Sigcheck and VirusTotal
Continuing my diary entries on Sysinternals tools with VirusTotal support, I'm taking a look at sigcheck.
Sigcheck is a command-line utility to check the digital signature of files like PE files (EXEs).
Sigcheck also supports VirusTotal searches. When you use option -v, the hash of the file will be submitted to VirusTotal. The first time you run it, you'll have to accept VirusTotal's terms (or use option -vt to accept and avoid the prompt):
You'll get the score and a link to the report for the checked file.
If a hash is not present in VirusTotal's database, the file will not be submitted, unless you use option -vs:
You can scan a complete disk with option -s and specifying the root folder of the disk (e.g. c:\), and you can produce a CSV report with option -c:
As can be seen from this last screenshot, files without digital signature are also checked with VirusTotal.
Sysinternals: http://technet.microsoft.com/en-us/sysinternals
VirusTotal: https://www.virustotal.com/
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
Autoruns and VirusTotal
Continuing my diary entries on Sysinternals tools with VirusTotal support, I'm taking a look at autoruns.
Autoruns is another fine Sysinternals tool that comes with VirusTotal integration. If you are not familiar with autoruns, it scans all auto-starting locations in Windows and provides a comprehensive report. This gives you an overview of all programs that start automatically on the scanned Windows machine.
When you start autoruns it will start scanning the Windows machine. Wait for the scan to terminate, or abort it with the Escape key.
Go to the scan options:
And enable "Check VirusTotal.com":
With this option, autoruns will only submit hashes to VirusTotal. If a file is not known by VirusTotal, you won't have a score. But if you enable "Submit Unknown Images" too, then autoruns will submit (upload) files that are not in VirusTotal's database, and you will have a score after VirusTotal finishes scanning the file (this takes a couple of minutes).
You have to agree to VirusTotal's terms of use to enable this feature:
Hashes will be submitted:
And soon you'll have the VirusTotal scores for known entries:
.png)
Sysinternals: http://technet.microsoft.com/en-us/sysinternals
VirusTotal: https://www.virustotal.com/
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
Process Explorer and VirusTotal
About a year ago, Rob had a diary entry about checking a file from Process Explorer with VirusTotal.
Did you know you can have all EXEs of running processes scanned with VirusTotal?
In Process Explorer, add column VirusTotal:
Enable VirusTotal checks:
And accept the VirusTotal terms:
(update: as you can see, by default Process Explorer only submits hashes to VirusTotal, not files, unless you explicitly instruct it to submit a file).
And now you can see the VirusTotal scores:
Process Explorer is not the only Sysinternals tool that comes with VirusTotal support. I'll showcase more tools in upcoming diary entries.
Sysinternals: http://technet.microsoft.com/en-us/sysinternals
VirusTotal: https://www.virustotal.com/
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
https://defineprogramming.com/
Dec 26th 2022
8 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
8 months ago
rthrth
Jan 2nd 2023
8 months ago