Bitchaos WDX plugin

Kick10
Junior Member
Posts: 2
Joined: 2006-04-16, 17:29 UTC

Post by Kick10 »

Content plugin with a gentleman's feature set for detecting malware :)
It is able to identify Windows PE executable files, regardless of the extension used, and shows the following information about them:

- Whether the file is packed or encrypted (determined heuristically)
- The validity of digital signature
- The name of PE section in which program entry point is located (useful for determining infection with file viruses)
- A list of PE sections and their entropy in percents
- The presence of file version information (the information itself is not displayed, only the fact of its presence, for the convenience of Advanced Search)
- A summary of the use of some WinAPI functions (does the application use the network, files, registry, processes, etc.). It analyzes the import table, so dynamically loaded libraries are not considered. The list of API functions can be edited in the file funcgroups.json
- Detection of the file by antivirus software. The plugin checks detection using the file's MD5 hash with the online detection service VirusTotal (uses 50+ antiviruses). This function can be very slow on a poor internet connection. Detections are cached on the user's computer; if you need to rescan the files, you need to delete the cache file "verdicts" in the plugin folder.
You can also use the plug-in columns for advanced search and file highlighting.

Please write bug reports here
fenix_productions
Power Member
Posts: 1979
Joined: 2005-08-07, 13:23 UTC
Location: Poland

Post by fenix_productions »

@Kick10
What are the rules for deciding that a file is OK in the AV check?
Should VirusTotal result have no detection at all or is it percentage based?

Will this plugin show how many scanners detected a virus in the file or just say NO? What about additional columns with the names of the antiviruses which decided that my file is not safe any more?

It would be also nice to have separate columns for function groups (easier to read that way).

Could you also provide more groups for the average user or info about them? I know that the word "average" may not fit the TC user base, but searching online for information about which Windows DLLs do networking is too much hassle - there is no network group in funcgroups.json.

Either way: simple but GREAT idea this plugin is!
"When we created the poke, we thought it would be cool to have a feature without any specific purpose." Facebook...

Nigurrath
Senior Member
Posts: 225
Joined: 2003-02-05, 12:41 UTC

Post by Nigurrath »

As a WLX it would also be extremely useful!
always latest 32b TC on a WIN10 64b
Kick10
Junior Member
Posts: 2
Joined: 2006-04-16, 17:29 UTC

Post by Kick10 »

@fenix_productions
Hello, the AV check does the following:

Gets VT response, and checks if one of the following vendors detected file as bad:

Kaspersky
Symantec
BitDefender
NOD32

If so, it returns their detection. If none of them says it's malware, then it checks if more than 1/3 of all vendors detect it as malware, and displays the verdict of the first vendor that detected it as malware. Otherwise the file is considered OK.

BTW, thanks for your comments, I'm thinking about how to add some of the features you proposed.
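The two-stage verdict rule described in this post, together with the MD5-keyed cache mentioned in the first post, as an added example that is not the plugin's own code; the per-vendor scan map layout (vendor -> {"detected", "result"}) and the `fetch_scans` callback are assumptions, and the scan results used are constructed:

```python
import hashlib
from typing import Callable, Optional

# Vendors the post names as decisive: a hit from any of them is the verdict.
TRUSTED_VENDORS = ("Kaspersky", "Symantec", "BitDefender", "NOD32")

def verdict_from_scans(scans: dict) -> Optional[str]:
    """Apply the rule from the thread to a per-vendor scan map.

    `scans` maps vendor -> {"detected": bool, "result": str or None}
    (assumed layout, modelled on a VirusTotal per-vendor report; not
    taken from the plugin). Returns "Vendor: name" when the file is
    considered bad, None when it is considered OK.
    """
    hits = [(v, r.get("result") or "detected")
            for v, r in scans.items() if r.get("detected")]
    # Rule 1: a detection by any trusted vendor is decisive.
    for vendor in TRUSTED_VENDORS:
        for v, name in hits:
            if v == vendor:
                return f"{vendor}: {name}"
    # Rule 2: otherwise more than one third of all vendors must flag it;
    # the verdict shown is the first detecting vendor in response order.
    if hits and len(hits) * 3 > len(scans):
        vendor, name = hits[0]
        return f"{vendor}: {name}"
    return None

class VerdictCache:
    """In-memory stand-in for the plugin's "verdicts" file: results are
    keyed by the file's MD5, so an unchanged file is not queried again
    until the cache is cleared."""
    def __init__(self) -> None:
        self._store: dict[str, Optional[str]] = {}

    def lookup(self, data: bytes,
               fetch_scans: Callable[[str], dict]) -> Optional[str]:
        # fetch_scans stands in for the online query (MD5 -> scan map).
        md5 = hashlib.md5(data).hexdigest()
        if md5 not in self._store:
            self._store[md5] = verdict_from_scans(fetch_scans(md5))
        return self._store[md5]

    def clear(self) -> None:
        # Equivalent to deleting the "verdicts" file to force a rescan.
        self._store.clear()
```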
byblo
Senior Member
Posts: 270
Joined: 2005-02-20, 21:13 UTC

Post by byblo »

Hello.

Very useful plugin, thank you :)

Got some questions about how it is working:

- Why is it connecting to detectcache.appspot.com instead of virustotal.com in some occasions?

- Is it possible to connect exclusively to virustotal.com?

- Can you comment the entries from the bitchaos.ini file?