Sigcheck and VirusTotal for Offline Machine

Published: 2016-01-23. Last Updated: 2016-01-23 16:50:08 UTC
by Didier Stevens (Version: 1)
1 comment(s)

In a diary entry I showed a great new feature of Sysinternals' sigcheck: integration with VirusTotal. This required the scanned machine to have Internet access. But in a follow-up diary entry I explained a work-around for machines without Internet access.

Mark brings us good news: the latest version of sigcheck (v2.42) can scan a machine without Internet access in 2 steps. First you scan the machine and save the results in a CSV file, and then you use sigcheck to query VirusTotal from another machine with Internet access.

Let me illustrate with a couple of screenshots.

First of all, just a simple check without VirusTotal:

Then we use option -h to calculate hashes:

And then we add option -c to create a CSV file:

Then we copy the CSV file to another machine with Internet access, and use option -o -v to query VirusTotal using the hashes stored in the CSV file:

This example is for one file. But of course, sigcheck can check many files if you point it to a folder and use option -s to recurse.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

1 comment(s)

Comments

Hiya,

thanks for this.

I am just wondering, wouldn't this be a violation of VirusTotal's ToS:


not to use the Services in any way that could directly or indirectly hinder the antivirus industry/URL scanner industry.


I understand, you are not a lawyer - neither I am.


Cheers

Thomas

Diary Archives