Anyone using PeStudio by Winitor?

Discussion in 'other anti-malware software' started by Tyrizian, May 27, 2013.

  1. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: update of VT is now working in PeStudio 7.73 when pointing the VT item in the tree or using the context menu + XML-based blacklisting of libraries.
     
  2. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    thanks - works good. :)

    are you considering making it a commercial program?
     
  3. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    @Snoop3: I want to extend the "uniqueness" of PeStudio by enhancing the detection of anomalies, etc. (several ideas). Any company interested in buying my parser? I am still open to discussing that... :)
     
  4. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    I'm just interested in buying a license if you decide to go that route.
     
  5. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.74 is now available:
    Added detection of GINA
    Added detection of invalid EAT
     
  6. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.77 is available with:
    . Added Detection and Indicator for MIME64 Encoding string
    . Added Detection and Indicator for hard-coded IP Addresses
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,528
    Location:
    U.S.A. (South)
    Been patient with a long lull between releases so right on this newest one.

    Many Thanks

    Great Analysis Tool!

    Regards EASTER
     
  8. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    PeStudio 7.82 is available with:

    . Added PeStudioBlackLanguages.XML to support detection of Resources Blacklisted Languages
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,528
    Location:
    U.S.A. (South)
    Minor update but update nonetheless.

    Many Thanks.

    EASTER
     
  10. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    Minor update with a potential, namely, to give the user the possibility to define blacklisted (aka. suspicious) Resources languages...
     
    Last edited: Nov 23, 2013
  11. peereli

    peereli Registered Member

    Joined:
    Feb 1, 2014
    Posts:
    2
    I've just tried the program and found out it is calling home every time it checks a file. Why is it so?
     
  12. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    By default, in addition to the static analysis, PeStudio looks up www.virustotal.com to retrieve the score for the file, when available. Btw, Process Explorer (Mark Russinovich) now also implements this feature in its newest version, made available this week. Only the MD5 of the file is sent to VirusTotal, not the complete file.

    This feature can be completely switched off by editing PeStudioVirusTotal.XML, which is delivered with PeStudio.

    <?xml version="1.0" encoding="utf-8"?>
    <Settings>
    <Setting>
    <!-- 1: Enable Lookup to VirusTotal (show VirusTotal at UI and place section in XML file).
    0: Disable Lookup to VirusTotal (hide VirusTotal from UI and remove section from XML file). -->
    <Enable>1</Enable>
    <!-- 1: Show VirusTotal Details
    0: Hide VirusTotal Details -->
    <Details>1</Details>
    </Setting>
    </Settings>

    Does that address your concern about PeStudio calling home?
     
    Last edited: Feb 1, 2014
  13. peereli

    peereli Registered Member

    Joined:
    Feb 1, 2014
    Posts:
    2
    Yes, Thank you.
     
  14. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    Great, you're welcome!
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @Marc Ochsenmeier: Perhaps there is something of value in Adobe Malware Classifier that could be useful.

    P.S. Thank you for the program :).
     
    Last edited: Feb 2, 2014
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For those who don't know: Sigcheck now has an option to scan with VirusTotal. It can scan folders too.
     
    Last edited: Feb 2, 2014
  17. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    For files whose hashes are not found in the VT database, is it possible to have PeStudio automatically call another user-selected program like JottiQ or one of the VT uploaders to then upload that file?

    would be a good help here.
     
  18. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    . VT uploader is on the todo list
    . calling (notifying) a user-selected program is a good idea, thanks.
     
  19. Marc Ochsenmeier

    Marc Ochsenmeier Developer

    Joined:
    Jun 6, 2013
    Posts:
    150
    Location:
    Germany
    Thank you very much for the suggestion!
     
  20. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    Thanks. It will be your own VT uploader?


    This is useful, too bad it's a command-line program. Is there a program that can store the hashes, then only ping VT with the hashes that have changed, and work slowly in the background using up very little CPU? Would be great for scanning folders and secondary drives or partitions every few days or once a week.
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Sigcheck already works slowly with VirusTotal - it checks at most 4 files a minute. Be aware that there's a bug with the -u switch. See this thread for other programs.
     
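An added example (not PeStudio's or Sigcheck's own code) that ties together Marc's post 12 and Snoop3's request in post 20: it reads the Enable flag from a PeStudioVirusTotal.XML-style document, and when lookups are enabled it hashes only files whose size or mtime changed since the previous run, so at most the MD5 of a new or modified file would ever be sent. The manifest layout (path -> key/md5) and the sample files are assumptions constructed for the example.

```python
"""Added example (not PeStudio's own code): honour the Enable flag in
PeStudioVirusTotal.XML from post 12 and, as post 20 asks, hash only files that
changed since the last run; the manifest layout below is an assumption."""
import hashlib, os, tempfile, xml.etree.ElementTree as ET

def lookup_enabled(xml_text: str) -> bool:
    """True only when <Settings><Setting><Enable> is 1 (the shipped layout)."""
    node = ET.fromstring(xml_text.encode("utf-8")).find("./Setting/Enable")
    return node is not None and (node.text or "").strip() == "1"

def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def plan_lookups(xml_text: str, folder: str, manifest: dict) -> list:
    """MD5s that would be looked up: none when disabled in the XML, otherwise
    only files whose size or mtime changed since manifest was last updated."""
    if not lookup_enabled(xml_text):
        return []
    pending = []
    for dirpath, _, names in os.walk(folder):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            key = f"{st.st_size}:{st.st_mtime_ns}"
            if manifest.get(p, {}).get("key") == key:
                continue                       # unchanged: no hash, no lookup
            manifest[p] = {"key": key, "md5": md5_of(p)}   # path -> {key, md5}
            pending.append(manifest[p]["md5"])
    return pending

def demo() -> dict:
    """Constructed self-check: two sample files, three runs, then Enable=0."""
    on = ('<?xml version="1.0" encoding="utf-8"?><Settings><Setting>'
          '<Enable>1</Enable><Details>1</Details></Setting></Settings>')
    off, patched, manifest = on.replace("<Enable>1<", "<Enable>0<"), b"MZ one, patched", {}
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "a.exe")
        with open(a, "wb") as f: f.write(b"MZ one")
        with open(os.path.join(d, "b.dll"), "wb") as f: f.write(b"MZ two")
        first = plan_lookups(on, d, manifest)            # both files are new
        second = plan_lookups(on, d, manifest)           # nothing changed
        with open(a, "wb") as f: f.write(patched)        # modify a.exe only
        third = plan_lookups(on, d, manifest)
        disabled = plan_lookups(off, d, manifest)        # Enable=0: never hashes
    return {"first": len(first), "second": len(second), "off": len(disabled),
            "third_is_patched_md5": third == [hashlib.md5(patched).hexdigest()]}
```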
  22. FOXP2

    FOXP2 Guest

    "Anyone using PeStudio by Winitor?"
    So... Any answer to that yet?? :D
     