Sigcheck and VirusTotal for Offline Machine
In a diary entry I showed a great new feature of Sysinternals' sigcheck: integration with VirusTotal. This required the scanned machine to have Internet access. But in a follow-up diary entry I explained a work-around for machines without Internet access.
Mark brings us good news: the latest version of sigcheck (v2.42) can scan a machine without Internet access in two steps. First you scan the machine and save the results in a CSV file; then, on another machine with Internet access, you use sigcheck to query VirusTotal with the hashes in that CSV file.
Let me illustrate with a couple of screenshots.
First of all, just a simple check without VirusTotal:
Then we use option -h to calculate hashes:
And then we add option -c to create a CSV file:
Then we copy the CSV file to another machine with Internet access, and use option -o -v to query VirusTotal using the hashes stored in the CSV file:
This example is for one file. But of course, sigcheck can check many files if you point it to a folder and use option -s to recurse.
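The CSV produced by the second, online step is where triage happens. As an added example that is not part of this diary or of sigcheck itself, here is a small Python helper that reads that CSV and lists files VirusTotal flagged or did not know; it assumes a header with Path, Verified, SHA256 and "VT detection" columns (check the header your sigcheck version writes) and runs on a constructed sample.

```python
import csv
import io

# Constructed sample of what "sigcheck -o -v hashes.csv" writes on the
# online machine. Column names are assumed; hashes and counts are invented.
SAMPLE_CSV = r"""Path,Verified,Publisher,SHA256,VT detection,VT link
C:\Windows\System32\notepad.exe,Signed,Microsoft Windows,AAAA0000,0/57,https://www.virustotal.com/placeholder-1
C:\Users\alice\Downloads\invoice.exe,Unsigned,n/a,BBBB1111,41/57,https://www.virustotal.com/placeholder-2
C:\Tools\helper.dll,Unsigned,n/a,CCCC2222,Unknown,n/a
"""


def parse_detection(value):
    """Return (hits, engines) from a 'hits/engines' string, or None when
    VirusTotal gave no verdict (blank, 'n/a', 'Unknown', ...)."""
    hits, sep, engines = value.strip().partition("/")
    if not sep or not hits.isdigit() or not engines.isdigit():
        return None
    return int(hits), int(engines)


def triage(csv_text, min_hits=1):
    """Return (path, sha256, reason) for rows worth a closer look:
    any file with at least min_hits VT detections, and any unsigned
    file VirusTotal has never seen (no verdict to rely on)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = parse_detection(row.get("VT detection", ""))
        signed = row.get("Verified", "").strip().lower() == "signed"
        if verdict is None:
            if not signed:
                findings.append((row["Path"], row["SHA256"], "unknown to VT, unsigned"))
        elif verdict[0] >= min_hits:
            findings.append((row["Path"], row["SHA256"], f"{verdict[0]}/{verdict[1]} engines"))
    # Most-detected first, so the hits land at the top of the report.
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


if __name__ == "__main__":
    for path, sha256, reason in triage(SAMPLE_CSV):
        print(f"{reason:25} {sha256} {path}")
```

Point it at the real CSV with `triage(open("results.csv", encoding="utf-8").read())`; sigcheck -s on a whole folder tree makes this sort of filter necessary, since a clean machine yields thousands of 0/N rows.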
Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.
Comments
thanks for this.
I am just wondering, wouldn't this be a violation of VirusTotal's ToS:
not to use the Services in any way that could directly or indirectly hinder the antivirus industry/URL scanner industry.
I understand you are not a lawyer - neither am I.
Cheers
Thomas
Anonymous
Jan 25th 2016