Check Files with VirusTotal + HerdProtect Simultaneously
The main purpose with this solution is to check downloaded software before running or installing it!
Feb 18, 2015: New version of the script code and .bat file. Fixed a bug that caused the script to fail and stop further executing if Herdprotect detected a file as type "Malware". The Herdprotect info would in those cases be missing from the command window, but the Virustotal info for that file would still be displayed.
Information: This will add a new option to the Windows Explorer context menu "Send To" so you can select file(s) and use the right-click pop-up menu to check them on VirusTotal and HerdProtect in one step. The result is displayed in a command prompt window. If any antivirus product detected something, an analysis report is opened in your browser.
VirusTotal.com is a multi-engine scanner service from Google with more than 50 different anti-virus products including:
AVG, Avast, Avira, BitDefender, ESET, F-Secure, GData, Kaspersky, Malwarebytes, Microsoft, Norman, Panda, SUPERAntiSpyware, Sophos, Symantec, TrendMicro and many more.
herdprotect.com is a similar service with some additional antivirus engines, but at the moment it doesn't support single file scans or uploads.
The files won't be uploaded or actually scanned, as only file hashes are used to look up previous scanning results for every specific file and version!
Why check on both VirusTotal and HerdProtect?
HerdProtect has more AV engines than VT, plus they claim they have algorithms that can rule out false positives. So if VirusTotal detected something, HerdProtect might still say it's clean and report the detections as "false positives" (wrongly flagged as detections). Therefore checking both would be a plus, but there's no tool or utility to do that. HerdProtect doesn't support single file scans or uploads, but their knowledge base is reachable via HTTP through file hashes, which is how this solution works.
What does the .bat file actually do?
The command line utility sigcheck from Sysinternals can check files on VirusTotal, and since I couldn't find a similar tool for HerdProtect I had to create one. So in short, sigcheck is used to first check the file on VirusTotal. Then it's used again to get the SHA1 hash, which is combined with the file name (stripped of certain characters) to build the proper URL to HerdProtect's KB. The page source of that URL is downloaded, which is like visiting it but without opening a browser, and parsed to find status, detections etc. To mirror how sigcheck handles VT detections, if a HerdProtect detection exists a browser is opened to show the result.
Note: This solution depends on HerdProtect's current web layout. If that changes so the HerdProtect check doesn't work properly anymore, check back here for an updated version!
Warning: A browser window/tab will open every time VirusTotal or HerdProtect detected something, so don't check too many files at once!
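The lookup the .bat performs (hash the file locally, normalise the name, build the KB URL and read "Scanner detections: N / M" from the page), re-implemented in Python as an added example that is not part of the original tutorial. The sample HTML pages and the fetch callback are constructed so it runs offline; the page layout the parser assumes is the one the batch script's find/tokens logic targets.

```python
import hashlib
import os
import re

# Base URL exactly as the .bat builds it: <name>-<sha1>.aspx
HERDPROTECT_BASE = "http://www.herdprotect.com/"
# Constructed sample pages (not real HerdProtect output) so the parser runs offline.
SAMPLE_DETECTED = '<span class="lbl">Scanner detections:</span><span class="val">3 / 68</span>'
SAMPLE_CLEAN = '<span class="lbl">Scanner detections:</span><span class="val">0 / 68</span>'
SAMPLE_UNKNOWN = "<p>No results were found for this file.</p>"

def sha1_hex(data: bytes) -> str:
    """Lowercase hex SHA1 of a byte string (the same value sigcheck -h prints)."""
    return hashlib.sha1(data).hexdigest()

def sha1_of_file(path: str) -> str:
    """SHA1 of a file read in 1 MiB chunks, so large installers are not loaded whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def herdprotect_slug(filename: str) -> str:
    """Normalise the name the way the .bat does: lowercase, spaces -> '-', drop + ' ( )."""
    slug = filename.lower().replace(" ", "-")
    for ch in "+'()":
        slug = slug.replace(ch, "")
    return slug

def herdprotect_url(filename: str, sha1: str) -> str:
    return f"{HERDPROTECT_BASE}{herdprotect_slug(filename)}-{sha1.lower()}.aspx"

def parse_detections(html: str):
    """Return (detected, total) from the 'Scanner detections: N / M' marker, or None if absent."""
    m = re.search(r"Scanner detections:(?:\s|<[^>]*>)*(\d+)\s*/\s*(\d+)", html)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(html: str) -> str:
    """'unknown' (no KB entry, like the .bat's 'Unknown file'), 'clean' (0 hits) or 'detected'."""
    counts = parse_detections(html)
    if counts is None:
        return "unknown"
    return "clean" if counts[0] == 0 else "detected"

def check_file(path: str, fetch):
    """Hash locally, build the KB URL, fetch(url) -> str and classify; only the hash leaves the host."""
    sha1 = sha1_of_file(path)
    url = herdprotect_url(os.path.basename(path), sha1)
    return classify(fetch(url)), url
```

To run it against the live service, pass a fetch callable such as `lambda u: urllib.request.urlopen(u, timeout=30).read().decode("utf-8", "replace")`; as the tutorial's note says, the parser stops working if the page layout changes.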
Here's How:
1. Download Sigcheck.zip from Sysinternals (Microsoft) or from its homepage: Sigcheck
2. Extract sigcheck.exe either into a folder in your PATH or, for example, into a new folder where you will save or create the .bat file in step 3
3. Download or manually create the .bat file.
4. In the search field of the Windows Start Orb type shell:SendTo and press Enter
Option one: Download the .bat file from here: Check VirusTotal And HerdProtect.bat
Option two: Copy the script below and paste it into a new file. Save/rename it as type .bat
Script:
@echo off
cd /d "%~dp0"
TITLE=Check file(s) on VirusTotal and HerdProtect
IF [%1]==[] GOTO EMPTY
>"%temp%\getTab.vbs" echo WScript.Echo(chr(9))
for /f "delims=" %%x in ('cscript "%temp%\getTab.vbs" //nologo') do set TAB=%%x
:START
REM Exclude any selected directories and only process files
IF EXIST %1\* (
SHIFT
IF NOT [%1]==[] GOTO START
GOTO END
)
set SHA1=
set SHA1FILE=
SET DT=
SET NO_OF_DT=
echo.
echo.
ECHO ***** VIRUSTOTAL *****
sigcheck -q -vr -vt %1
REM echo.
echo ***** HERDPROTECT *****
for /f "delims=!!!" %%A in ('sigcheck -q -h %1 ^| findstr "SHA1: " ^| findstr /V "PESHA1"') do set SHA1=%%A
REM Delete tab, spaces etc so only the SHA1 value remains in the SHA1 variable
Setlocal EnableDelayedExpansion
set SHA1=!SHA1:%TAB%SHA1:%TAB%=!
Setlocal DisableDelayedExpansion
CALL :ToLowerCase SHA1
set SHA1FILE=%~nx1
CALL :ToLowerCase SHA1FILE
REM Replace spaces with minus signs etc (as this is how herdprotect expects it)
set SHA1FILE=%SHA1FILE: =-%
set SHA1FILE=%SHA1FILE:+=%
set SHA1FILE=%SHA1FILE:'=%
set SHA1FILE=%SHA1FILE:(=%
set SHA1FILE=%SHA1FILE:)=%
IF EXIST "%temp%\tempHerdProtect.html" DEL "%temp%\tempHerdProtect.html"
>"%temp%\geturl.vbs" echo Set objArgs = WScript.Arguments
>>"%temp%\geturl.vbs" echo url = objArgs(0)
>>"%temp%\geturl.vbs" echo localFile = objArgs(1)
>>"%temp%\geturl.vbs" echo With CreateObject("MSXML2.XMLHTTP")
>>"%temp%\geturl.vbs" echo .open "GET", url, False
>>"%temp%\geturl.vbs" echo .send
>>"%temp%\geturl.vbs" echo a = .ResponseBody
>>"%temp%\geturl.vbs" echo End With
>>"%temp%\geturl.vbs" echo With CreateObject("ADODB.Stream")
>>"%temp%\geturl.vbs" echo .Type = 1 'adTypeBinary
>>"%temp%\geturl.vbs" echo .Mode = 3 'adModeReadWrite
>>"%temp%\geturl.vbs" echo .Open
>>"%temp%\geturl.vbs" echo .Write a
>>"%temp%\geturl.vbs" echo .SaveToFile localFile, 2 'adSaveCreateOverwrite
>>"%temp%\geturl.vbs" echo .Close
>>"%temp%\geturl.vbs" echo End With
cscript /nologo "%temp%\geturl.vbs" http://www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx "%temp%\tempHerdProtect.html" 2>nul
for /f "tokens=6 delims=^>" %%A in ('type "%temp%\tempHerdProtect.html" ^| find "Scanner detections:"') do SET DT=%%A
REM echo www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx
IF NOT "%DT%"=="" SET DT=%DT:</span=%
IF "%DT%"=="" (
ECHO Unknown file
GOTO NEXT
)
ECHO Detections: %DT%
for /f "tokens=1 delims=/" %%A IN ("%DT%") do SET NO_OF_DT=%%A
SET NO_OF_DT=%NO_OF_DT: =%
IF "%NO_OF_DT%" == "0" GOTO NEXT
ECHO Link: http://www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx
start /D "" www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx
:NEXT
REM echo.
SHIFT
IF NOT [%1]==[] GOTO START
GOTO END
:ToLowerCase
FOR %%i IN ("A=a" "B=b" "C=c" "D=d" "E=e" "F=f" "G=g" "H=h" "I=i" "J=j" "K=k" "L=l" "M=m" "N=n" "O=o" "P=p" "Q=q" "R=r" "S=s" "T=t" "U=u" "V=v" "W=w" "X=x" "Y=y" "Z=z") DO CALL SET "%1=%%%1:%%~i%%"
GOTO EOF
:EMPTY
echo Parameter is missing! Right-click on file(s) and use "Send to" menu.
:END
echo.
pause
:EOF
5. Create a shortcut to the .bat file. Name it for example Check on VirusTotal And HerdProtect
6. In explorer right click a file, go to "Send To" and click the newly added shortcut to the .bat file
Note: Multiple file selections are supported, but any selected directories will be ignored.
If you control outbound firewall connections, you must allow the Windows system file cscript.exe TCP 80 to 54.208.30.101 (herdprotect.com) and sigcheck.exe TCP 443 to 74.125.34.46 (googlehosted.com). Service IP addresses can change, so verify them if the connection is blocked.
If you see the message 'sigcheck' is not recognized as an internal or external command, the .bat file couldn't find sigcheck. Just copy sigcheck.exe to the directory where the .bat file is.
Example (screenshot) of checking 3 different files at once, with 3 different HerdProtect results. Only one is opened in the browser (marked in red):
Note: If the result is Unknown, as with the second file in the screenshot above, I recommend going to virustotal.com and uploading that file to get it checked.
Information: Note that sigcheck also provides signature information in the VirusTotal section, marked in yellow in the screenshot: Verified, Signing date, Publisher