Use Microsoft's Sigcheck 2.0 to check all files in a folder on Virustotal - gHacks Tech News

Microsoft released Sigcheck 2.0 a couple of days ago. The excellent program lets you verify information about files, including digital certificates, version numbers and timestamp information, by pointing it at a folder that you want checked.

While that makes it an excellent tool for experienced Windows users and admins, its reliance on the command prompt is probably the main reason why it is not used by more users of the system.

The integration of the popular Virustotal API in Sigcheck could change that dramatically. While you still need to run the program from the Windows command prompt, you can now send the hashes of all files in a folder to Virustotal and get back a list of the files that at least one of its antivirus engines detected as malicious.

Using Sigcheck and Virustotal

Sigcheck 2.0 ships with three parameters that control Virustotal usage:

  • -u Shows only files that are unknown to Virustotal or that have a non-zero detection count.
  • -v [rn] Queries the Virustotal service using file hashes. The "r" option opens reports for files with a non-zero detection count; the "n" option prevents files that are unknown to Virustotal from being uploaded.
  • -vt Accepts the Virustotal terms of service.

Here are a couple of examples of how you can use the new Virustotal integration of Sigcheck:

sigcheck -vrn -vt c:\windows\system32\

This scans the c:\windows\system32\ folder and checks the hashes of its files against Virustotal's database. Unknown files are not uploaded to Virustotal.

sigcheck -u -vt c:\windows\system32\

This command limits the output to files that are unknown to Virustotal, and files that at least one engine reports as malware.

Tip: If you scan a folder with lots of files, or use the -s parameter to include subdirectories in the scan, you may want to redirect the report to a text file by appending > c:\users\username\downloads\output.txt to the command.

sigcheck -u -v -vt -s c:\temp\ > c:\users\martin\downloads\output.txt

The command checks file hashes on Virustotal and uploads any file whose hash is not found there. It then writes every file with at least one malware hit, or that is unknown to Virustotal, to the output.txt file. The -s parameter includes files in subdirectories in the scan.
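Once the report has been redirected to a file, the next step is triage: the commenters below note that a single engine hit on Virustotal is frequently a false positive, so it helps to separate unknown files, low-confidence hits and multi-engine detections before opening any reports. The following script is an added example (not part of the article or of Sysinternals' tooling) that does this over Sigcheck's CSV output; it assumes the report was produced with Sigcheck's -c switch and that the detection column is named "VT detection" with values of the form N/M (hits out of engines), which is an assumption about the column layout. The sample report embedded in the script is constructed, not real scanner output.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on sigcheck -c CSV output. The column names and
# the "N/M" detection format are assumptions; the paths and links are placeholders.
SAMPLE_REPORT = r"""Path,Verified,Publisher,Description,VT detection,VT link
c:\temp\good.dll,Signed,Microsoft Corporation,Windows library,0/48,https://www.virustotal.com/#/file/placeholder1
c:\temp\tool.exe,Unsigned,n/a,Admin tool,2/48,https://www.virustotal.com/#/file/placeholder2
c:\temp\dropper.exe,Unsigned,n/a,n/a,31/48,https://www.virustotal.com/#/file/placeholder3
c:\temp\new.exe,Unsigned,n/a,n/a,Unknown,n/a
"""


@dataclass
class Entry:
    path: str
    verified: str
    hits: Optional[int]      # None when Virustotal does not know the hash
    engines: Optional[int]   # number of engines that scanned the file
    link: str


def parse_detection(field: str):
    """'31/48' -> (31, 48); anything else (Unknown, n/a, blank) -> (None, None)."""
    head, sep, tail = field.strip().partition("/")
    if sep and head.isdigit() and tail.isdigit():
        return int(head), int(tail)
    return None, None


def parse_report(text: str) -> List[Entry]:
    """Turn the CSV report text into Entry objects, tolerating missing columns."""
    reader = csv.DictReader(io.StringIO(text))
    entries = []
    for row in reader:
        hits, engines = parse_detection(row.get("VT detection", ""))
        entries.append(Entry(
            path=row["Path"],
            verified=row.get("Verified", ""),
            hits=hits,
            engines=engines,
            link=row.get("VT link", ""),
        ))
    return entries


def triage(entries: List[Entry], min_hits: int = 3) -> Dict[str, List[Entry]]:
    """Bucket entries for review.

    review          -> at least min_hits engines flagged the file; look at these first
    low_confidence  -> one or two hits; often false positives, but still worth a glance
    unknown         -> hash not known to Virustotal (the file may have been uploaded)
    clean           -> known to Virustotal with zero detections
    """
    buckets: Dict[str, List[Entry]] = {
        "review": [], "low_confidence": [], "unknown": [], "clean": []}
    for e in entries:
        if e.hits is None:
            buckets["unknown"].append(e)
        elif e.hits >= min_hits:
            buckets["review"].append(e)
        elif e.hits > 0:
            buckets["low_confidence"].append(e)
        else:
            buckets["clean"].append(e)
    # Highest detection count first, so the worst file tops the review list.
    buckets["review"].sort(key=lambda e: e.hits, reverse=True)
    return buckets


def summarize(buckets: Dict[str, List[Entry]]) -> str:
    """Plain-text summary suitable for pasting into a ticket."""
    lines = []
    for name in ("review", "low_confidence", "unknown", "clean"):
        lines.append(f"[{name}] {len(buckets[name])} file(s)")
        for e in buckets[name]:
            det = "unknown" if e.hits is None else f"{e.hits}/{e.engines}"
            lines.append(f"  {e.path}  verified={e.verified}  detection={det}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_REPORT with open(r"c:\users\username\downloads\output.txt").read()
    # to triage a real redirected report.
    print(summarize(triage(parse_report(SAMPLE_REPORT))))
```

The min_hits threshold is deliberately a parameter: on a large folder the "low_confidence" bucket is where most of the noise lands, and raising or lowering the threshold changes how much of it you look at first, without hiding anything from the summary.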

You can check out all available parameters by following the link to the Microsoft Sysinternals website. There you can also download the application to your system.

As far as system requirements go, it requires at least Windows XP on the client side and Windows Server 2003 on the server side.

Closing Words

The integration of Virustotal scan options widens the scenarios in which the software is useful. While it is still great for its original functionality, it can now also be used to scan the files in a folder quickly against the remote virus scanning service.

    Comments

    1. imu said on October 28, 2013 at 2:59 pm

      Great tool but…they really need to re-think the way files are checked, maybe by excluding those “looking for attention” antivirus engines and rely only on mainstream ones cos when I first ran it I got like a million false positives :(
      So for now I’d say it’s better to run Sigcheck without Virustotal and use this feature only if the first scan finds something worth attention.
      Martin, did you notice this too?

        1. Martin Brinkmann said on October 28, 2013 at 3:09 pm

        Nowadays, I almost expect to see one or two false positives when I scan a file on Virustotal.

          1. imu said on October 28, 2013 at 3:25 pm

          Sure but when you run it without opening the output in the browser then you see just the numbers so you can’t tell if they are false or not and so for me this is a huge downside of this new feature.

    2. imu said on October 28, 2013 at 3:37 pm

      BTW, would you run this tool on your computer?
      hxxp://www.truesec.com/Tools/Tool/gsecdump_v2.0b5
      Scan it with VT first of course :)

      1. Martin Brinkmann said on October 28, 2013 at 3:43 pm

        I think I would not, even if it is likely a false positive.

      2. Rick said on October 28, 2013 at 7:22 pm

        It’s likely a false-positive given what the app is doing. Anytime an app is going into the registry or security catalogs, you will get a number of hits from the AVs.

        If you are just looking to see LSA information, you can use the nirsoft tool http://www.nirsoft.net/utils/lsa_secrets_view.html. And why one needs only the hash info on logon security info has always confused me.

    3. hessam said on October 28, 2013 at 4:51 pm

    4. dragonduder said on November 1, 2013 at 6:16 pm

      Very cool, this is why I love this blog. Anyone have any good batch file ideas that this could apply to? Like maybe scan my downloads folder every now and then? I’d like to find a way to use this in conjunction with the process talked about in this makeuseof article http://www.makeuseof.com/tag/how-to-issue-a-command-to-your-computer-with-a-text-message/

    5. Shala Tucker said on July 21, 2016 at 7:25 pm

      This is not a reply but a question. Almost every time I am on my computer it stops responding for approx. 45 seconds and the search circle sits and spins. The cursor will not move during this 45 seconds. Then the screen goes blank and shortly thereafter the screen goes back to the original page. Can you give any insight into what might be causing this?

      Thanks, Shala Tucker

      P.S. I have Windows Pro in a refurbished Optiplex 780. Dell.

    6. AJ North said on November 14, 2016 at 11:37 am

      Sigcheck version 2.54 was released on 2016.08.29.

      There is also a free third-party GUI (Graphical User Interface) for Sigcheck, SigcheckGUI – http://skwire.dcmembers.com/fp/?page=sigcheckgui .