Kick10 Junior Member

Joined: 16 Apr 2006 Posts: 2
Posted: Sun Apr 07, 2013 1:09 am Post subject: Bitchaos WDX plugin
Content plugin with a gentleman's feature set for detecting malware :)
It is able to identify Windows PE executable files, regardless of the extension being used, and show the following information about them:
- Whether the file is packed or encrypted (determined heuristically)
- The validity of the digital signature
- The name of the PE section in which the program entry point is located (useful for detecting infection with file viruses)
- A list of PE sections and their entropy in percent
- The presence of file version information (the information itself is not displayed, only the fact of its presence, for the convenience of Advanced Search)
- A summary of the use of some WinAPI functions (does the application use the network, files, registry, processes, etc.). It analyzes the import table, so dynamically loaded libraries are not considered. The list of API functions can be edited in the file funcgroups.json
- Detection of the file by antivirus software. The plugin checks detection using the file's MD5 hash with the online detection service VirusTotal (uses 50+ antiviruses). This function can be very slow with a poor internet connection. Detections are cached on the user's computer; if you need to rescan files, delete the cache file "verdicts" in the plugin folder.
You can also use the plugin's columns for advanced search and file highlighting.
Please write bug reports here
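The entropy and entry-point columns described in the post above can be illustrated with a small example. This is added example code, not the plugin's own source: the packed/encrypted threshold (PACKED_THRESHOLD_PERCENT), the section table layout and the sample section bytes are all constructed assumptions, and no real PE file is parsed.

```python
import math
from collections import Counter
from typing import List, Optional, Tuple

# Assumed cutoff for the "packed or encrypted" flag: a section whose entropy
# exceeds this share of the 8-bit maximum is treated as packed. The value is a
# constructed assumption for this example, not the plugin's own threshold.
PACKED_THRESHOLD_PERCENT = 85.0

# (name, virtual address, virtual size, raw bytes); constructed for the example,
# not read from a real file.
Section = Tuple[str, int, int, bytes]


def shannon_entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_percent(data: bytes) -> float:
    """Entropy as a percentage of the 8-bit maximum, the form the plugin's columns use."""
    return round(shannon_entropy_bits(data) * 100.0 / 8.0, 2)


def section_entropies(sections: List[Section]) -> List[Tuple[str, float]]:
    """Per-section entropy in percent, in section-table order."""
    return [(name, entropy_percent(raw)) for name, _va, _vs, raw in sections]


def looks_packed(sections: List[Section]) -> bool:
    """Heuristic: flag the file as packed/encrypted if any section exceeds the threshold."""
    return any(pct > PACKED_THRESHOLD_PERCENT for _n, pct in section_entropies(sections))


def entry_point_section(entry_rva: int, sections: List[Section]) -> Optional[str]:
    """Name of the section whose range [VA, VA + VirtualSize) contains the entry point RVA.

    An entry point that lands outside every section, or in a section other than the
    usual code section, is exactly what the plugin's column makes visible.
    """
    for name, va, vsize, _raw in sections:
        if va <= entry_rva < va + vsize:
            return name
    return None


# Constructed sample section table resembling a small PE; the bytes are made up.
SAMPLE_SECTIONS: List[Section] = [
    (".text", 0x1000, 0x1000, b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 64),   # repetitive "code"
    (".rdata", 0x2000, 0x1000, b"This program cannot be run in DOS mode.\r\n" * 16),
    (".data", 0x3000, 0x1000, b"\x00" * 512),                            # zero-filled
    ("UPX1", 0x4000, 0x2000, bytes(range(256)) * 4),                     # uniform bytes, maximal entropy
]


def analyze(entry_rva: int, sections: List[Section]) -> dict:
    """Bundle the three section-derived facts the plugin reports."""
    return {
        "packed": looks_packed(sections),
        "entry_section": entry_point_section(entry_rva, sections),
        "entropy": section_entropies(sections),
    }


if __name__ == "__main__":
    for key, value in analyze(0x4010, SAMPLE_SECTIONS).items():
        print(key, value)
```

With the sample table the zero-filled section scores 0%, the uniform one 100%, and an entry point at RVA 0x4010 resolves to UPX1 rather than .text, which is the combination a reviewer would want highlighted.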
fenix_productions Power Member


Joined: 07 Aug 2005 Posts: 1881 Location: Poland
Posted: Sun Apr 07, 2013 3:15 am
@Kick10
What are the rules for defining that a file is OK for the AV check?
Should the VirusTotal result have no detection at all, or is it percentage based?
Will this plugin show how many scanners detected a virus in the file, or just say NO? What about additional columns with the names of the antiviruses which decided that my file is not safe any more?
It would also be nice to have separate columns for function groups (easier to read that way).
Could you also provide more groups for the average user, or info about them? I know that the word "average" may not fit the TC user base, but searching online for Windows DLL information about networking is too much hassle - there is no network in funcgroups.json.
Either way: simple but GREAT idea this plugin is!
_________________
"When we created the poke, we thought it would be cool to have a feature without any specific purpose." Facebook...
Nigurrath Member


Joined: 05 Feb 2003 Posts: 177
Posted: Sun Apr 07, 2013 3:11 pm
As a WLX it would also be extremely useful!
_________________
TC8.01 32b, WIN7 32b
Kick10 Junior Member

Joined: 16 Apr 2006 Posts: 2
Posted: Tue Apr 09, 2013 10:45 am
Hello, the AV check does the following:
It gets the VT response and checks whether one of the following vendors detected the file as bad:
- Kaspersky
- Symantec
- BitDefender
- NOD32
If so, it returns their detection. If none of them says it's malware, then it checks whether more than 1/3 of all vendors detect it as malware, and displays the verdict of the first vendor that detected it as malware. Otherwise the file is considered OK.
BTW, thanks for your comments, I'm thinking about how to add some of the features you proposed.
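The verdict rule the author describes above, together with the MD5-keyed lookup and local cache from the first post, written out as an added example. This is not the plugin's code: the scan tables, vendor names, detection names and the `lookup` callback are constructed for the example, and dict insertion order stands in for the vendor order of a real VirusTotal response.

```python
import hashlib
from typing import Callable, Dict, Optional

# Vendors whose detection alone decides the verdict, in the order the author listed them.
PRIORITY_VENDORS = ("Kaspersky", "Symantec", "BitDefender", "NOD32")

# Vendor -> detection name, or None when that vendor reported nothing.
Scans = Dict[str, Optional[str]]


def av_verdict(scans: Scans) -> Optional[str]:
    """Apply the post's two rules to one VirusTotal-style scan table.

    Returns the detection name to display, or None when the file counts as OK.
    Dict insertion order is taken as the vendor order of the response, because
    "the first vendor that detected it" depends on that order.
    """
    # Rule 1: a detection by any priority vendor settles it (first listed wins).
    for vendor in PRIORITY_VENDORS:
        if scans.get(vendor):
            return scans[vendor]
    # Rule 2: otherwise more than a third of all vendors must flag the file,
    # and the verdict shown is the first detecting vendor's name for it.
    detecting = [name for name in scans.values() if name]
    if scans and len(detecting) * 3 > len(scans):
        return detecting[0]
    return None


def cache_key(file_bytes: bytes) -> str:
    """MD5 hex digest, the identifier the plugin submits to VirusTotal."""
    return hashlib.md5(file_bytes).hexdigest()


def cached_verdict(file_bytes: bytes,
                   lookup: Callable[[str], Scans],
                   cache: Dict[str, Optional[str]]) -> Optional[str]:
    """Consult the local cache by hash first; call lookup(md5) only on a miss.

    `lookup` is an assumed callback that fetches the scan table for a hash;
    clearing `cache` corresponds to deleting the plugin's "verdicts" file.
    """
    key = cache_key(file_bytes)
    if key not in cache:
        cache[key] = av_verdict(lookup(key))
    return cache[key]


# Constructed scan tables; vendor and detection names are made up for the example.
CLEAN: Scans = {"Kaspersky": None, "Symantec": None, "VendorA": None, "VendorB": None}
# Symantec is a priority vendor, so its verdict wins even though VendorA comes first.
PRIORITY_HIT: Scans = {"VendorA": "Gen.Constructed.1",
                       "Symantec": "Trojan.Constructed.S", "Kaspersky": None}
# 4 of 9 vendors detect (4 * 3 > 9), none of them a priority vendor.
MAJORITY: Scans = {"Kaspersky": None, "Symantec": None, "BitDefender": None, "NOD32": None,
                   "VendorA": "Gen.Constructed.1", "VendorB": "Gen.Constructed.2",
                   "VendorC": "Gen.Constructed.3", "VendorD": "Gen.Constructed.4",
                   "VendorE": None}
# 3 of 9 vendors detect (3 * 3 > 9 is false), so the file is considered OK.
MINORITY: Scans = dict(MAJORITY, VendorD=None)


if __name__ == "__main__":
    for label, table in (("clean", CLEAN), ("priority", PRIORITY_HIT),
                         ("majority", MAJORITY), ("minority", MINORITY)):
        print(label, av_verdict(table))
```

The MINORITY table shows the edge the rule turns on: exactly one third of vendors is not "more than 1/3", so three detections out of nine still yield OK.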