Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Sigcheck and VirusTotal for Offline Machine SANS ISC InfoSec Forums

Special Webcast: What you need to know about the crypt32.dll vulnerability. Register Now

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Sigcheck and VirusTotal for Offline Machine

In a diary entry I showed a great new feature of Sysinternals' sigcheck: integration with VirusTotal. This required the scanned machine to have Internet access. But in a follow-up diary entry I explained a work-around for machines without Internet access.

Mark brings us good news: the latest version of sigcheck (v2.42) can scan a machine without Internet access in 2 steps. First you scan the machine and save the results in a CSV file, and then you use sigcheck to query VirusTotal from another machine with Internet access.

Let me illustrate with a couple of screenshots.

First of all, just a simple check without VirusTotal:

Then we use option -h to calculate hashes:

And then we add option -c to create a CSV file:

Then we copy the CSV file to another machine with Internet access, and use option -o -v to query VirusTotal using the hashes stored in the CSV file:

This example is for one file. But of course, sigcheck can check many files if you point it to a folder and use option -s to recurse.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
IT Security consultant at Contraste Europe.


411 Posts
ISC Handler

thanks for this.

I am just wondering, wouldn't this be a violation of VirusTotal's ToS:

not to use the Services in any way that could directly or indirectly hinder the antivirus industry/URL scanner industry.

I understand, you are not a lawyer - neither I am.



Sign Up for Free or Log In to start participating in the conversation!