Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Sigcheck and VirusTotal for Offline Machine - SANS Internet Storm Center


Sigcheck and VirusTotal for Offline Machine

In a diary entry I showed a great new feature of Sysinternals' sigcheck: integration with VirusTotal. This required the scanned machine to have Internet access. In a follow-up diary entry I explained a work-around for machines without Internet access.

Mark brings us good news: the latest version of sigcheck (v2.42) can scan a machine without Internet access in two steps. First you scan the machine and save the results (including hashes) in a CSV file; then, on another machine that does have Internet access, you use sigcheck to query VirusTotal with the hashes stored in that CSV file.

Let me illustrate with a couple of screenshots.

First of all, just a simple check without VirusTotal:

Then we use option -h to calculate hashes:

And then we add option -c to create a CSV file:

Then we copy the CSV file to another machine with Internet access, and use options -o and -v to query VirusTotal with the hashes stored in the CSV file:

This example is for one file. But of course, sigcheck can check many files if you point it to a folder and use option -s to recurse.
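As an added example that is not part of the diary (and not Sysinternals' own code), here is a PowerShell wrapper for the two-step workflow applied to a whole folder tree: run it in "Collect" mode on the offline machine, carry the CSV over, then run it in "Lookup" mode on the connected machine and have it summarise which files VirusTotal flagged. It assumes sigcheck.exe v2.42 or later is on the PATH of both machines. The -accepteula, -nobanner and -vt switches are sigcheck options the diary does not mention; the CSV column names "VT detection" and "Path", and the assumption that -c also renders the -o lookup output as CSV, come from sigcheck's CSV header in my experience and may need adjusting for your version. The default target folder is just a constructed example.

```powershell
# Added example: two-step sigcheck / VirusTotal check for an offline machine.
# Step 1 ("Collect") runs where the files live and needs no Internet access.
# Step 2 ("Lookup") runs on a connected machine and only sends the hashes.
param(
    [Parameter(Mandatory)][ValidateSet('Collect', 'Lookup')][string]$Mode,
    [string]$Target = 'C:\Windows\System32',   # constructed example target; pass your own
    [string]$Csv    = '.\sigcheck-hashes.csv',  # output of step 1, input of step 2
    [string]$Report = '.\sigcheck-vt.csv'       # VirusTotal-annotated output of step 2
)

switch ($Mode) {
    'Collect' {
        # -s recurse, -h compute hashes, -c CSV output (the three options from the diary).
        # -accepteula and -nobanner (assumed, standard Sysinternals switches) keep the
        # output machine-readable on a first run; no network traffic is generated here.
        & sigcheck.exe -accepteula -nobanner -s -h -c $Target | Out-File -Encoding utf8 $Csv
        $count = (Import-Csv $Csv | Measure-Object).Count
        Write-Host "Collected signature info and hashes for $count files into $Csv"
        Write-Host "Copy $Csv to a machine with Internet access and run with -Mode Lookup"
    }
    'Lookup' {
        if (-not (Test-Path $Csv)) { throw "Hash file $Csv not found" }
        # -o reads the hashes from the CSV captured in step 1, -v queries VirusTotal
        # (the two options from the diary). -vt accepts VirusTotal's terms of service
        # non-interactively; -c is assumed to keep the lookup output in CSV form.
        & sigcheck.exe -accepteula -nobanner -vt -o -v -c $Csv | Out-File -Encoding utf8 $Report
        $rows = Import-Csv $Report

        # Sort the results into three buckets a responder cares about: files with at
        # least one detection, files VirusTotal has never seen, and the rest.
        $flagged = @(); $unknown = @(); $clean = 0
        foreach ($r in $rows) {
            $vt = [string]$r.'VT detection'    # assumed column name, e.g. "3/57"
            if ($vt -match '^(\d+)/(\d+)$') {
                $hits = [int]$Matches[1]; $engines = [int]$Matches[2]
                if ($hits -gt 0) {
                    $flagged += [pscustomobject]@{ Path = $r.Path; Hits = $hits; Engines = $engines }
                } else { $clean++ }
            } else {
                # Anything that is not "n/m" (e.g. "Unknown" or empty) was not scanned by VT.
                $unknown += $r.Path
            }
        }

        Write-Host ("Clean: {0}  Unknown to VirusTotal: {1}  Flagged: {2}" -f $clean, $unknown.Count, $flagged.Count)
        # Show the worst offenders first so triage starts with the highest-confidence hits.
        $flagged | Sort-Object Hits -Descending | Format-Table -AutoSize
        if ($unknown.Count -gt 0) {
            Write-Host "Files never seen by VirusTotal (worth a closer look, not proof of malice):"
            $unknown | ForEach-Object { Write-Host "  $_" }
        }
    }
}
```

Note that a "0/57" result only means no engine currently flags that hash; files in the unknown bucket are simply absent from VirusTotal and deserve the same manual scrutiny as unsigned files, which is exactly what sigcheck's signature column in the same CSV helps you prioritise.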

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

Hiya,

thanks for this.

I am just wondering, wouldn't this be a violation of VirusTotal's ToS:

not to use the Services in any way that could directly or indirectly hinder the antivirus industry/URL scanner industry.

I understand you are not a lawyer - neither am I.

Cheers

Thomas
Anonymous