Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-01-23 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Sigcheck and VirusTotal for Offline Machine

Published: 2016-01-23
Last Updated: 2016-01-23 16:50:08 UTC
by Didier Stevens (Version: 1)
1 comment(s)

In a diary entry I showed a great new feature of Sysinternals' sigcheck: integration with VirusTotal. This required the scanned machine to have Internet access. But in a follow-up diary entry I explained a work-around for machines without Internet access.

Mark brings us good news: the latest version of sigcheck (v2.42) can scan a machine without Internet access in 2 steps. First you scan the machine and save the results in a CSV file, and then you use sigcheck to query VirusTotal from another machine with Internet access.

Let me illustrate with a couple of screenshots.

First of all, just a simple check without VirusTotal:

Then we use option -h to calculate hashes:

And then we add option -c to create a CSV file:

Then we copy the CSV file to another machine with Internet access, and use option -o -v to query VirusTotal using the hashes stored in the CSV file:

This example is for one file. But of course, sigcheck can check many files if you point it to a folder and use option -s to recurse.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

1 comment(s)
Diary Archives