
SANS ISC: InfoSec Handlers Diary Blog



Sigcheck and VirusTotal

Published: 2015-07-17
Last Updated: 2015-07-20 09:05:42 UTC
by Didier Stevens (Version: 1)
6 comment(s)

Continuing my diary entries on Sysinternals tools with VirusTotal support, I'm taking a look at sigcheck.

Sigcheck is a command-line utility to check the digital signature of files like PE files (EXEs).

Sigcheck also supports VirusTotal searches. When you use option -v, the hash of the file will be submitted to VirusTotal. The first time you run it, you'll have to accept VirusTotal's terms (or use option -vt to accept and avoid the prompt):

You'll get the score and a link to the report for the checked file.

If a hash is not present in VirusTotal's database, the file will not be submitted, unless you use option -vs:

You can scan a complete disk with option -s, specifying the root folder of the disk (e.g. c:\), and you can produce a CSV report with option -c:

As can be seen from this last screenshot, files without digital signature are also checked with VirusTotal.
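Once sigcheck -s -c has produced a CSV report with VirusTotal scores, the useful triage is to pull out the files that are unsigned, the files with positive detections, and the hashes VirusTotal had never seen (the ones that -vs would submit). The following Python is an added example, not code from the diary or from Sysinternals; the column names Path, Verified, VT detection and VT link and the "positives/total" format are assumed from sigcheck's CSV output, and the report rows are constructed.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of a sigcheck -s -c report (column names assumed from
# sigcheck's CSV output; paths, dates and scores are made up for illustration).
SAMPLE_REPORT = """\
Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type,VT detection,VT link
"C:\\Windows\\System32\\notepad.exe","Signed","1:04 PM 7/10/2009","Microsoft Corporation","Microsoft Corporation","Notepad","Microsoft Windows Operating System","6.1.7600.16385","6.1.7600.16385","64-bit","0/56","https://www.virustotal.com/file/EXAMPLEHASH1/analysis/"
"C:\\Users\\Public\\tool.exe","Unsigned","9:12 AM 7/15/2015","n/a","n/a","n/a","n/a","n/a","n/a","32-bit","37/56","https://www.virustotal.com/file/EXAMPLEHASH2/analysis/"
"C:\\Users\\Public\\build.exe","Unsigned","9:12 AM 7/15/2015","n/a","n/a","n/a","n/a","n/a","n/a","32-bit","Unknown","n/a"
"""


@dataclass
class Finding:
    path: str
    verified: str
    positives: Optional[int]  # None when VirusTotal has no report for the hash
    total: Optional[int]
    link: str


def parse_vt_detection(value: str) -> Tuple[Optional[int], Optional[int]]:
    """Parse sigcheck's 'positives/total' string; anything else (e.g. 'Unknown',
    'n/a', empty) is treated as 'hash not in VirusTotal's database' (assumption)."""
    parts = value.strip().split("/")
    if len(parts) == 2 and all(p.isdigit() for p in parts):
        return int(parts[0]), int(parts[1])
    return None, None


def triage(report_text: str, min_positives: int = 1) -> List[Finding]:
    """Return rows that are not 'Signed' or have at least min_positives detections.
    Unsigned files with no VirusTotal report are kept (positives=None) so they can
    be reviewed or submitted with -vs; signed, clean files are dropped."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        positives, total = parse_vt_detection(row.get("VT detection", ""))
        unsigned = row.get("Verified", "") != "Signed"
        detected = positives is not None and positives >= min_positives
        if unsigned or detected:
            findings.append(Finding(row["Path"], row["Verified"], positives, total,
                                    row.get("VT link", "")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        score = "not in VirusTotal" if f.positives is None else f"{f.positives}/{f.total}"
        print(f"{f.verified:9} {score:18} {f.path}")
```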

Sysinternals: http://technet.microsoft.com/en-us/sysinternals

VirusTotal: https://www.virustotal.com/

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
