
SANS ISC: Sigcheck and VirusTotal - SANS Internet Storm Center InfoSec Forums


Sigcheck and VirusTotal

Continuing my diary entries on Sysinternals tools with VirusTotal support, I'm taking a look at sigcheck.

Sigcheck is a command-line utility to check the digital signature of files like PE files (EXEs).

Sigcheck also supports VirusTotal searches. When you use option -v, the hash of the file is submitted to VirusTotal for lookup (the file itself is not uploaded). The first time you run it, you'll have to accept VirusTotal's terms (or use option -vt to accept them up front and avoid the prompt):

You'll get the score and a link to the report for the checked file.

If a hash is not present in VirusTotal's database, the file itself will not be submitted unless you explicitly use option -vs:

You can scan a complete disk with option -s (recurse into subfolders) by specifying the root folder of the disk (e.g. c:\) as the path, and you can produce a CSV report with option -c:

As can be seen from this last screenshot, files without digital signature are also checked with VirusTotal.
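A CSV report over a whole disk is only useful if you can triage it afterwards. The script below is an added example, not part of the diary or of Sysinternals' own tooling: it reads a sigcheck -c report, sorts out the files VirusTotal flagged, and separately lists unsigned files whose hash VirusTotal does not know (the ones that would only get a verdict if you chose to upload them with -vs). The column names (Path, Verified, VT detection, VT link), the "positives/total" cell format and the "Unknown" marker are assumptions about sigcheck's CSV layout; check them against the header line of your own report. The sample report is constructed for the example.

```python
import csv
import io
import sys
from dataclasses import dataclass
from typing import Optional

# Assumed sigcheck -c column names (not taken from the diary); adjust to your report's header.
PATH_COL = "Path"
VERIFIED_COL = "Verified"
VT_DETECTION_COL = "VT detection"
VT_LINK_COL = "VT link"

# Constructed sample report in the assumed layout; hashes in links are placeholders.
SAMPLE_REPORT = """\
Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type,VT detection,VT link
c:\\Windows\\System32\\notepad.exe,Signed,2015-01-01 10:00,Microsoft Windows,Microsoft Corporation,Notepad,Microsoft Windows Operating System,6.3.9600,6.3.9600,64-bit,0/57,https://www.virustotal.com/file/<placeholder-hash>/analysis/
c:\\Users\\alice\\Downloads\\setup.exe,Unsigned,2015-02-02 11:00,n/a,n/a,n/a,n/a,n/a,n/a,32-bit,23/57,https://www.virustotal.com/file/<placeholder-hash>/analysis/
c:\\Users\\alice\\Downloads\\tool.exe,Unsigned,2015-02-03 12:00,n/a,n/a,n/a,n/a,n/a,n/a,64-bit,Unknown,n/a
c:\\Program Files\\Vendor\\app.exe,Signed,2015-02-04 13:00,Vendor Inc,Vendor Inc,App,App,1.0,1.0,64-bit,2/57,https://www.virustotal.com/file/<placeholder-hash>/analysis/
"""


@dataclass
class Finding:
    path: str
    verified: str
    positives: Optional[int]  # None when VirusTotal returned no verdict for the hash
    total: Optional[int]
    link: str


def parse_detection(value: str):
    """Turn a 'positives/total' cell into two ints; anything else (Unknown, n/a, blank) means no verdict."""
    left, sep, right = value.strip().partition("/")
    if not sep:
        return None, None
    try:
        return int(left), int(right)
    except ValueError:
        return None, None


def triage(report_text: str) -> dict:
    """Split a sigcheck CSV report into detected files, unsigned-but-unknown files and unsigned-but-clean files."""
    reader = csv.DictReader(io.StringIO(report_text))
    detected, unsigned_unknown, unsigned_clean = [], [], []
    for row in reader:
        positives, total = parse_detection(row.get(VT_DETECTION_COL, ""))
        finding = Finding(row[PATH_COL], row[VERIFIED_COL], positives, total, row.get(VT_LINK_COL, ""))
        unsigned = finding.verified.strip().lower() != "signed"
        if positives is not None and positives > 0:
            detected.append(finding)          # flagged by at least one engine, signed or not
        elif unsigned and positives is None:
            unsigned_unknown.append(finding)  # no signature and no VT verdict: needs manual review
        elif unsigned:
            unsigned_clean.append(finding)    # no signature, but VT knows the hash and nobody flags it
    # Highest detection ratio first so the report starts with the most suspicious files.
    detected.sort(key=lambda f: f.positives / f.total if f.total else 0, reverse=True)
    return {"detected": detected, "unsigned_unknown": unsigned_unknown, "unsigned_clean": unsigned_clean}


def print_summary(result: dict) -> None:
    for bucket, findings in result.items():
        print(f"== {bucket} ({len(findings)})")
        for f in findings:
            verdict = f"{f.positives}/{f.total}" if f.positives is not None else "no verdict"
            print(f"  {f.path}  [{f.verified}]  {verdict}  {f.link}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Encoding of a captured report depends on how you redirected sigcheck's output; utf-8-sig is an assumption.
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            print_summary(triage(fh.read()))
    else:
        print_summary(triage(SAMPLE_REPORT))
```

Run it without arguments to see the buckets on the constructed sample, or pass the path of a real report. Signed files with detections still land in the detected bucket on purpose: a valid signature tells you who published a file, not that it is harmless.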

Sysinternals: http://technet.microsoft.com/en-us/sysinternals

VirusTotal: https://www.virustotal.com/

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

338 Posts
ISC Handler
Great tip. Really enjoy the virus total diary entries.


Besides digital signatures, "sigcheck -h" can be used to compute MD5, SHA1 and SHA256 checksums.
A convenient feature for validating downloads.
Mike7

42 Posts
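For readers who want the same download check on a machine without sigcheck, here is an added example (not from the diary and not part of Sysinternals): it computes the MD5, SHA1 and SHA256 digests of a file in chunks, picks the algorithm that matches the length of a published hex digest, and compares in constant time. The function names and the constructed sample bytes are the example's own.

```python
import hashlib
import hmac
from typing import Dict

# Hex digest length identifies the algorithm a publisher used (32 = MD5, 40 = SHA1, 64 = SHA256).
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    """Return the three digests sigcheck -h would report, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file of any size without loading it fully into memory."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_published(digests: Dict[str, str], published_hex: str) -> bool:
    """Check a computed digest set against the hex value a vendor published for the download."""
    published_hex = published_hex.strip().lower()
    algo = _ALGO_BY_HEX_LEN.get(len(published_hex))
    if algo is None:
        return False  # not a digest length we recognise; treat as a failed check, not a pass
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(digests[algo], published_hex)


if __name__ == "__main__":
    # Constructed sample input; a real check would call digests_of_file(path) on the download.
    sample = b"hello world"
    d = digests_of_bytes(sample)
    for name, value in d.items():
        print(f"{name.upper():7} {value}")
    print("match:", matches_published(d, "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"))
```

When a vendor publishes only an MD5 or SHA1, the check still catches a corrupted or swapped download, but those algorithms no longer resist a deliberate collision; prefer the SHA256 value whenever one is offered.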
loving the virus total / sysinternals tips.
TuggDougins

37 Posts
" You can scan a complete disk with option -s and specifying the root folder of the disk (e.g. c:\)"

Is this safe and efficient, or is it going to wind up uploading all my documents and 800GB ISO files to VirusTotal,
or making an HTTP request for every file on my hard disk?

E.g. Is "scanning a complete disk" actually advisable?
Mysid

146 Posts
Like I wrote, there are no uploads unless you explicitly instruct this with option -vs.
The example for the complete disk is without uploads.
DidierStevens

338 Posts
ISC Handler
Virustotal has a private API and operates a commercial (premium) service, so obviously this is not unlimited use. For corporate users, at what point does this become a TOS violation?
Derperson

2 Posts
Sigcheck uses VirusTotal's Public API, not the Private API.
DidierStevens

338 Posts
ISC Handler
My ip got blocked by virustotal while I was scanning my drive, any suggestions what I can do about it?
Anonymous
VirusTotal cannot block an IP address. A 3rd party tool could decide to block IP addresses based on the information returned by the VirusTotal API.
Xme

448 Posts
ISC Handler
