Online VirusTotal hash checker

[Melf]

I've tried VirusTotal's uploader app recently. It seems to work as follows:

1) Calculate hash and compare to database. Do not even calculate hash if the file is >20 MB (weird).
2) If this hash exists in the database, get previously measured vendor results for that file
3) If no match, upload the file (<20 MB).

This behaviour kind of bothers me because
1) I don't know why it refuses even to hash files >20 MB. I've tried MultiHasher and even though it uses VirusTotal too, it will calculate the hash on any file. But MultiHasher's VirusTotal query function is buried several clicks away.
2) It defaults to uploading the file if there's no match, and I can't disable this behaviour. I don't want it to check vs behaviour blockers etc, I just want to know if the file's been seen before.

So I'm wondering if anyone knows a super convenient (minimal clicks) way to compute a file's hash and query VirusTotal, regardless of file size, without bothering to upload it.

[kareldjag]

hi,

Maybe VT Hash Check http://www.boredomsoft.org/vt-hash-check.bs
Various ressources that could help as there is no solution for each one of us

UVK tools from the Ultra Virus Killer team http://www.carifred.com/uvk/help/uvk_tools.htm
VT extension https://www.virustotal.com/documenta...er-extensions/
FileAdvisor from Bit9 http://fileadvisor.bit9.com/services/help.aspx
Didier Stevens VT search tool http://blog.didierstevens.com/2012/0...th-virustotal/
Team Cynru tools and service https://addons.mozilla.org/en-US/fir...am-cymrus-mhr/

Online services
http://www.malwarehash.com/ explained here http://www.digitaloffensive.com/2010...ng-md5-hashes/
https://hash.cymru.com/
https://www.vicheck.ca/md5query.php
https://isc.sans.edu/tools/hashsearch.html
ETC
As Virus Total API is public, there is some scripts available like D.stevens one, and anyone can build his own tool.
In an other way, there is online Malware database with or without registration that could help, but their links are out of this boad T.O.S

rgds

[Melf]

Wow! Your powers of Google-fu far exceed my own...

I tried VT Hash Check, quite nice. Minimum number of clicks, doesn't need to open the browser for condensed report.

If I try and upload a larger file it tells me that the file won't be in the VT database because it's too large. So I guess the file size thing must be a limitation with VT itself. Seems strange, I assumed that they just ask each vendor if the hash has been encountered. Seems like no reason to limit the file size :S

Now that you've solved my initial problem - are there alternatives to VT that use hashing but don't have file size limits?

[Brummelchen]

VT limits are 20meg - for reason - so why complaining they dont accept hashes from files which exceed this limit cause they never have tested those?

you should be conscious that VT is an online service so anyone has to upload and they to check it out. maybe in future they offer more but for now is done.

you can try jotti but their limit is 25mb not much more.
http://virusscan.jotti.org/de

in any other case you have the option to use any on-demand scanner you like to - included boot media.

[BoerenkoolMetWorst]

VT had a limit of 20MB in the past, with their site make-over they raised the limit to 32MB if I'm correct.

[Melf]

Quote:

Originally Posted by Brummelchen

VT limits are 20meg - for reason - so why complaining they dont accept hashes from files which exceed this limit cause they never have tested those?

A hash is the same size regardless of the size of the original file. Anti-virus software scans files of all sizes and store the results in their databases together with the hash. So a service that queries the databases of anti-virus vendors should have no limit to file size.

Quote:

Originally Posted by Brummelchen

in any other case you have the option to use any on-demand scanner you like to - included boot media.

I don't want to rely on a single database, I want to use them all!

[Ranget]

Quote:

http://www.boredomsoft.org/vt-hash-check.bs

btw this product devoloper can be found On Bleepingcomputer if you have any further question ask there

[Brummelchen]

is using VT

Quote:

VT Hash Check adds a Windows Explorer context menu item to compute the MD5 or SHA1 hash checksum of any file and to then send that checksum to http://www.virustotal.com for checking against their Virus database.

Quote:

I want to use them all!

waste of time - all have some limits - and VT and jotti have already the most engines of all.
just believe - what you want is not present actually - you have to do it on your own.

[kareldjag]

hi
Euh...there is no thanks to Google here...i play with malwares since 2004 and i need to be up to date about the latest threats (malwares/attacks) and defense.
Metascan can upload much more than VT and Jotti http://www.metascan-online.com/
And for a few dollars more , anyone can build his own VirusTotal on his LAN
http://www.opswat.com/buy/multi-scanning
The recent Flame collision attack has shown that MD5 is vulnerable.
And even if it is not a dead end, malware pattern matching needs perhaps to be seen under another angle (as for forensic databases (like NSRL http://www.nsrl.nist.gov/index.html ).

Brumelchen last remark is true, and by experience, anyone needs to know that when dealing with malwares, trust first in your skill, more than in your tools...

