
SANS ISC: Sigcheck and VirusTotal SANS ISC InfoSec Forums


Sigcheck and VirusTotal

Continuing my diary entries on Sysinternals tools with VirusTotal support, I'm taking a look at sigcheck.

Sigcheck is a command-line utility to check the digital signature of files like PE files (EXEs).

Sigcheck also supports VirusTotal searches. When you use option -v, the hash of the file will be submitted to VirusTotal. The first time you run it, you'll have to accept VirusTotal's terms (or use option -vt to accept and avoid the prompt):

You'll get the score and a link to the report for the checked file.

If a hash is not present in VirusTotal's database, the file will not be submitted, unless you use option -vs:

You can scan a complete disk with option -s, specifying the root folder of the disk (e.g. c:\), and you can produce a CSV report with option -c:

As can be seen from this last screenshot, files without a digital signature are also checked with VirusTotal.
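The CSV report produced by a scan like the one above is most useful when you triage it: unsigned files with VirusTotal detections first, then unsigned files whose hash VirusTotal has never seen (with -vs those would have been uploaded). The following is an added example, not part of the diary or of sigcheck; the column names and the "Signed"/"Unsigned"/"Unknown" cell values are assumptions modelled on sigcheck's report layout, and the report text is constructed:

```python
import csv
import io

# Constructed sample of a "sigcheck -c -s -v" report. Column names are an
# assumption modelled on sigcheck's CSV layout; they may differ between versions.
SAMPLE_REPORT = r"""Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type,VT detection,VT link
c:\tools\good.exe,Signed,1:00 PM 1/2/2015,Microsoft Corporation,Microsoft Corporation,Example,Example,1.0,1.0,64-bit,0/57,https://www.virustotal.com/file/EXAMPLE-A/analysis/
c:\tools\unsigned.exe,Unsigned,n/a,n/a,n/a,n/a,n/a,n/a,n/a,32-bit,3/57,https://www.virustotal.com/file/EXAMPLE-B/analysis/
c:\tools\new.exe,Unsigned,n/a,n/a,n/a,n/a,n/a,n/a,n/a,32-bit,Unknown,n/a
"""


def parse_detection(value):
    """Turn a 'VT detection' cell such as '3/57' into (positives, total).

    Returns None when the hash is not in VirusTotal's database (assumed to be
    reported as 'Unknown'); without -vs the file itself is never uploaded.
    """
    if "/" not in value:
        return None
    positives, total = value.split("/", 1)
    return int(positives), int(total)


def triage(report_text, min_positives=1):
    """Select and rank rows from a sigcheck CSV report.

    Kept: any file with at least min_positives detections, and any unsigned
    file VirusTotal has not seen. Dropped: signed, clean files. Rows with
    detections come first (most positives at the top), unknown hashes last.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        detection = parse_detection(row.get("VT detection", ""))
        unsigned = row.get("Verified", "") != "Signed"
        positives, total = detection if detection else (None, None)
        if detection is None and unsigned:
            reason = "unsigned, hash unknown to VirusTotal"
        elif detection is not None and positives >= min_positives:
            reason = "VirusTotal detections"
        else:
            continue
        findings.append({"path": row["Path"], "verified": row["Verified"],
                         "positives": positives, "total": total,
                         "reason": reason, "link": row.get("VT link", "")})
    # Known detections first, highest count on top; unknown hashes at the end.
    findings.sort(key=lambda f: (f["positives"] is None, -(f["positives"] or 0)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f["path"], f["verified"], f["positives"], f["total"], f["reason"])
```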

Sysinternals: http://technet.microsoft.com/en-us/sysinternals

VirusTotal: https://www.virustotal.com/

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

481 Posts
ISC Handler
Jul 20th 2015
Great tip. Really enjoy the virus total diary entries.


Besides digital signatures, "sigcheck -h" can be used to compute MD5, SHA1 and SHA256 checksums.
A convenient feature for validating downloads.
Mike7

43 Posts
loving the virus total / sysinternals tips.
TuggDougins

37 Posts
" You can scan a complete disk with option -s and specifying the root folder of the disk (e.g. c:\)"

Is this safe and efficient, or is it going to wind up uploading all my documents and 800gb ISO files to VirusTotal,
or making a HTTP request for every file on my hard disk?

E.g. Is "scanning a complete disk" actually advisable?
Mysid

146 Posts
Like I wrote, there are no uploads unless you explicitly instruct this with option -vs.
The example for the complete disk is without uploads.
DidierStevens

481 Posts
ISC Handler
VirusTotal has a private API and operates a commercial (premium) service, so obviously this is not unlimited use. For corporate users, at what point does this become a TOS violation?
Derperson

2 Posts
Sigcheck uses VirusTotal's Public API, not the Private API.
DidierStevens

481 Posts
ISC Handler
My IP got blocked by VirusTotal while I was scanning my drive, any suggestions what I can do about it?
Anonymous
VirusTotal cannot block an IP address. A 3rd party tool could decide to block an IP address based on the information returned by the VirusTotal API.
Xme

556 Posts
ISC Handler
