g. c:\), and you can produce a CSV report with option -c.

As can be seen from this last screenshot, files without digital signature are also checked with VirusTotal.

Sysinternals: http://technet.microsoft.com/en-us/sysinternals
VirusTotal: https://www.virustotal.com/

Didier Stevens
DidierStevens 638 Posts ISC Handler Jul 20th 2015 |
Jul 20th 2015 6 years ago |
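An added example, not part of the diary entry and not Sysinternals code: a Python triage pass over the CSV report produced with options -c and -v, listing files with detections first and then unsigned files whose hash VirusTotal does not know. The column names (Path, Verified, VT detection, VT link), the n|total score format and the "Unknown" value are assumptions about sigcheck's CSV output, and the sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample report. The column names, the "n|total" score format and
# the "Unknown" value are assumptions about sigcheck's CSV output; a real
# report carries more columns, which DictReader simply ignores here.
SAMPLE_REPORT = """Path,Verified,Publisher,VT detection,VT link
C:\\demo\\signed-clean.exe,Signed,Example Corp,0|56,https://vt.example/report-1
C:\\demo\\unsigned-clean.exe,Unsigned,n/a,0|55,https://vt.example/report-2
C:\\demo\\unsigned-flagged.exe,Unsigned,n/a,12|56,https://vt.example/report-3
C:\\demo\\signed-flagged.dll,Signed,Example Corp,2|57,https://vt.example/report-4
C:\\demo\\never-seen.exe,Unsigned,n/a,Unknown,n/a
"""

SCORE_RE = re.compile(r"^\s*(\d+)\s*[|/]\s*(\d+)\s*$")

def parse_score(cell):
    """Return (positives, total), or None when the cell holds no score."""
    m = SCORE_RE.match(cell or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(report_text, min_positives=1):
    """Return the rows worth an analyst's time, most-detected first."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        score = parse_score(row.get("VT detection"))
        signed = row.get("Verified", "").strip().lower() == "signed"
        if score and score[0] >= min_positives:
            reason = "detected"
        elif score is None and not signed:
            reason = "unsigned, hash unknown to VirusTotal"
        else:
            continue  # clean score, or signed with no VirusTotal record
        findings.append({"path": row["Path"], "signed": signed,
                         "positives": score[0] if score else None,
                         "reason": reason, "link": row.get("VT link", "")})
    # Detections first (highest count on top), unknown unsigned files last.
    findings.sort(key=lambda f: f["positives"] or 0, reverse=True)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

A valid signature does not exempt a file from the list: the signed DLL with two detections in the sample is still reported.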
Great tip. Really enjoy the VirusTotal diary entries.
Besides digital signatures, "sigcheck -h" can be used to compute MD5, SHA1 and SHA256 checksums. A convenient feature for validating downloads.
Mike7 43 Posts |
Jul 20th 2015 6 years ago |
Loving the VirusTotal / Sysinternals tips.
TuggDougins 37 Posts |
Jul 20th 2015 6 years ago |
"You can scan a complete disk with option -s and specifying the root folder of the disk (e.g. c:\)"
Is this safe and efficient, or is it going to wind up uploading all my documents and 800 GB ISO files to VirusTotal, or making an HTTP request for every file on my hard disk? E.g. is "scanning a complete disk" actually advisable?
Mysid 146 Posts |
Jul 20th 2015 6 years ago |
Like I wrote, there are no uploads unless you explicitly instruct this with option -vs.
The example for the complete disk is without uploads.
DidierStevens 638 Posts ISC Handler |
Jul 20th 2015 6 years ago |
VirusTotal has a private API and operates a commercial (premium) service, so obviously this is not unlimited use. For corporate users, at what point does this become a TOS violation?
Derperson 2 Posts |
Aug 6th 2015 6 years ago |
Sigcheck uses VirusTotal's Public API, not the Private API.
DidierStevens 638 Posts ISC Handler |
Aug 6th 2015 6 years ago |
My IP got blocked by VirusTotal while I was scanning my drive. Any suggestions what I can do about it?
Anonymous |
Jan 17th 2018 4 years ago |
VirusTotal cannot block an IP address. A third-party tool could decide to block an IP address based on the information returned by the VirusTotal API.
Xme 687 Posts ISC Handler |
Jan 18th 2018 4 years ago |