Rgds

[kareldjag]

hi
A recent local VirusTotalScanner tool http://www.softpedia.com/get/Securit...lScanner.shtml
Currently can not scan locally on my Win64 system.

rgds

[Dermot7]

Quote:

Originally Posted by kareldjag

hi
A recent local VirusTotalScanner tool http://www.softpedia.com/get/Securit...lScanner.shtml
Currently can not scan locally on my Win64 system.

rgds

I saw this also on Majorgeeks yesterday, and downloaded (from author's site) to take a look.
Scanning file with Emsisoft AM gave detection: https://www.emsisoft.com/en/malware/?Trojan.Win32.SecurityXploded.AMN!E1
On Jotti 2 detections (ESET & Emsisoft again): http://virusscan.jotti.org/en/scanre...000819fa553e1b
On OPSWAT Metascan 2 detections (AVG & Emsi but not ESET): http://www.metascan-online.com/resul...i2qu5ioh73hl20
Couldn't upload to VT at the time, but my question is what behaviour or characteristics of the file should ellicit this response from some AV engines, but not others? Is it a matter of personal preference what warnings to heed in this case, and does it just come down to whether you trust the developer or not?

[Melf]

Quote:

Originally Posted by kareldjag

hi
Euh...there is no thanks to Google here...i play with malwares since 2004 and i need to be up to date about the latest threats (malwares/attacks) and defense.
Metascan can upload much more than VT and Jotti http://www.metascan-online.com/
And for a few dollars more , anyone can build his own VirusTotal on his LAN
http://www.opswat.com/buy/multi-scanning
The recent Flame collision attack has shown that MD5 is vulnerable.
And even if it is not a dead end, malware pattern matching needs perhaps to be seen under another angle (as for forensic databases (like NSRL http://www.nsrl.nist.gov/index.html ).

Brumelchen last remark is true, and by experience, anyone needs to know that when dealing with malwares, trust first in your skill, more than in your tools...

Rgds

Thanks for the further links. Seems this problem is not solvable at the moment unless I want to pay several thousand dollars a year to set up my own

So, I had though that VT simply compares the hashes it is given to the hashes of virus definitions from each of the major AV companies.

But from what I am reading here I fear that VT only "knows" about malware that has been uploaded to their servers, which they then test against each AV and report the pass/fail (storing the result for later queries). Is this true??

To be more clear, consider an example:
An AV vendor, let's say Kaspersky, has a definition for some malware sample sitting in its database. But the malware has not previously been uploaded to VirusTotal. I download this sample, compute the hash, and upload the hash to VirusTotal.
Will VirusTotal report a hit from Kaspersky?
I am assuming that the answer is no, but that the answer would be yes if I had uploaded the file.

If this is the case, the hash solution is pretty useless, because not that many people use VirusTotal.

[Boredomsoft]

Quote:

Originally Posted by Melf

I tried VT Hash Check, quite nice.

Glad you like it I'm always looking for suggestions, btw.

Quote:

Originally Posted by Melf

If I try and upload a larger file it tells me that the file won't be in the VT database because it's too large. So I guess the file size thing must be a limitation with VT itself. Seems strange, I assumed that they just ask each vendor if the hash has been encountered. Seems like no reason to limit the file size :S

Right. Previously, Virus Total had a limit of 20MB. The current limit is 32MB. The limits are for entirely practical reasons: in order for Virus Total (or similar services) to have a record of a file they actually have to have a copy of it. The only way for them to get a copy is for users to upload one. Upload bandwidth and server disk space isn't free ($$) and most true malware (with exceptions) will weigh in at considerably less than 20-32MB, so this limitation isn't as limiting as it might seem. Most tools that interface with VT won't even bother to hash larger files, as you have found.

Quote:

Originally Posted by Melf

So, I had though that VT simply compares the hashes it is given to the hashes of virus definitions from each of the major AV companies.

What they do is actually run the scanner against the uploaded file. The scan report is then filed under the hash so that anyone else with the same file can find the report even if the files have different names. If a file gets uploaded and there's disagreement among the scanners then the scanner developers can grab the file and figure who's right and who's wrong, thereby improving all the supported scanners.

Quote:

Originally Posted by Melf

are there alternatives to VT that use hashing but don't have file size limits?

Not really, no. If all you're interested is the hash then there are a number of tools, however. I recommend HashTab.

Quote:

Originally Posted by Ranget

btw this product devoloper can be found On Bleepingcomputer if you have any further question ask there

Hi ranget!

[kareldjag]

hi

Another VT tool, Hyperball
http://www.sphynxsoft.com/products/hyperball/
The forensic features are very limited and already covered by many more complete tools.

Rgds

[Kees1958]

Quote:

Originally Posted by kareldjag

hi
Euh...there is no thanks to Google here...i play with malwares since 2004 and i need to be up to date about the latest threats (malwares/attacks) and defense.
Rgds

Before Matousec started to test firewalls on their HIPS capabilities, you were testing HIPS on their HIPS capabilities
I allways found your (security overflow) blogs/test very informative. Merci Beaucoup