Online VirusTotal hash checker

Discussion in 'other anti-malware software' started by Melf, Jun 23, 2012.

Thread Status:
Not open for further replies.
  1. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    I've tried VirusTotal's uploader app recently. It seems to work as follows:

    1) Calculate hash and compare to database. Do not even calculate hash if the file is >20 MB (weird).
    2) If this hash exists in the database, get previously measured vendor results for that file.
    3) If no match, upload the file (<20 MB).

    This behaviour kind of bothers me because
    1) I don't know why it refuses even to hash files >20 MB. I've tried MultiHasher and even though it uses VirusTotal too, it will calculate the hash on any file. But MultiHasher's VirusTotal query function is buried several clicks away.
    2) It defaults to uploading the file if there's no match, and I can't disable this behaviour. I don't want it to check vs behaviour blockers etc, I just want to know if the file's been seen before.

    So I'm wondering if anyone knows a super convenient (minimal clicks) way to compute a file's hash and query VirusTotal, regardless of file size, without bothering to upload it.
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi,

    Maybe VT Hash Check http://www.boredomsoft.org/vt-hash-check.bs
    Various resources that could help, as there is no single solution for each of us:

    UVK tools from the Ultra Virus Killer team http://www.carifred.com/uvk/help/uvk_tools.htm
    VT extension https://www.virustotal.com/documentation/browser-extensions/
    FileAdvisor from Bit9 http://fileadvisor.bit9.com/services/help.aspx
    Didier Stevens VT search tool http://blog.didierstevens.com/2012/05/21/searching-with-virustotal/
    Team Cymru tools and service https://addons.mozilla.org/en-US/firefox/addon/team-cymrus-mhr/

    Online services
    http://www.malwarehash.com/ explained here http://www.digitaloffensive.com/201...e-and-other-malicious-files-using-md5-hashes/
    https://hash.cymru.com/
    https://www.vicheck.ca/md5query.php
    https://isc.sans.edu/tools/hashsearch.html
    ETC
    As the VirusTotal API is public, there are some scripts available like D. Stevens' one, and anyone can build his own tool.
    In another way, there are online malware databases with or without registration that could help, but their links are outside this board's T.O.S :)

    rgds
     
  3. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Wow! Your powers of Google-fu far exceed my own...

    I tried VT Hash Check, quite nice. Minimum number of clicks, doesn't need to open the browser for condensed report.

    If I try and upload a larger file it tells me that the file won't be in the VT database because it's too large. So I guess the file size thing must be a limitation with VT itself. Seems strange, I assumed that they just ask each vendor if the hash has been encountered. Seems like no reason to limit the file size :S

    Now that you've solved my initial problem - are there alternatives to VT that use hashing but don't have file size limits?
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    VT limits are 20meg - for a reason - so why complain that they don't accept hashes from files which exceed this limit, since they have never tested those?

    you should be conscious that VT is an online service, so anyone has to upload and they check it out. maybe in future they will offer more, but for now that's how it is done.

    you can try jotti, but their limit is 25mb, not much more.
    http://virusscan.jotti.org/de

    in any other case you have the option to use any on-demand scanner you like to - included boot media.
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    VT had a limit of 20MB in the past, with their site make-over they raised the limit to 32MB if I'm correct.
     
  6. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    A hash is the same size regardless of the size of the original file. Anti-virus software scans files of all sizes and stores the results in its databases together with the hash. So a service that queries the databases of anti-virus vendors should have no limit to file size.

    I don't want to rely on a single database, I want to use them all!
     
  7. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    is using VT
    waste of time - all have some limits - and VT and jotti have already the most engines of all.
    just believe - what you want is not present actually - you have to do it on your own.
     
  9. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi
    Euh...there is no thanks to Google here...I have played with malware since 2004 and I need to be up to date about the latest threats (malware/attacks) and defense.
    Metascan can upload much more than VT and Jotti http://www.metascan-online.com/
    And for a few dollars more :), anyone can build his own VirusTotal on his LAN
    http://www.opswat.com/buy/multi-scanning
    The recent Flame collision attack has shown that MD5 is vulnerable.
    And even if it is not a dead end, malware pattern matching perhaps needs to be seen from another angle (as for forensic databases like NSRL http://www.nsrl.nist.gov/index.html ).

    Brummelchen's last remark is true, and from experience, anyone needs to know that when dealing with malware, trust first in your skill, more than in your tools...

    Rgds
     
  10. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  11. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    I saw this also on Majorgeeks yesterday, and downloaded (from author's site) to take a look.
    Scanning file with Emsisoft AM gave detection: https://www.emsisoft.com/en/malware/?Trojan.Win32.SecurityXploded.AMN!E1
    On Jotti 2 detections (ESET & Emsisoft again): http://virusscan.jotti.org/en/scanresult/4cadbed28a73b285d01d8986ac000819fa553e1b
    On OPSWAT Metascan 2 detections (AVG & Emsi but not ESET): http://www.metascan-online.com/results/gh8thu5rl70cnptt4oi2qu5ioh73hl20
    Couldn't upload to VT at the time, but my question is what behaviour or characteristics of the file should elicit this response from some AV engines, but not others? Is it a matter of personal preference what warnings to heed in this case, and does it just come down to whether you trust the developer or not?
     
  12. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Thanks for the further links. Seems this problem is not solvable at the moment unless I want to pay several thousand dollars a year to set up my own :D

    So, I had thought that VT simply compares the hashes it is given to the hashes of virus definitions from each of the major AV companies.

    But from what I am reading here I fear that VT only "knows" about malware that has been uploaded to their servers, which they then test against each AV and report the pass/fail (storing the result for later queries). Is this true??

    To be more clear, consider an example:
    An AV vendor, let's say Kaspersky, has a definition for some malware sample sitting in its database. But the malware has not previously been uploaded to VirusTotal. I download this sample, compute the hash, and upload the hash to VirusTotal.
    Will VirusTotal report a hit from Kaspersky?
    I am assuming that the answer is no, but that the answer would be yes if I had uploaded the file.

    If this is the case, the hash solution is pretty useless, because not that many people use VirusTotal.
     
  13. Boredomsoft

    Boredomsoft Registered Member

    Joined:
    Jul 21, 2012
    Posts:
    13
    Location:
    San Francisco
    Glad you like it :) I'm always looking for suggestions, btw.
    Right. Previously, Virus Total had a limit of 20MB. The current limit is 32MB. The limits are for entirely practical reasons: in order for Virus Total (or similar services) to have a record of a file they actually have to have a copy of it. The only way for them to get a copy is for users to upload one. Upload bandwidth and server disk space isn't free ($$) and most true malware (with exceptions) will weigh in at considerably less than 20-32MB, so this limitation isn't as limiting as it might seem. Most tools that interface with VT won't even bother to hash larger files, as you have found.
    What they do is actually run the scanner against the uploaded file. The scan report is then filed under the hash so that anyone else with the same file can find the report even if the files have different names. If a file gets uploaded and there's disagreement among the scanners then the scanner developers can grab the file and figure who's right and who's wrong, thereby improving all the supported scanners.
    Not really, no. If all you're interested in is the hash, then there are a number of tools, however. I recommend HashTab.


    Hi ranget! :eek:
     
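    The workflow Melf describes in the first post (hash the file locally, look the hash up, and only then decide whether anything gets uploaded), kareldjag's point that the public API lets anyone build such a tool, and Boredomsoft's explanation that VT files each report under the file's hash, as one added example. This is not code from the thread, from VT Hash Check, or from VirusTotal itself; it assumes the current VirusTotal v3 `files/{hash}` endpoint with an `x-apikey` header and the `last_analysis_stats` report field (the thread itself predates that API), and the API key, file path and `_fake_get` transport are constructed placeholders so the script runs offline. The lookup never sends file contents, and it distinguishes "never seen" (HTTP 404) from a failed query (for example a quota error), which the tools discussed in the thread blur together.

```python
# Added example: streamed local hashing plus a lookup-only VirusTotal query.
# Not code from the thread or from any tool it mentions.
import hashlib
import json
import os
import tempfile
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumption: VirusTotal v3 "files" object endpoint. A GET here only reads an
# existing report; nothing but the hash string leaves the machine.
VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"
CHUNK_SIZE = 1 << 20  # 1 MiB chunks: memory use stays flat however large the file is

# sha256(b"hello"); used as the one hash the offline fake transport "knows".
FAKE_KNOWN = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

Transport = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def hash_stream(fh) -> Dict[str, str]:
    """Digest a binary stream with MD5, SHA-1 and SHA-256 in a single pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_file(path: str) -> Dict[str, str]:
    """Hash a file of any size; the digest length does not depend on the input size."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def _http_get(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Minimal GET returning (status, body); HTTP error responses become status codes."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def _fake_get(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in for the network so the example runs offline."""
    if headers.get("x-apikey") == "KEY-OVER-QUOTA":
        return 429, b'{"error": {"code": "QuotaExceededError"}}'
    if url.endswith(FAKE_KNOWN):
        report = {"data": {"attributes": {"last_analysis_stats":
                  {"malicious": 2, "suspicious": 0, "undetected": 40}}}}
        return 200, json.dumps(report).encode()
    return 404, b'{"error": {"code": "NotFoundError"}}'


def lookup_hash(file_hash: str, api_key: str,
                http_get: Transport = _http_get) -> Optional[Dict[str, int]]:
    """Return detection counts for a hash VT already has a report for, or None if unknown.

    404 means nobody has uploaded this file, which is a different answer from "clean".
    Any other non-200 status is raised so a quota or auth failure is never read as
    "never seen".
    """
    status, body = http_get(VT_FILES_ENDPOINT + file_hash, {"x-apikey": api_key})
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"VirusTotal lookup failed with HTTP {status}")
    stats = json.loads(body)["data"]["attributes"]["last_analysis_stats"]
    return {key: int(stats.get(key, 0)) for key in ("malicious", "suspicious", "undetected")}


def demo() -> Dict[str, str]:
    """Hash a constructed file larger than one chunk, then look it up offline."""
    data = b"A" * (3 * CHUNK_SIZE + 17)  # constructed content, crosses chunk boundaries
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        digests = hash_file(path)
    finally:
        os.unlink(path)
    # "PLACEHOLDER-API-KEY" is not a real key; the fake transport ignores it.
    print("sha256:", digests["sha256"], "->", lookup_hash(digests["sha256"], "PLACEHOLDER-API-KEY", _fake_get))
    print("known sample ->", lookup_hash(FAKE_KNOWN, "PLACEHOLDER-API-KEY", _fake_get))
    return digests


if __name__ == "__main__":
    demo()
```

    To use it against the real service, call `lookup_hash(hash_file(path)["sha256"], api_key)` with the default transport; a `None` result tells you the file has never been submitted, and what to do next is your decision rather than the tool's.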
  14. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Before Matousec started to test firewalls on their HIPS capabilities, you were testing HIPS on their HIPS capabilities ;)
    I always found your (security overflow) blogs/tests very informative. :thumb: Merci Beaucoup
     