Search Form

Enter a sha1 or md5 hash, or a filename.
The search is not case sensitive.
The Malware search only works for md5 hashes at this point.

Current database size: 39,944,023 samples.

Summary

This page will search your for a hash in the NIST National Software reference Library for files matching your hash. The NSRL is a collection of hashes of "known" software. If you find a random file on your system, and are not sure if it is part of some software you installed, enter the hash here and see if we find it. The NSRL database may contain software that is considered "bad" in some environments. For example games and steganography software is included, as well as security software like nessus and nmap that is sometimes classified as a "hacking tool". Which software is appropriate for a given environment is a matter of policy.

We are using version 2.27 (December 2009). You can search for SHA1 or MD5 hashes. There are no Windows 7 hashes yet. NIST offers a Knoppix bootable CD that can be used to collect hashes. We are interested in adding more sources of hashes and would be interested in your hash collection if you have one to offer. Note: The NIST NSRL database only includes hashes of files from original install media. Currently, no patched versions are included. As a result, your hash may differ if that particular file was patched after the original release.

In addition to the NIST database, we also run a test against the Team Cymru Hash Registry. It covers malware. If a match is found we will post a link to the respective page at Threatexpert.com (only for MD5 hashes right now).

Additional Data
  • Windows XP SP3 x86
  • Windows XP SP3 x86 fully patched as of Feb 2010
  • Windows 7 64bit
  • Windows 7 64bit fully patched as of Feb 2010

DNS Interface

MD5 sums from the complete known database can now be queried via DNS. The zone is "md5.dshield.org" and the data is stored as TXT record. To query it via dig:

                  dig +short 84C0C5914FF0B825141BA2C6A9E3D6F4.md5.dshield.org TXT
                  "cmd.exe | NIST"
                

Nothing is returned if the MD5 sum is not in the database. The returned string includes the file name, followed by a pipe character, and the data source (NIST or ISC).
Important: If you plan to automated this, please check this record before using the data: 'dig +short version.md5.dshield.org TXT'. The version will be incremented whenever the output format changes. Given that this is still experimental, we may change the output format without notice.

Other similar database:

Bit9 Fileadvisor (opens in new window)

Virus Total analyzes suspicious files and URLs (opens in new window)