Sigcheck and VirusTotal

Continuing my diary entries on Sysinternals tools with VirusTotal support, I'm taking a look at sigcheck.

Sigcheck is a command-line utility to check the digital signature of files like PE files (EXEs).

Sigcheck also supports VirusTotal searches. When you use option -v, the hash of the file will be submitted to VirusTotal. The first time you run it, you'll have to accept VirusTotal's terms (or use option -vt to accept and avoid the prompt):

You'll get the score and a link to the report for the checked file.

If a hash is not present in VirusTotal's database, the file will not be submitted, unless you use option -vs:

You can scan a complete disk with option -s and specifying the root folder of the disk (e.g. c:\), and you can produce a CSV report with option -c:

As can be seen from this last screenshot, files without digital signature are also checked with VirusTotal.



Didier Stevens
Microsoft MVP Consumer Security


677 Posts
ISC Handler
Jul 20th 2015
Great tip. Really enjoy the virus total diary entries.

Besides digital signatures, "sigcheck -h" can be used to compute MD5, SHA1 and SHA256 checksums.
A convenient feature for validating downloads.

43 Posts
loving the virus total / sysinternals tips.

37 Posts
" You can scan a complete disk with option -s and specifying the root folder of the disk (e.g. c:\)"

Is this safe and efficient, or is it going to wind up uploading all my documents and 800gb ISO files to VirusTotal,
or making a HTTP request for every file on my hard disk?

E.g. Is "scanning a complete disk" actually advisable?

146 Posts
Like I wrote, there are no uploads unless you explicitly instruct this with option -vs
The example for the complete disk is without uploads.

677 Posts
ISC Handler
Virustotal has a private API and operates a commercial (premium) service, so obviously this is not unlimited use. For corporate users, at what point does this become a TOS violation?

2 Posts
Sigcheck uses VirusTotal's Public API, not the Private API.

677 Posts
ISC Handler
My ip got blocked by virustotal while I was scanning my drive, any suggestions what I can do about it?
VirusTotal cannot block an IP address. A 3rd party tool could decide to block an IP addresses based on the information returned by the VirusTotal API.

712 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!