Check Files with VirusTotal + HerdProtect Simultaneously

The main purpose of this solution is to check downloaded software before running or installing it!

Feb 18, 2015: New version of the script code and .bat file. Fixed a bug that caused the script to fail and stop executing further if HerdProtect detected a file as type "Malware". The HerdProtect info would in those cases be missing from the command window, but the VirusTotal info for that file would still be displayed.

Information
This will add a new option to the Windows Explorer context menu "Send To" so you can select file(s) and use the right-click pop-up menu to check the file(s) on VirusTotal and HerdProtect in one step. The result will be displayed in a command prompt window. If any antivirus product detected something, an analysis report will be opened in your browser.

VirusTotal.com is a multi-engined scanner service from Google with more than 50 different anti-virus products including:
AVG, Avast, Avira, BitDefender, ESET, F-Secure, GData, Kaspersky, Malwarebytes, Microsoft, Norman, Panda, SUPERAntiSpyware, Sophos, Symantec, TrendMicro and many more.
herdprotect.com is a similar service with some additional antivirus engines but at the moment doesn't support single file scans or uploads.
The files won't be uploaded or actually scanned as only file hashes are used to find previous scanning results for every specific file and version!

Why check on both VirusTotal and HerdProtect?
HerdProtect has more AV engines than VT, plus they claim they have algorithms that can rule out false positives. So if VirusTotal detected something, HerdProtect might still say it's clean and report the detections as "false positives" (wrongly flagged as detections). Therefore checking both would be a plus, but there's no tool or utility to do that. HerdProtect doesn't support single file scans or uploads, but their knowledge base is available via HTTP through file hashes, which is how this solution works.

What does the .bat file actually do?
The command line utility sigcheck from Sysinternals can check files on VirusTotal, and since I couldn't find a similar tool for HerdProtect I had to create one. So in short, sigcheck is used to first check the file on VirusTotal. Then it's used again to get the SHA1 hash, then the script builds the proper URL to HerdProtect's KB using the hash and the file name stripped of certain characters, and then downloads the page source, which is like visiting that specific URL but without opening a browser. Then it parses the result from the HerdProtect web page to find status, detections etc. And to make it similar to how sigcheck handles VT detections, if a HerdProtect detection exists it will open a browser to show the result.
Note
This solution is dependent on HerdProtect's current web layout. If that changes so the HerdProtect check doesn't work properly anymore, check back here for an updated version!
Warning
A browser window/tab will open every time VirusTotal or HerdProtect detected something, so don't check too many files at once!

Here's How:

1. Download Sigcheck.zip from Sysinternals (Microsoft), or from its homepage: Sigcheck

2. Extract sigcheck.exe either into a folder in your PATH or, for example, into a new folder where you will save or create the .bat file in step 3

3. Download or manually create the .bat file.

Option one

Download the .bat file from here: Check VirusTotal And HerdProtect.bat (forum attachment)

Option two

Copy the script below and paste it into a new file. Save/rename it with the .bat extension.

Code:
@echo off
REM Work from the folder that holds this .bat (and sigcheck.exe, unless it is in PATH)
cd /d "%~dp0"
TITLE Check file(s) on VirusTotal and HerdProtect
IF [%1]==[] GOTO EMPTY

REM Create a tiny VBScript that prints a TAB character. sigcheck separates
REM labels from values with tabs, and the string replacement below needs one
 >"%temp%\getTab.vbs" echo WScript.Echo(chr(9))
for /f "delims=" %%x in ('cscript "%temp%\getTab.vbs" //nologo') do set TAB=%%x

:START
REM Exclude any selected directories and only process files
IF EXIST %1\* (
  SHIFT
  IF NOT [%1]==[] GOTO START
  GOTO END
)
set SHA1=
set SHA1FILE=
SET DT=
SET NO_OF_DT=

echo.
echo.
ECHO ***** VIRUSTOTAL *****
REM -vt looks the file's hash up on VirusTotal, -vr opens the report in a browser if something was detected
sigcheck -q -vr -vt %1

echo ***** HERDPROTECT *****
REM Take the "SHA1:" line from the sigcheck -h output, skipping the "PESHA1:" line
for /f "delims=!!!" %%A in ('sigcheck -q -h %1 ^| findstr "SHA1: " ^| findstr /V "PESHA1"') do set SHA1=%%A
REM Delete tab, spaces etc so only the SHA1 value remains in the SHA1 variable.
REM The ENDLOCAL line leaves the delayed-expansion scope but keeps the cleaned
REM value (%SHA1% is expanded before ENDLOCAL runs); without it every file
REM would nest one more SETLOCAL and cmd gives up after 32 of them
Setlocal EnableDelayedExpansion
set SHA1=!SHA1:%TAB%SHA1:%TAB%=!
endlocal & set SHA1=%SHA1%
CALL :ToLowerCase SHA1
set SHA1FILE=%~nx1
CALL :ToLowerCase SHA1FILE
REM Replace spaces with minus signs etc (as this is how herdprotect expects it)
set SHA1FILE=%SHA1FILE: =-%
set SHA1FILE=%SHA1FILE:+=%
set SHA1FILE=%SHA1FILE:'=%
set SHA1FILE=%SHA1FILE:(=%
set SHA1FILE=%SHA1FILE:)=%
IF EXIST "%temp%\tempHerdProtect.html" DEL "%temp%\tempHerdProtect.html"
REM Write a small VBScript that downloads a URL to a local file (no browser needed)
 >"%temp%\geturl.vbs" echo Set objArgs = WScript.Arguments
>>"%temp%\geturl.vbs" echo url = objArgs(0)
>>"%temp%\geturl.vbs" echo localFile = objArgs(1)
>>"%temp%\geturl.vbs" echo With CreateObject("MSXML2.XMLHTTP")
>>"%temp%\geturl.vbs" echo .open "GET", url, False
>>"%temp%\geturl.vbs" echo .send
>>"%temp%\geturl.vbs" echo a = .ResponseBody
>>"%temp%\geturl.vbs" echo End With
>>"%temp%\geturl.vbs" echo With CreateObject("ADODB.Stream")
>>"%temp%\geturl.vbs" echo .Type = 1 'adTypeBinary
>>"%temp%\geturl.vbs" echo .Mode = 3 'adModeReadWrite
>>"%temp%\geturl.vbs" echo .Open
>>"%temp%\geturl.vbs" echo .Write a
>>"%temp%\geturl.vbs" echo .SaveToFile localFile, 2 'adSaveCreateOverwrite
>>"%temp%\geturl.vbs" echo .Close
>>"%temp%\geturl.vbs" echo End With
REM Fetch the HerdProtect knowledge-base page for this file name + hash
cscript /nologo "%temp%\geturl.vbs" http://www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx "%temp%\tempHerdProtect.html" 2>nul
REM Pull the "x/y" value that follows "Scanner detections:" out of the page source
for /f "tokens=6 delims=^>" %%A in ('type "%temp%\tempHerdProtect.html" ^| find "Scanner detections:"') do SET DT=%%A
REM echo www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx
IF NOT "%DT%"=="" SET DT=%DT:</span=%
REM No "Scanner detections:" line means HerdProtect has never seen this hash
IF "%DT%"=="" (
  ECHO         Unknown file
  GOTO NEXT
)
ECHO         Detections:     %DT%

REM The number before the slash is how many engines flagged the file
for /f "tokens=1 delims=/" %%A IN ("%DT%") do SET NO_OF_DT=%%A
SET NO_OF_DT=%NO_OF_DT: =%
IF "%NO_OF_DT%" == "0" GOTO NEXT

ECHO         Link:           http://www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx
REM Mirror sigcheck -vr: open the report in the default browser on a detection
start "" "http://www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx"

:NEXT
SHIFT
IF NOT [%1]==[] GOTO START
GOTO END

REM Lower-case the value of the variable whose name is passed as %1
:ToLowerCase
FOR %%i IN ("A=a" "B=b" "C=c" "D=d" "E=e" "F=f" "G=g" "H=h" "I=i" "J=j"  "K=k" "L=l" "M=m" "N=n" "O=o" "P=p" "Q=q" "R=r" "S=s" "T=t" "U=u" "V=v"  "W=w" "X=x" "Y=y" "Z=z") DO CALL SET "%1=%%%1:%%~i%%"
GOTO :EOF

:EMPTY
echo Parameter is missing! Right-click on file(s) and use "Send to" menu.

:END
echo.
pause

:EOF
4. In the search field of the Windows Start menu type shell:SendTo and press Enter

5. Create a shortcut to the .bat file. Name it, for example, Check on VirusTotal And HerdProtect

6. In Explorer, right-click a file, go to "Send To" and click the newly added shortcut to the .bat file

   Note
Multiple file selections are supported, but any selected directories will be ignored.

If you control outbound firewall connections you must allow the Windows system file cscript.exe TCP 80, 54.208.30.101 (herdprotect.com) and sigcheck.exe TCP 443, 74.125.34.46 (googlehosted.com)

If you see the message 'sigcheck' is not recognized as an internal or external command, it means the .bat file couldn't find sigcheck. Just copy sigcheck.exe to the directory where the .bat file is.

Example of checking 3 different files at once, with 3 different HerdProtect results. Only one is opened in the browser (marked in red):

[Screenshot: hpresult.png]

   Note
If the result is Unknown, as with the second file in the screenshot above, I recommend going to virustotal.com and uploading that file to get it checked.


   Information
Note that sigcheck also provides signature information in the VirusTotal section, marked in yellow:
Verified, Signing date, Publisher

Tiny code update to my own script in 'Post 6' to be able to process paths like 'Program Files (x86)' by also using 'EnableDelayedExpansion' in the main part.
The script will not be able to read files or paths containing '!', but that is less important than every special character breaking the script.

Have a good day ^^.
Has something changed, or is my PC having a hissy fit of some description? Tried to check a couple of files this morning only to be greeted with the following:

Code:
***** VIRUSTOTAL *****
e:\users\butters\desktop\f5 stuff\cfgwkst.pdf:
        Verified:       Unsigned
        File date:      12:16 30/08/2016
        Publisher:      n/a
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    n/a
        VT detection:   0/53
        VT link:        https://www.virustotal.com/file/ce3cf51eef902276ab6e0e05
583a5945d0aa7ad54abb3042270a45e5c6afa2a4/analysis/
***** HERDPROTECT *****
        Unknown file

Press any key to continue . . .

Tried it with another pdf file and a couple of other random files as well with similar results.
The scripts in this thread do not send/scan files.
What these scripts do is look up the databases of VirusTotal and HerdProtect (AKA Check Files).

For VirusTotal, the program 'sigcheck.exe' is used for the lookup.
For HerdProtect, the SHA1 hash is used to download the HTML page. After downloading, the page is read and used.
If the HTML page does not contain a line containing the text 'Scanner detections:', the file was never identified before.

PDFs, images, etc. usually do not contain a lot of metadata. That is why you see a lot of N/A on these tags; this does not affect the lookup though.

If the script were to send every file to the server, the checks might take a long time and, unless their server rejects already scanned files, they might be spammed with repeated continuous file uploads.
Else I could have made it 'optionally' send unknown files through my script, if I knew how to. That way it could contribute to increasing the database of HerdProtect :3.


If still in doubt, I recommend trying my script in post #6. Mine is more functional and you might have more luck with it.

Unrelated: Hey Tookeri, after more than a year of leaving it alone, my script still works :D.
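Added example, not code from this thread or from the HerdProtect/Sysinternals tools, that reproduces in Python the lookup steps described in the first post ("What does the .bat file actually do?") and in this reply: hash the file, build the HerdProtect KB URL from the normalised file name and SHA1, and read the "Scanner detections:" value from saved page source. The HTML fragments are constructed in the layout the batch script assumes, and the regex is a looser stand-in for the script's "tokens=6 delims=>" trick, so a real page may need adjusting.

```python
import hashlib
import re

# Characters the batch script strips from the file name before building the
# URL (spaces become "-"); mirrors its "set SHA1FILE=..." lines
STRIPPED_CHARS = "+'()"

def sha1_hex(data: bytes) -> str:
    """Lower-case SHA1 hex digest of the file content (what sigcheck -h prints)."""
    return hashlib.sha1(data).hexdigest()

def herdprotect_slug(filename: str) -> str:
    """Normalise a file name the way the batch script does."""
    slug = filename.lower().replace(" ", "-")
    for ch in STRIPPED_CHARS:
        slug = slug.replace(ch, "")
    return slug

def herdprotect_url(filename: str, sha1: str) -> str:
    """Knowledge-base URL for one file name + hash, in the form the script uses."""
    return f"http://www.herdprotect.com/{herdprotect_slug(filename)}-{sha1.lower()}.aspx"

def parse_detections(html: str):
    """Return the 'x/y' after 'Scanner detections:', or None if the hash is unknown."""
    m = re.search(r"Scanner detections:.*?(\d+\s*/\s*\d+)\s*</span", html, re.S)
    return m.group(1).replace(" ", "") if m else None

def classify(html: str) -> str:
    """Same three outcomes the batch script prints for the HerdProtect part."""
    dt = parse_detections(html)
    if dt is None:
        return "Unknown file"
    flagged = int(dt.split("/")[0])  # engines that flagged the file
    return f"Detections: {dt}" + (" (report opened)" if flagged else "")

# Constructed page fragments in the layout the batch script assumes; they are
# not real HerdProtect output
SAMPLE_HIT = '<span class="l">Scanner detections:</span><span class="v">3/68</span>'
SAMPLE_CLEAN = '<span>Scanner detections:</span>\n<span>0/68</span>'
SAMPLE_UNKNOWN = "<p>No information about this file.</p>"

if __name__ == "__main__":
    sha1 = sha1_hex(b"constructed file content")
    print(herdprotect_url("Setup (x86) v1.0.exe", sha1))
    for page in (SAMPLE_HIT, SAMPLE_CLEAN, SAMPLE_UNKNOWN):
        print(classify(page))
```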