Shadowserver Binary Whitelisting Service

Published: 2010-08-13. Last Updated: 2010-08-13 21:55:21 UTC
by Guy Bruneau (Version: 1)
6 comment(s)

The Shadowserver Foundation has made available a new and free public service to test the MD5's or SHA1's of binaries to see if they are already a know set of software. The initial service is based on the lists from NIST but over time they plan to add other sources. The service is offered via HTTP and the responses via a JSON object.

The service can be accessed here.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Keywords: Whitelisting MD5 SHA1
6 comment(s)

Comments

I wonder if they could find benefit exchanging data with Virustotal.com or similar; by this point I'd imagine their catalogue of hashes for both good and bad files.

Russ

Aug 13th 2010
1 decade ago

...are extensive.

I was imagining the catalogue would be extensive.

Russ

Aug 13th 2010
1 decade ago

Russ, maybe I should have added that ISC offers a similar service http://isc.sans.edu/tools/hashsearch.html

Guy

Aug 14th 2010
1 decade ago

Any idea if they have manually stripped out the malicious files that are in the NSRL? Or has NIST started excluding non-known-good files in the NSRL?

jth

Aug 16th 2010
1 decade ago

For now, the list form NIST should only contain the known good files.

Guy

Aug 16th 2010
1 decade ago

The NIST database does include tools like nmap and nessus that may be considered hacker tools. It also only includes software distributed as CDs/DVDs which means that it doesn't cover patch levels if they are only distributed online.

We did extend our ISC database by some patch levels but need to add more.

Dr. J

Aug 17th 2010
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives