Anyone using PeStudio by Winitor?

@Snoop3: update of VT is now working in PeStudio 7.73 when pointing the VT item in the tree or using the context menu + XML-based blacklisting of libraries.

 

thanks - works good.

are you considering making it a commercial program?

 

@Snoop3: I want to extent the "uniqueness" of PeStudio by enhancing the detection of anomalies, etc (several ideas). Any company interested to buy my parser? I am still open to discuss about that...

 

i'm just interested in buying a license if you decide to go that route.

 

PeStudio 7.74 is now available:
Added detection of GINA
Added detection of invalid EAT

 

PeStudio 7.77 is available with:
. Added Detection and Indicator for MIME64 Encoding string
. Added Detection and Indicator for hard-coded IP Adresses

 

Been patient with a long lull between releases so right on this newest one.

Many Thanks

Great Analysis Tool!

Regards EASTER

 

PeStudio 7.82 is available with:

. Added PeStudioBlackLanguages.XML to support detection of Resources Blacklisted Languages

 

Minor update but update nonetheless.

Many Thanks.

EASTER

 

Minor update with a potential, namely, to give the user the possibility to define blacklisted (aka. suspicious) Resources languages...

 

I`ve just tried the program and found out it is calling home every time it checks a file, why is it so?

 

Per default, in addition to the static analysis, PeStudio lookup www.virustotal.com to retrieve score for the file, when available. Btw, Process Explorer (Mark Russsinovich) now also implements this feature in its newest version, has made available this week. Only the MD5 of the file is sent to virustotal, not the complete file.

This feature can be completely switched off by editing PeStudioVirusTotal.XML, which is delivered with PeStudio.

<xml version="1.0" encoding="utf-8">
<Settings>
<Setting>
<!-- 1: Enable Lookup to VirusTotal (show VirustTotal at UI and place section in XML file).
0: Disable Lookup to VirusTotal (hide VirustTotal from UI and remove section from XML file).-->
<Enable>1</Enable>
<!-- 1: Show VirusTotal Details
0: Hide VirusTotal Details -->
<Details>1</Details>
</Setting>
</Settings>
</xml>

Does that address your concern about PeStudio calling home?

 

Yes, Thank you.

 

Great, you're welcome!

 

@Marc Ochsenmeier: Perhaps there is something of value in Adobe Malware Classifier that could be useful.

P.S. Thank you for the program .

 

For those who don't know: Sigcheck now has an option to scan with VirusTotal. It can scan folders too.

 

for files that the hashes are not found in the VT database is it possible to have PeStudio automatically call another user-selected program like JottiQ or one of the VT uploaders to then upload that file?

would be a good help here.

 

. VT uploader is on the todo list
. calling (notifying) a user-selected program is a good idea, thanks.

 

Thank you very much for the suggestion!

 

Thanks. It will be your own VT uploader?

this is useful, too bad its command-line program. is there a program that can store the hashes then only pings VT with the hashes that have changed, and work slowly in the background using up very little CPU? would be great for scanning folders and secondary drives or partitions every few days or once a week.

 

Sigcheck already works slowly with VirusTotal - it checks at most 4 files a minute. Be aware that there's a bug with -u switch. See this thread for other programs.

 

"Anyone using PeStudio by Winitor?"
So... Any answer to that yet??

 

Considering the amount of threads here and that PeStudio has been Ranked #4 "Best 2013 Security Tools" http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/, I would say "Yes".

 

May be OT but thought I'd mention that sigcheck has now been updated to fix this bug:
http://www.dslreports.com/forum/r29015714-App-Update-Sysinternals-Sigcheck-2.02

 

That one was fixed fast (I reported the bug) .