Use Microsoft's Sigcheck 2.0 to check all files in a folder on Virustotal
Microsoft released Sigcheck 2.0 a couple of days ago. The excellent program lets you verify information about files, including digital certificates, version numbers and timestamp information, by pointing it at a folder that you want checked.
While that makes it an excellent tool for experienced Windows users and admins, its reliance on the command prompt is probably the main reason why it is not used by more users of the system.
Integration of the popular Virustotal API in Sigcheck could change that dramatically, however. While you still need to run the program from the Windows command prompt, you can now submit all files in a folder to Virustotal and get back a list of the files that at least one of the antivirus engines detected as malicious.
Using Sigcheck and Virustotal
Sigcheck 2.0 ships with three parameters that control Virustotal usage:
- -u Shows files that are unknown by Virustotal or have non-zero detection.
- -v [rn] Queries the Virustotal service by using file hashes. The "r" option adds reports for files with non-zero detection, the "n" option prevents the uploading of files that are unknown to Virustotal.
- -vt Accepts the Virustotal terms of service.
Here are a couple of examples of how you can use the new Virustotal integration of Sigcheck:
sigcheck -vrn -vt c:\windows\system32\
This scans the c:\windows\system32\ folder and checks the hash of the files against Virustotal's database. Unknown files are not uploaded to Virustotal.
sigcheck -u -vt c:\windows\system32\
This command limits the output to files that are unknown to Virustotal, and files that at least one engine reports as malware.
Tip: If you scan a folder with lots of files, or use the -s parameter to include subdirectories in the scan, you may want to redirect the report to a text file by appending > c:\users\username\downloads\output.txt to the command.
sigcheck -u -v -vt -s c:\temp\ > c:\users\martin\downloads\output.txt
The command will check file hashes on Virustotal and upload any file whose hash is not found. It will then write all files with at least one malware hit, or that are unknown to Virustotal, to the output.txt file. The -s parameter includes files in subdirectories in the scan.
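Once the report has been redirected to a text file, a practitioner usually wants the hits separated from the files Virustotal has never seen. The script below is an added example, not code from the article or from Sysinternals; it assumes a report layout where each file starts with an unindented path line ending in ":" followed by indented "VT detection: hits/engines" lines, and the sample report is constructed for the example.

```python
# Added example: triage a saved "sigcheck -u -v -vt -s <folder> > output.txt" report.
# Assumed layout (not documented on the page): one unindented "path:" line per
# file, then indented "Key:<tab>Value" lines, including "VT detection:<tab>h/n".
# A non-numeric detection value is treated as a hash unknown to Virustotal.
import re

# Constructed sample report for the example; not real sigcheck output.
SAMPLE_REPORT = (
    "c:\\temp\\tool.exe:\n"
    "\tVerified:\tUnsigned\n"
    "\tVT detection:\t2/55\n"
    "\tVT link:\thttps://www.virustotal.com/example-placeholder\n"
    "c:\\temp\\setup.exe:\n"
    "\tVerified:\tSigned\n"
    "\tVT detection:\t0/55\n"
    "c:\\temp\\build\\helper.dll:\n"
    "\tVerified:\tUnsigned\n"
    "\tVT detection:\tUnknown\n"
)

DETECTION_RE = re.compile(r"^\s+VT detection:\s*(\d+)/(\d+)")


def parse_report(text):
    """Return {path: (hits, engines)}; engines is None when the hash is unknown."""
    results, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current = line[:-1]          # new file block
            results[current] = (0, None)  # default: no detection data yet
            continue
        m = DETECTION_RE.match(line)
        if m and current is not None:
            results[current] = (int(m.group(1)), int(m.group(2)))
    return results


def triage(results, min_hits=1):
    """Split parsed results into flagged files (>= min_hits) and unknown files."""
    flagged = sorted(p for p, (h, n) in results.items() if n is not None and h >= min_hits)
    unknown = sorted(p for p, (h, n) in results.items() if n is None)
    return flagged, unknown


if __name__ == "__main__":
    hits, unseen = triage(parse_report(SAMPLE_REPORT), min_hits=1)
    print("flagged:", hits)
    print("unknown to Virustotal:", unseen)
```

Raising min_hits filters out single-engine results, which is a cheap way to push likely false positives below the line before opening any report in the browser.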
You can check out all available parameters by following the link to the Microsoft Sysinternals website. There you can also download the application to your system.
As far as system requirements go, it requires at least Windows XP on the client side and Windows Server 2003 on the server side.
Closing Words
The integration of Virustotal scan options improves the scenarios where you can make use of the software. While it is still great for its original functionality, it can now also be used to scan files found in a folder quickly using the remote virus scanning service.
Sigcheck version 2.54 was released on 2016.08.29.
There is also a free third-party GUI (Graphical User Interface) for Sigcheck, SigcheckGUI – http://skwire.dcmembers.com/fp/?page=sigcheckgui .
By the way, I noted that v2.20 is the last one supported for Win XP. For v2.54, Vista or higher is needed.
This is not a reply but a question. Almost every time I am on my computer it stops responding for approx. 45 seconds and the search circle sits and spins. The cursor will not move during this 45 seconds. Then the screen goes blank and shortly thereafter the screen goes back to the original page. Can you give any insight into what might be causing this?
Thanks, Shala Tucker
P.S. I have Windows Pro in a refurbished Dell Optiplex 780.
Very cool, this is why I love this blog. Anyone have any good batch file ideas that this could apply to? Like maybe scan my downloads folder every now and then? I’d like to find a way to use this in conjunction with the process talked about in this makeuseof article http://www.makeuseof.com/tag/how-to-issue-a-command-to-your-computer-with-a-text-message/
Check this program, great tool:
http://www.softpedia.com/get/Antivirus/MCShield.shtml
BTW. would you run this tool on your computer ?
hxxp://www.truesec.com/Tools/Tool/gsecdump_v2.0b5
Scan it with VT first of course :)
It’s likely a false-positive given what the app is doing. Anytime an app is going into the registry or security catalogs, you will get a number of hits from the AVs.
If you are just looking to see LSA information, you can use the nirsoft tool http://www.nirsoft.net/utils/lsa_secrets_view.html. And why one needs only the hash info on logon security info has always confused me.
I think I would not, even if it is likely a false positive.
Great tool but… they really need to re-think the way files are checked, maybe by excluding those “looking for attention” antivirus engines and relying only on mainstream ones, because when I first ran it I got like a million false positives :(
So for now I’d say it’s better to run Sigcheck without Virustotal and use this feature only if the first scan finds something worth attention.
Martin, did you notice this too?
Nowadays, I almost expect to see one or two false positives when I scan a file on Virustotal.
Sure, but when you run it without opening the output in the browser, you see just the numbers, so you can’t tell if they are false or not; for me this is a huge downside of this new feature.