checksum questions

Discussion in 'privacy general' started by iceni60, Aug 27, 2004.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Jun 29, 2004
    hello :) i recently DLed hashcal after reading this thread.
    in post 9. it appears that peakaboo had the checksum before the download. how do you do that?
    also, i have kerio's MD5 checker, would that mean that i'm fairly safe and don't really need to use hashcal?
    and, one more question, could you point me in the right direction to read-up on this subject?
    thank you :)
  2. FanJ

    FanJ Guest


    You can find some Checksum-tools here at the List of Lists:

    I would certainly also advise you to have a look at CryptoSuite from DiamondCS!

    I don't have Kerio.

    But in general : there are differences in the way Checksums are used:

    You download a file from a website.
    That website gives the checksum of that file and the HASH algorithm used to calculate that checksum.
    Now you want to verify whether the file that you have downloaded, has the same checksum as mentioned on that site.
    So you need a simple utility to do that for you. It calculates that checksum (of course it has to use the same HASH algorithm as used on that website!!!).
    Usually the HASH algorithm used for this, is MD5.
    It is easy if your Checksum utility has the option to put it in the right-click-context-menu of Windows Explorer.

    Now about your firewall (Kerio in your case).
    This is a completely different situation.
    Most modern firewalls have this ability.
    What it does, is:
    It checks whether a program that you have allowed to get access to the internet, has been changed.
    It does this automatically by calculating its checksum (usually using the MD5 HASH algorithm) and comparing that checksum to the one your firewall previously calculated for that program.
    If those checksums are not the same, then there is certainly reason to be worried (unless the program was legitimately upgraded of course). Your firewall will alert you about this. It could be that you have a Trojan on your system. So you have to check by all kinds of ways (AV/AT/Anti-spyware, etc) what has happened.
    As you see, this is a completely different use of checksum-checking.

    And here comes another way for using checksums:
    It is another layer of your security set-up.
    First some examples:
    - FileChecker from Javacool.
    - NIS File Check (see the now archived forum at the bottom of the Wilders-forum).
    - Inspector in KAV Personal Pro.
    - ADInf32 (pro) from the same company that makes the AV Dr.Web.
    What do these programs do?
    They make a database (each in their own way) of files on your system with their checksum.
    You can run them frequently to see whether a file has been changed.
    It is always up to you to decide whether such a change is legitimate or not.
    But it is most definitely a great other layer to your security.
    Of course there are all kinds of differences between those programs.

    And again another way to use checksums:
    Now we are talking about great security programs like for example ProcessGuard from DiamondCS.
    It adds most definitely a very great amount of security to your system.
    I would like to point to the PG-forum here at Wilders, and to its site:
    (Other people use for example SSM or TinyTrojanTrap).

    I hope this all helps you a little bit ;)
    Cheers, Jan.
  3. iceni60

    iceni60 ( ^o^)

    Jun 29, 2004
    thank you very much for taking the time to help, FanJ. lots of information to take in :) . but, say i want to download here i don't understand where the checksum is, so how do i check to see if the downloaded file has the correct checksum after the download is complete? this is the way i understand it
    • before downloading, you take the checksum
    • after downloading you check to see if they have the same checksum
    also, have you, or anyone used HashCalc?

    Major features:

    * Support of 12 well-known and documented hash and checksum algorithms: MD2, MD4, MD5, SHA-1, SHA-2 (256, 384, 512), RIPEMD-160, PANAMA, TIGER, ADLER32, CRC32.
    * Support of a custom hash algorithm (MD4-based) used in eDonkey and eMule applications. (New in Version 2.0)
    * Support of 2 modes of calculations: HASH/CHECKSUM and HMAC.
    * Support of 3 input data formats: files, text strings and hex strings.
    * Work with large size files. (Tested on files with size up to 15 GB.)
    * Support of files drag-and-drop functionality.
    * Quick and simple installation.
    thank you :)
  4. FanJ

    FanJ Guest

    Hi iceni60,

    I had a quick look there.
    I didn't seem to see a checksum mentioned there (nor with which algorithm it was calculated).
    So there is no way to check it !!!

    It is the website that tells you the checksum of a file (and the algorithm used).
    If the website doesn't do that, there is no way for you to check whether you have the right file. Well, of course you could (AFTER downloading the file) calculate a checksum for it and then ask other people whether they have the same ;)

    No, I don't have that one, sorry...
    I have for example: CryptoSuite from DCS, Hasher from Karen, DigestIt2003, and a few more ;)

    Cheers, Jan.
  5. iceni60

    iceni60 ( ^o^)

    Jun 29, 2004
    i just downloaded one of the right-clicking Checksum Verifiers (thanks for the advice FanJ)
    the checksum was given next to the download. so, it looks like not all downloads give the checksum before the download?

    i was able to check the checksum using hashcal and they matched-up :D . although the checksum next to the download had all the letters in capitals, whereas, hashcal gave them in small letters; that's ok isn't it?

    i'd been meaning to ask about this for a while. i'm very happy to be finally understanding this subject. thanks :)
    EDIT i just saw your post. thank you for your time :cool:
  6. FanJ

    FanJ Guest


    About capitals : no problem ! :)

    I take for example my Ad-Aware SE Pro file Ad-Aware.exe
    I calculate the MD5 HASH with both DigestIt2003 and CryptoSuite:


  7. FanJ

    FanJ Guest

    A side-note about websites mentioning the checksum of a file:

    More than once I have noticed that a website does not give the right checksum (maybe due to the fact that the file was updated but they forgot to also update its checksum ;)).
  8. iceni60

    iceni60 ( ^o^)

    Jun 29, 2004
    FanJ, i have a copy of fingerprint that i downloaded, but haven't installed, from a while ago. would you suggest using that to make a database?
  9. xmp

    xmp Guest

    if the checksums output in hex, that would explain the use of capital or lowercase letters. a=10, b=11, c=12, d=13, e=14, f=15

    md5 is probably the most common checksum for files. a lot of open-source software will provide an md5sum. it's best to get that md5sum from an official source. if you just need file integrity on downloads, a mirror site will be fine.
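
Added example, not part of any post in this thread: a Python sketch of the download check discussed above, comparing a file against the checksum a site publishes, using the same algorithm and ignoring letter case. The function names, the file name `setup.exe` and the sample content are constructed for illustration.

```python
import hashlib
import os
import string
import tempfile


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a large download never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()  # hashlib always returns lowercase hex


def verify_download(path, published, algorithm="md5"):
    """Return True if the file matches the checksum published by the site.

    Hex digits A-F and a-f are the same values, so both sides are compared
    in lowercase. A published value of the wrong length means the site used
    a different algorithm than the one requested here.
    """
    expected = published.strip().lower()
    hex_len = hashlib.new(algorithm).digest_size * 2
    if len(expected) != hex_len or not all(c in string.hexdigits for c in expected):
        raise ValueError(
            f"{published!r} is not a {algorithm} checksum ({hex_len} hex digits expected)"
        )
    return file_digest(path, algorithm) == expected


def demo():
    """Constructed sample: a small stand-in for a downloaded installer."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "setup.exe")
        with open(path, "wb") as f:
            f.write(b"hello world")
        published = "5EB63BBBE01EEED093CB22BB8F5ACDC3"  # MD5 in capitals, as a site might list it
        ok = verify_download(path, published)
        with open(path, "ab") as f:
            f.write(b"!")  # simulate a corrupted or altered download
        return ok, verify_download(path, published)


if __name__ == "__main__":
    print(demo())
```
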
  10. iceni60

    iceni60 ( ^o^)

    Jun 29, 2004
    thank you, xmp
  11. Wondering

    Wondering Guest

    As useful as this thread is, I see that one rather major area is not addressed.

    Assuming you intend to run one of those on demand MD5 hash checkers say once a week, what are the critical files you should check?

    Obviously antiviruses, firewalls, browsers?? etc are one of those you should check? Should you check everything in the antivirus directory? Or just the main exe?

    When it comes to critical windows files it gets even more murky. Do you just check everything in the windows directory?

    The problem is, if you check stuff that changes too often, you will never know if it's due to "normal" changes, or if something fishy is going on.
  12. LowWaterMark

    LowWaterMark Administrator

    Aug 10, 2002
    New England
    You are exactly right about how talkative a file checker would get if you have it checking too much. Different people have different ideas as to what to check.

    Some want to only check program files (.exe, .dll, etc.) for all major Windows components and security applications (like Anti-Virus, Firewall, etc.). These are clearly key files where some malware or hack might replace a good file with a malicious one. And for the most part, major program components don't change frequently enough to cause too many alerts.

    Others actually do include the files holding AV definitions, and other much more variable files, because they want to know if those files change at times when they themselves did not approve an update. (The idea being that if a malicious program altered your AV definitions, your AV would be almost useless even though it might still technically look like it is running and working.)

    It really depends upon how you manage your system and how much control (or at least information) you want.

    There's a lot more information on file checking, especially by FanJ. This first one is actually for a product called NISFileCheck...

    The rest of that forum section is here (we retired and closed that section a while ago):

    This next one is a TDS-3 thread which talks about its basic CRC checking, but the concepts remain the same regardless of the product and checksum used:

    Scanning through FanJ's various threads where he talks about file checking and checksums, you'll find a lot of good information. This thread is another good one:
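
Added example, not part of any post in this thread and not the code of any product named in it: a Python sketch of the file-checker idea from posts 2, 11 and 12, which records a checksum database for program files only and later reports what changed, was added or was removed. The extension list, the JSON database format and the use of SHA-256 are assumptions made for this example.

```python
import hashlib
import json
import os
import sys

WATCHED_EXTENSIONS = {".exe", ".dll"}  # assumption: program files only


def snapshot(root, extensions=WATCHED_EXTENSIONS):
    """Map relative path -> SHA-256 for every watched file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue  # skip logs, caches and other files that change constantly
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as f:  # program files are small enough to read whole
                    digest = hashlib.sha256(f.read()).hexdigest()
            except OSError:
                digest = None  # unreadable (locked or access denied); still tracked
            result[os.path.relpath(full, root)] = digest
    return result


def save_baseline(snap, db_path):
    with open(db_path, "w", encoding="utf-8") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(db_path):
    with open(db_path, encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Report what differs; deciding whether a change is legitimate is left to the user."""
    both = baseline.keys() & current.keys()
    return {
        "changed": sorted(p for p in both if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


if __name__ == "__main__":
    root, db = sys.argv[1], sys.argv[2]  # directory to watch, baseline file
    if os.path.exists(db):
        print(json.dumps(compare(load_baseline(db), snapshot(root)), indent=2))
    else:
        save_baseline(snapshot(root), db)  # first run records the baseline
```

Keep the baseline file somewhere the monitored programs cannot write to, since a database that can be altered along with the files no longer shows the change.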
  13. iceni60

    iceni60 ( ^o^)

    Jun 29, 2004
    thanks for the links LowWaterMark :)