VirusTotal + HerdProtect - Check Files with Simultaneously

    Check Files with VirusTotal + HerdProtect Simultaneously
    Published by
    Designer Media Ltd



    The main purpose of this solution is to check downloaded software before running or installing it!

    Feb 18, 2015: New version of the script code and .bat file. Fixed a bug that caused the script to fail and stop executing further if HerdProtect detected a file as type "Malware". In those cases the HerdProtect info would be missing from the command window, but the VirusTotal info for that file would still be displayed.

       Information
    This will add a new option to the Windows Explorer context menu "Send To" so you can select file(s) and use the right-click pop-up menu to check the file(s) on VirusTotal and HerdProtect in one step. The result will be displayed in a command prompt window. If any antivirus product detected something, an analysis report will be opened in your browser.

    VirusTotal.com is a multi-engine scanner service from Google with more than 50 different anti-virus products, including:
    AVG, Avast, Avira, BitDefender, ESET, F-Secure, GData, Kaspersky, Malwarebytes, Microsoft, Norman, Panda, SUPERAntiSpyware, Sophos, Symantec, TrendMicro and many more.
    herdprotect.com is a similar service with some additional antivirus engines, but at the moment it doesn't support single-file scans or uploads.
    The files won't be uploaded or actually scanned: only file hashes are used to look up previous scanning results for each specific file and version!

    Why check on both VirusTotal and HerdProtect?
    HerdProtect has more AV engines than VT, plus they claim to have algorithms that can rule out false positives. So if VirusTotal detected something, HerdProtect might still say it's clean and report the detections as "false positives" (wrongly flagged as detections). Therefore checking both would be a plus, but there's no tool or utility to do that. HerdProtect doesn't support single-file scans or uploads, but their knowledge base is reachable over HTTP by file hash, which is how this solution works.

    What does the .bat file actually do?
    The command line utility sigcheck from Sysinternals can check files on VirusTotal, and since I couldn't find a similar tool for HerdProtect I had to create one. So in short: sigcheck is used first to check the file on VirusTotal. Then it's used again to get the SHA1 hash. The script then builds the proper URL to HerdProtect's KB from the hash and the file name (with certain characters stripped), and downloads the page source, which is like visiting that specific URL but without opening a browser. Then it parses the HerdProtect web page to find status, detections etc. And to make it behave like sigcheck does for VT detections, if a HerdProtect detection exists it will open a browser to show the result.
       Note
    This solution depends on HerdProtect's current web layout. If that changes so that the HerdProtect check no longer works properly, check back here for an updated version!
       Warning
    A browser window/tab will open every time VirusTotal or HerdProtect detects something, so don't check too many files at once!
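    The hash-based lookup described above, as an added example that is not part of this thread or of the .bat file. It is written in Python rather than batch so the logic can be read and run without cscript or sigcheck: the slug rules (lower-case, spaces to '-', drop + ' ( )) are taken from the script's SHA1FILE lines, the SHA1 is computed the way sigcheck -h reports it, and the "Scanner detections:" value is read from the page text. The HTML fragments, the span class names in them and the hashed byte string are constructed for this example and are not real HerdProtect output.

```python
"""Hash-based HerdProtect knowledge-base lookup, modelled on the .bat file (added example)."""
import hashlib
import re

# Characters the batch file deletes from the lower-cased file name
# (set SHA1FILE=%SHA1FILE:+=% and friends); spaces become '-'.
STRIP_CHARS = "+'()"
KB_URL = "http://www.herdprotect.com/{slug}-{sha1}.aspx"


def herdprotect_slug(file_name):
    """Lower-case the name, turn spaces into '-', drop + ' ( ) exactly as the script does."""
    slug = file_name.lower().replace(" ", "-")
    return "".join(ch for ch in slug if ch not in STRIP_CHARS)


def sha1_hex(data):
    """Lower-case SHA1 hex digest, the value sigcheck -h prints after :ToLowerCase."""
    return hashlib.sha1(data).hexdigest()


def herdprotect_url(file_name, data):
    """The KB URL the script downloads; nothing is uploaded, only the hash leaves the machine."""
    return KB_URL.format(slug=herdprotect_slug(file_name), sha1=sha1_hex(data))


def scanner_detections(page_html):
    """Text next to 'Scanner detections:' (e.g. '2 / 68'), or None for an unknown file.

    The batch file finds this by splitting the line on '>' and taking token 6;
    anchoring on the label instead survives small layout changes better.
    """
    m = re.search(r"Scanner detections:.*?<span[^>]*>\s*([^<]*?)\s*</span>", page_html, re.S)
    return m.group(1) if m else None


def detection_count(dt_text):
    """'2 / 68' -> 2, mirroring 'tokens=1 delims=/' plus the space strip in the script."""
    return int(dt_text.split("/")[0].replace(" ", ""))


def should_open_report(page_html):
    """True when at least one engine flagged the file (the script then starts a browser)."""
    dt = scanner_detections(page_html)
    return dt is not None and detection_count(dt) > 0


# Constructed sample fragments (not real HerdProtect output); the class names are assumed.
SAMPLE_DETECTED = ('<div class="key">Scanner detections:</div>'
                   '<div class="value"><span class="text-red">2 / 68</span></div>'
                   '<br style="clear:both;">')
SAMPLE_CLEAN = ('<div class="key">Scanner detections:</div>'
                '<div class="value"><span class="text-green">0 / 68</span></div>')
SAMPLE_UNKNOWN = '<html><body>We have no record of this file.</body></html>'

if __name__ == "__main__":
    # Constructed file content; a real run would hash the bytes of the selected file.
    print(herdprotect_url("Setup (x64) v1.2+beta's.exe", b"hello world"))
    for label, page in (("detected", SAMPLE_DETECTED), ("clean", SAMPLE_CLEAN), ("unknown", SAMPLE_UNKNOWN)):
        print(label, scanner_detections(page), should_open_report(page))
```

    The one thing this keeps from the script on purpose is that an unknown file (no "Scanner detections:" label on the page) is reported as unknown rather than clean; a hash lookup can only tell you what the service has already seen.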



    Here's How:

    1. Download Sigcheck.zip from Sysinternals (Microsoft): Download

    or from its homepage: Sigcheck


    2. Extract sigcheck.exe either into a folder in your PATH or, for example, into a new folder where you will save or create the .bat file in step 3.

    3. Download or manually create the .bat file.



    Option one

    Download the .bat file from here: Check VirusTotal And HerdProtect.bat






    Option two

    Copy the script below and paste it into a new file. Save/rename it with the .bat extension.



    Script:
    @echo off
    cd /d "%~dp0"
    TITLE=Check file(s) on VirusTotal and HerdProtect
    IF [%1]==[] GOTO EMPTY

    REM Create a one-line VBScript that prints a TAB character (sigcheck separates its columns with tabs)
    >"%temp%\getTab.vbs" echo WScript.Echo(chr(9))
    for /f "delims=" %%x in ('cscript "%temp%\getTab.vbs" //nologo') do set TAB=%%x

    :START
    REM Exclude any selected directories and only process files
    IF EXIST %1\* (
      SHIFT
      IF NOT [%1]==[] GOTO START
      GOTO END
    )
    set SHA1=
    set SHA1FILE=
    SET DT=
    SET NO_OF_DT=

    echo.
    echo.
    ECHO ***** VIRUSTOTAL *****
    sigcheck -vr -vt %1
    REM echo.
    echo.

    echo ***** HERDPROTECT *****
    REM Take the "SHA1:" line from sigcheck -h (not the PESHA1 line)
    for /f "delims=!!!" %%A in ('sigcheck -q -h %1 ^| findstr "SHA1: " ^| findstr /V "PESHA1"') do set SHA1=%%A
    REM Delete tab, spaces etc so only the SHA1 value remains in the SHA1 variable
    Setlocal EnableDelayedExpansion
    set SHA1=!SHA1:%TAB%SHA1:%TAB%=!
    Setlocal DisableDelayedExpansion
    CALL :ToLowerCase SHA1
    set SHA1FILE=%~nx1
    CALL :ToLowerCase SHA1FILE
    REM Replace spaces with minus signs etc (as this is how herdprotect expects it)
    set SHA1FILE=%SHA1FILE: =-%
    set SHA1FILE=%SHA1FILE:+=%
    set SHA1FILE=%SHA1FILE:'=%
    set SHA1FILE=%SHA1FILE:(=%
    set SHA1FILE=%SHA1FILE:)=%
    IF EXIST "%temp%\tempHerdProtect.html" DEL "%temp%\tempHerdProtect.html"
    REM Write a small VBScript downloader that saves the page source of a URL to a local file
    >"%temp%\geturl.vbs" echo Set objArgs = WScript.Arguments
    >>"%temp%\geturl.vbs" echo url = objArgs(0)
    >>"%temp%\geturl.vbs" echo localFile = objArgs(1)
    >>"%temp%\geturl.vbs" echo With CreateObject("MSXML2.XMLHTTP")
    >>"%temp%\geturl.vbs" echo .open "GET", url, False
    >>"%temp%\geturl.vbs" echo .send
    >>"%temp%\geturl.vbs" echo a = .ResponseBody
    >>"%temp%\geturl.vbs" echo End With
    >>"%temp%\geturl.vbs" echo With CreateObject("ADODB.Stream")
    >>"%temp%\geturl.vbs" echo .Type = 1 'adTypeBinary
    >>"%temp%\geturl.vbs" echo .Mode = 3 'adModeReadWrite
    >>"%temp%\geturl.vbs" echo .Open
    >>"%temp%\geturl.vbs" echo .Write a
    >>"%temp%\geturl.vbs" echo .SaveToFile localFile, 2 'adSaveCreateOverwrite
    >>"%temp%\geturl.vbs" echo .Close
    >>"%temp%\geturl.vbs" echo End With
    cscript /nologo "%temp%\geturl.vbs" http://www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx "%temp%\tempHerdProtect.html" 2>nul
    REM Token 6 of the "Scanner detections:" line, split on ">", holds the detection count
    for /f "tokens=6 delims=^>" %%A in ('type "%temp%\tempHerdProtect.html" ^| find "Scanner detections:"') do SET DT=%%A
    REM echo www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx
    IF NOT "%DT%"=="" SET DT=%DT:</span=%
    IF "%DT%"=="" (
      ECHO         Unknown file
      GOTO NEXT
    )
    ECHO         Detections:     %DT%

    for /f "tokens=1 delims=/" %%A IN ("%DT%") do SET NO_OF_DT=%%A
    SET NO_OF_DT=%NO_OF_DT: =%
    IF "%NO_OF_DT%" == "0" GOTO NEXT

    ECHO         Link:           http://www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx
    start "" http://www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx

    :NEXT
    REM echo.
    SHIFT
    IF NOT [%1]==[] GOTO START
    GOTO END

    :ToLowerCase
    FOR %%i IN ("A=a" "B=b" "C=c" "D=d" "E=e" "F=f" "G=g" "H=h" "I=i" "J=j"  "K=k" "L=l" "M=m" "N=n" "O=o" "P=p" "Q=q" "R=r" "S=s" "T=t" "U=u" "V=v"  "W=w" "X=x" "Y=y" "Z=z") DO CALL SET "%1=%%%1:%%~i%%"
    GOTO EOF

    :EMPTY
    echo Parameter is missing! Right-click on file(s) and use "Send to" menu.

    :END
    echo.
    pause

    :EOF

    4. In the search field of the Windows Start Orb type shell:SendTo and press Enter

    5. Create a shortcut to the .bat file. Name it for example Check on VirusTotal And HerdProtect

    6. In Explorer, right-click a file, go to "Send To" and click the newly added shortcut to the .bat file

       Note
    Multiple file selections are supported, but any selected directories will be ignored.

    If you control outbound firewall connections you must allow the Windows system file cscript.exe TCP 80 to 54.208.30.101 (herdprotect.com) and sigcheck.exe TCP 443 to 74.125.34.46 (googlehosted.com)

    If you see the message 'sigcheck' is not recognized as an internal or external command, the .bat file couldn't find sigcheck. Just copy sigcheck.exe to the directory where the .bat file is.
    Example of checking 3 different files at once, with 3 different HerdProtect results. Only one is opened in the browser (marked in red):

    [Screenshot: VirusTotal + HerdProtect - Check Files with Simultaneously-hpresult.png]

       Note
    If the result is Unknown, as with the second file in the screenshot above, I recommend going to virustotal.com and uploading that file to get it checked.


       Information
    Note that sigcheck also provides signature information in the VirusTotal section, marked in yellow:
    Verified, Signing date, Publisher



  1. Posts : 70,219
    64-bit Windows 10 Pro
       #1

    Good job Tookeri. :)


  2. Posts : 4,566
    Windows 10 Pro
       #2

    Very nicely done.


  3. Posts : 76
    Windows 7 64bit
       #3

    Hope you don't mind but could I ask a couple of questions regarding this?

    Is this used in addition to an installed anti-virus product such as MSE? It reads like that is the case and that this is just an additional check that you can perform.

    Does either Herdprotect and\or VirusTotal have to be installed? I think that the answer is no as both are web addresses but I would like to be certain.

    Thanks


  4. Posts : 1,049
    Windows 7 Pro 32
    Thread Starter
       #4

    I use this myself primarily to check new downloaded files, but also to check any other files I'm suspicious of. Even if you have a good anti-virus, you shouldn't rely on that it'll catch everything because it's just not possible with the amount of new malware "released" every day. So this is an easy way to check the files with all major anti-virus products (and maybe some questionable ones too that more often show false positives, but that's the way it is)

    Not even checking with all these different anti-virus products can guarantee the file is 100% clean, but it's much better than only having your own anti-virus product check it. And for example most anti-virus products are bad at detecting PUPs - Potentially Unwanted Programs, not necessarily malicious but bad IMO, and some of these products can detect these.
    If I check a file and it shows as unknown, I then upload it manually on virustotal.com. For HerdProtect you can't do that at the moment, not even if you have HerdProtect installed.

    It's a standalone solution that only requires sigcheck.exe besides the batch file. The other functions that are used are part of Windows. So no, it doesn't require either HerdProtect or VirusTotal to be installed.


  5. Posts : 1
    Windows 7 x64
       #5

    Tookeri, please add to the beginning of your script a line:
    Code:
    cd /d "%~dp0"
    to fix the problem with drag&drop object on a bat-file from another folder.

    WBR, Alex.


  6. Posts : 57
    Primary OS: Archlinux with Kde-Plasma5 x86-64. Secondary OS: Windows 8.1 x64. UEFI Setup.
       #6

    Hello Tookeri,

    Thanks for making that script, it will come in handy in my toolkit.
    I did find some problems though:
    • Herdprotect changed layout so detection info is moved to a new div and now uses a text called 'Explanation:'.
    • The script will scan anything as long as it is not a folder and will error on those, such as things that do not exist.
    • As the post above, the script will not be able to use the tools it needs if run from another dir with cmd.
    • The variable 'AN_DATE' has problems with parentheses (try adding anything behind the variable in an echo, you'll see)
    • The code is kinda chaotic in my opinion.
    • The embedded script 'geturl.vbs' could be separate so as not to have to write a file in temp every time the script loops. (not really a problem, but the script would look cleaner )
    • Instead of setting 7 variables to nothing, you should be using a setlocal and endlocal to keep a separate environment for every loop.
    • Filenames that contain special characters like parentheses will break the script.

    While finding those mishaps, i also restyled your script in my own image, fixing the above (except the special characters breaking).

    getUrl.vbs
    Code:
    Set objArgs = WScript.Arguments
    url = objArgs(0)
    localFile = objArgs(1)
    With CreateObject("MSXML2.XMLHTTP")
    .open "GET", url, False
    .send
    a = .ResponseBody
    End With
    With CreateObject("ADODB.Stream")
    .Type = 1 'adTypeBinary
    .Mode = 3 'adModeReadWrite
    .Open
    .Write a
    .SaveToFile localFile, 2 'adSaveCreateOverwrite
    .Close
    End With
    Check VirusTotal And HerdProtect.cmd
    Code:
    @ECHO OFF
    TITLE=Check file[s] on VirusTotal and HerdProtect
    SETLOCAL ENABLEDELAYEDEXPANSION
    CD /D "%~dp0"
    
    
    IF "%~1"=="" (
    	ECHO(Parameter is missing! Please drop the file[s] on the script to scan it.
    	PAUSE
    	EXIT /B 1
    )
    
    
    :MAIN
    IF not "%~1"=="" (
    	IF exist "%~1" (
    		IF not exist "%~1\" (
    			ECHO(%~nx1
    			ECHO(══════════════════════════════════════════════════════════
    			CALL :VRSTL "%~1"
    			ECHO(
    			CALL :HRDPT "%~1"
    			ECHO(══════════════════════════════════════════════════════════
    			ECHO(
    		) else (
    			ECHO(Folders are not allowed: '%~nx1'
    			ECHO(
    		)
    	) else (
    		IF "%~nx1"=="" (
    			ECHO(File can not be found: "%~1"
    			ECHO(
    		) else (
    			ECHO(File can not be found: "%~nx1"
    			ECHO(
    		)
    	)
    ) else (
    	ENDLOCAL
    	PAUSE
    	EXIT /B 0
    )
    SHIFT
    GOTO :MAIN
    
    
    :VRSTL
    ECHO(***** VIRUSTOTAL *****
    sigcheck.exe -q -vr -vt "%~1"
    EXIT /B 0
    
    
    :HRDPT
    ECHO(***** HERDPROTECT *****
    SETLOCAL ENABLEDELAYEDEXPANSION
    REM Just so ya know, if ya copy paste this script on a forum board, the tab below will most likely change to spaces and render the script broken!
    SET "TAB=	"
    FOR /F  "delims=!!!" %%A in ('sigcheck.exe -q -h "%~1" ^| FINDSTR "SHA1: " ^| FINDSTR /V "PESHA1"') do (
    	SET "SHA1=%%A"
    )
    SET "SHA1=!SHA1:%TAB%SHA1:%TAB%=!"
    CALL :ToLowerCase SHA1
    SET "SHA1FILE=%~nx1"
    CALL :ToLowerCase SHA1FILE
    SET "SHA1FILE=!SHA1FILE: =-!"
    SET "SHA1FILE=!SHA1FILE:+=!"
    SET "SHA1FILE=!SHA1FILE:'=!"
    IF exist "!TEMP!\tempHerdProtect.html" (
    	DEL "!TEMP!\tempHerdProtect.html"
    )
    CSCRIPT /nologo "geturl.vbs" http://www.herdprotect.com/!SHA1FILE!-!SHA1!.aspx "!TEMP!\tempHerdProtect.html" 2>nul
    IF exist "!TEMP!\tempHerdProtect.html" (
    	FOR /F "tokens=6 delims=^>" %%A in ('TYPE "!TEMP!\tempHerdProtect.html" ^| FIND "Scanner detections:"') do (
    		SET "DT=%%A"
    		IF not "%%A"=="!DT:</span=!" (
    			SET "DT=!DT:</span=!"
    		)
    	)
    	IF not "!DT!"=="" (
    		FOR /F "tokens=5,6 delims=^>" %%A in ('TYPE "!TEMP!\tempHerdProtect.html" ^| FIND "Status:"') do (
    			SET "STSA=%%A"
    			SET "STSB=%%B"
    			IF not "!STSA!"=="!STSA:</div=!" (
    				SET "STS=ECHO:        Status:         !STSA:</div=!"
    			) else (
    				IF not "!STSB!"=="!STSB:</span=!" (
    					SET "STS=ECHO:        Status:         !STSB:</span=!"
    				)
    			)
    		)
    		FOR %%A in (Explanation: Note:) do (
    			FOR /F "tokens=5 delims=^>" %%B in ('TYPE "!TEMP!\tempHerdProtect.html" ^| FIND "%%A"') do (
    				SET "STS_INFOA=%%B"
    				IF not "!STS_INFOA!"=="!STS_INFOA:</div=!" (
    					SET "STS_INFO=ECHO:        %%A    !STS_INFOA:</div=!"
    				)
    			)
    		)
    		FOR /F "tokens=6 delims=^>" %%A in ('TYPE "!TEMP!\tempHerdProtect.html" ^| FIND "Analysis date:"') do (
    			SET "AN_DATEA=%%A"
    			IF not "!AN_DATEA!"=="!AN_DATEA:</span=!" (
    				SET "AN_DATE=ECHO:        Analysis date:  !AN_DATEA:</span=!"
    			)
    		)
    		ECHO(        Detection:      !DT!
    		!STS!
    		!AN_DATE!
    		!STS_INFO!
    		FOR /F "tokens=1 delims=/" %%A in ("!DT!") do (
    			SET "NO_OF_DT=%%A"
    		)
    		SET "NO_OF_DT=!NO_OF_DT: =!"
    		IF not "!NO_OF_DT!" equ "0" (
    			ECHO(
    			ECHO( Opening www.herdprotect.com/!SHA1FILE!-!SHA1!.aspx
    			start /D "" www.herdprotect.com/!SHA1FILE!-!SHA1!.aspx
    		)
    	) else (
    		ECHO(        Unknown file
    	)
    ) else (
    	ECHO(Was Not able to connect to:
    	ECHO(http://www.herdprotect.com/!SHA1FILE!-!SHA1!.aspx
    )
    DEL "!TEMP!\tempHerdProtect.html" 2>nul
    ENDLOCAL
    EXIT /B 0
    
    
    :TOLOWERCASE
    FOR %%i in ("A=a" "B=b" "C=c" "D=d" "E=e" "F=f" "G=g" "H=h" "I=i" "J=j"  "K=k" "L=l" "M=m" "N=n" "O=o" "P=p" "Q=q" "R=r" "S=s" "T=t" "U=u" "V=v"  "W=w" "X=x"  "Y=y" "Z=z") do (
    	CALL SET "%1=%%%1:%%~i%%"
    )
    EXIT /B
    The main script expects getUrl.vbs and sigcheck.exe to be in the same folder as the script, but the folder containing those files could be easily changed by editing in the main script the path 'CD /D "%~dp0"' to CD /D "%~dp0\config\" for a subfolder.
    getTab.vbs has been removed and replaced by a real tab in the variable 'TAB' so as to have even fewer operations (too bad for forums that convert tabs to spaces though ).

    Well that's all, sorry for the lecturing, i am sorta a perfectionist and love to tinker with useful scripts and code people have written.

    Hopefully it will be useful to someone.
    Last edited by Midori; 28 Feb 2015 at 02:03. Reason: Tiny code update to be able to process files and paths like 'Program Files (86)'.


  7. Posts : 1,049
    Windows 7 Pro 32
    Thread Starter
       #7

    Thanks for the input, Midori. I'm sure it'll be useful to someone.

    I'm not going to comment on everything right now as I think most things are minor issues like having a separate .vbs file, using setlocal/endlocal, restyling etc.

    Regarding the 'Explanation' info I've only used the 'Status' info but both sections from it and the second section is the one with a short explanation, for example (2 probable false positive detections). My script still works and HerdProtect hasn't changed anything in their layout about the 'Status' information. I think the shorter explanation is enough.

    My instructions are to select one or a few files in explorer and use the right click context menu to run the script, not by drag and drop. The instructions should be easy to follow even for non-experienced users.
    The only real problem I'm aware of is the special characters one, but it should work for most files and especially programs, which are the main purpose for this script. I may be more of a perfectionist in the logic of the program and not the actual code. And again any special characters in file names may break that, but I still think it's a minor issue. But I will adjust it for parentheses:

    Code:
    set SHA1FILE=%SHA1FILE:(=%
    set SHA1FILE=%SHA1FILE:)=%
    
    or for your example with DelayedExpansion:
    SET "SHA1FILE=!SHA1FILE:(=!"
    SET "SHA1FILE=!SHA1FILE:)=!"


  8. Posts : 57
    Primary OS: Archlinux with Kde-Plasma5 x86-64. Secondary OS: Windows 8.1 x64. UEFI Setup.
       #8

    Tookeri said:
    Thanks for the input, Midori. I'm sure it'll be useful to someone.

    I'm not going to comment on everything right now as I think most things are minor issues like having a separate .vbs file, using setlocal/endlocal, restyling etc.
    True, i posted these not to incorporate them into the script (I posted my version for that), but to help you and any person wandering around here.
    Tookeri said:
    Regarding the 'Explanation' info I've only used the 'Status' info but both sections from it and the second section is the one with a short explanation, for example (2 probable false positive detections). My script still works and HerdProtect hasn't changed anything in their layout about the 'Status' information. I think the shorter explanation is enough.
    I tested your script again and on a positive (detected) return of the second FOR loop containing the text 'Status:' it still returns the html code:
    Code:
    <br style="clear:both;">
    This renders the script broken (defective) or, when fixed, looks ugly.

    I also checked the html page of herdprotect and am not able to find that different short explanation of the detection near 'Status:', just only below it the "Explanation:" which i wrote about.

    Tookeri said:
    My instructions are to select one or a few files in explorer and use the right click context menu to run the script, not by drag and drop. The instructions should be easy to follow even for non-experienced users.
    Yeh, i know. It's just what i use it for, a rightclick menu is not useful to me so i changed it to be more to my taste.
    You can change the error-text though if you wish.


  9. Posts : 1,049
    Windows 7 Pro 32
    Thread Starter
       #9

    Thanks again! I've looked at it now and the second Status info I'm referring to is surprisingly missing from non-zero detections that are NOT false positives. Detections that are false positives look like this, where the info inside the second span tags is what I meant as the second Status info:
    Code:
    <div class="key">Status:</div><div class="value"><span class="text-green">Clean</span>&nbsp;&nbsp;<span style="color: #999999;">(2 probable false positive detections)</span></div><br style="clear:both;"></div>
    So a little tricky and easy to miss. I must have tested it only on non-zero detections where all detections were classified as false positives. HerdProtect seems to have different HTML code for different status types. I noticed that for Adware detections the Explanation info is missing but a Description info is there instead. But not always: sometimes there's none of them but a "What does it do?" section instead. So very confusing!

    I'll have to take a closer look at the Explanation info for different detections as well as zero ones and see if I maybe can switch to that.
    But maybe the best approach is to only get the Status (Clean, Adware etc.) and ignore the rest including the Explanation and Description info. After all, if it's a non-zero detection the report will open in a browser where you'll get all additional information. Luckily the VirusTotal info is processed before this error might occur for HerdProtect.
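    The layout variations discussed in the last few posts (a Status value with and without the second span, and the trailing <br style="clear:both;"> that upset the token split on '>') are the kind of thing a real HTML parser copes with better than fixed-position tokens. This is an added example, not code from the thread, written in Python: the first fragment is the one Tookeri quoted above; the second (with an assumed class name text-red and a made-up detection count) and the third are constructed for the example, not real HerdProtect output.

```python
"""Parse the HerdProtect Status block from a page fragment without relying on token positions."""
from html.parser import HTMLParser


class StatusParser(HTMLParser):
    """Collect the <span> texts inside the <div class="value"> that follows <div class="key">Status:</div>.

    Layout assumed from the fragment quoted in the thread: the first span is the
    status word, an optional second span carries a note such as
    "(2 probable false positive detections)". Any <br> or extra closing tags
    after the value div are ignored instead of landing in the result.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._in_key = False
        self._key_text = ""
        self._last_key = ""
        self._in_value = False
        self._in_span = False
        self._span_text = ""
        self.spans = []        # span texts found inside the Status value div
        self._done = False     # stop after the first Status block

    def handle_starttag(self, tag, attrs):
        if self._done:
            return
        cls = dict(attrs).get("class", "")
        if tag == "div" and cls == "key":
            self._in_key, self._key_text = True, ""
        elif tag == "div" and cls == "value" and self._last_key == "Status:":
            self._in_value = True
        elif tag == "span" and self._in_value:
            self._in_span, self._span_text = True, ""

    def handle_endtag(self, tag):
        if self._done:
            return
        if tag == "div" and self._in_key:
            self._in_key = False
            self._last_key = self._key_text.strip()
        elif tag == "span" and self._in_span:
            self._in_span = False
            self.spans.append(self._span_text.strip())
        elif tag == "div" and self._in_value:
            self._in_value = False
            self._done = True

    def handle_data(self, data):
        if self._in_key:
            self._key_text += data
        elif self._in_span:
            self._span_text += data


def parse_status(page_html):
    """Return (status, note), e.g. ('Clean', '(2 probable false positive detections)') or ('Adware', None).

    (None, None) means the page has no Status block, i.e. the file is unknown to the service.
    """
    p = StatusParser()
    p.feed(page_html)
    p.close()
    if not p.spans:
        return None, None
    return p.spans[0], (p.spans[1] if len(p.spans) > 1 else None)


def status_line(page_html):
    """The console line the script would print for this page."""
    status, note = parse_status(page_html)
    if status is None:
        return "Unknown file"
    return "Status:         " + status + (" " + note if note else "")


# The fragment quoted in the thread (false-positive case).
PAGE_FALSE_POSITIVE = ('<div class="key">Status:</div><div class="value"><span class="text-green">Clean</span>'
                       '&nbsp;&nbsp;<span style="color: #999999;">(2 probable false positive detections)</span>'
                       '</div><br style="clear:both;"></div>')
# Constructed: a real detection with no second span; class name and count are assumed.
PAGE_DETECTED = ('<div class="key">Scanner detections:</div><div class="value"><span class="text-red">3 / 68</span>'
                 '</div><br style="clear:both;"><div class="key">Status:</div><div class="value">'
                 '<span class="text-red">Adware</span></div><br style="clear:both;"></div>')
# Constructed: no Status block at all.
PAGE_UNKNOWN = "<html><body><p>No results.</p></body></html>"

if __name__ == "__main__":
    for page in (PAGE_FALSE_POSITIVE, PAGE_DETECTED, PAGE_UNKNOWN):
        print(parse_status(page), "->", status_line(page))
```

    Because the parser keys on the label text rather than on how many '>' characters precede the value, a <br> or an extra wrapper div in the page changes nothing, which is what the token-based FOR /F loops in both scripts cannot promise.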


 