Content plugin with a gentleman's feature set for determining malware :)
It is able to identify Windows PE executable files, regardless of the extension used, and shows the following information about them:
- Whether the file is packed or encrypted (determined heuristically)
- The validity of the digital signature
- The name of the PE section in which the program entry point is located (useful for detecting infection by file viruses)
- A list of PE sections and their entropy in percent
- The presence of file version information (the information itself is not displayed, only the fact of its presence, for convenience in Advanced Search)
- A summary of the use of some WinAPI functions (does the application use the network, files, registry, processes, etc.). It analyzes the import table, so dynamically loaded libraries are not considered. The list of API functions can be edited in the file funcgroups.json
- Detection of the file by antivirus software. The plugin checks detection using the file's MD5 hash with the online detection service VirusTotal (uses 50+ antiviruses). This function can be very slow with a poor internet connection. Detections are cached on the user's computer; if you need to rescan the files, delete the cache file "verdicts" in the plugin folder.
You can also use the plugin's columns for advanced search and file highlighting.
Please write bug reports here
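To make two of the columns above concrete, here is an added example (my own Python, not the Bitchaos plugin's code): a minimal PE section walker that names the section containing the entry point and reports each section's entropy in percent. The PE image it inspects is constructed by build_test_pe() and is not a real executable; the section names, RVAs and byte patterns are assumptions chosen so the results are easy to check by hand.

```python
"""Added example, not the Bitchaos plugin's own code: a minimal PE section
walker reproducing two columns from the feature list, the section holding
the entry point and per-section entropy in percent. The PE image it
inspects is constructed below and is not a real executable."""
import math
import struct
from collections import Counter

SECTION_HEADER_SIZE = 40
PE32_OPT_HEADER_SIZE = 224


def shannon_entropy_percent(data: bytes) -> float:
    """Shannon entropy in bits per byte, scaled so 8 bits (random) = 100%."""
    if not data:
        return 0.0
    n = len(data)
    bits = 0.0
    for count in Counter(data).values():
        p = count / n
        bits -= p * math.log2(p)
    return bits / 8 * 100


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, va, vsize, raw_ptr, raw_size)])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)
    table = opt + opt_size                           # section table
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return entry_rva, sections


def entry_point_section(pe: bytes) -> str:
    """Section whose virtual range contains the entry point, or 'OUTSIDE'.
    Compilers put it in the code section, so anything else is a cheap
    tampering indicator worth a closer look."""
    entry_rva, sections = parse_sections(pe)
    for name, va, vsize, raw_ptr, raw_size in sections:
        if va <= entry_rva < va + max(vsize, raw_size):
            return name
    return "OUTSIDE"


def section_entropies(pe: bytes) -> dict:
    """Entropy (percent) of each section's raw file bytes."""
    _, sections = parse_sections(pe)
    return {name: shannon_entropy_percent(pe[raw_ptr:raw_ptr + raw_size])
            for name, va, vsize, raw_ptr, raw_size in sections}


def build_test_pe(entry_rva: int, sections) -> bytes:
    """Assemble a header-only PE32 image around (name, rva, raw_bytes) tuples.
    Constructed test input; nothing here is loadable or runnable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       PE32_OPT_HEADER_SIZE, 0x0102)
    opt = bytearray(PE32_OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    headers_end = (e_lfanew + 4 + len(coff) + len(opt)
                   + len(sections) * SECTION_HEADER_SIZE)
    first_raw = (headers_end + 0x1FF) & ~0x1FF       # 512-byte file alignment
    raw_ptr, table, body = first_raw, bytearray(), bytearray()
    for name, rva, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), rva, len(data), raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    image = dos + b"PE\0\0" + coff + opt + table
    image += bytes(first_raw - len(image))           # pad up to first section
    return bytes(image + body)


# Constructed sections: plain code, zeroed data, and a uniformly distributed
# section named ".xyz" that also holds the entry point.
SAMPLE_SECTIONS = [
    (".text", 0x1000, b"\x90\xc3" * 256),        # two byte values -> 1 bit
    (".data", 0x2000, bytes(512)),               # all zeros -> 0 bits
    (".xyz", 0x3000, bytes(range(256)) * 2),     # uniform -> 8 bits
]


def build_sample_pe() -> bytes:
    return build_test_pe(0x3010, SAMPLE_SECTIONS)


if __name__ == "__main__":
    pe = build_sample_pe()
    print("entry point in:", entry_point_section(pe))
    for name, pct in section_entropies(pe).items():
        print(f"{name:8s} {pct:6.1f}%")
```

The entropy column is the one to watch: a code section near 100% is what a packer or encrypting loader leaves behind, while an entry point outside the code section (or outside every section) is the classic sign of an appended infector. A real scanner would also bounds-check PointerToRawData against the file size before slicing.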
Bitchaos WDX plugin
fenix_productions:
@Kick10
What are the rules for deciding that a file is OK in the AV check?
Should the VirusTotal result have no detections at all, or is it percentage based?
Will this plugin show how many scanners detected a virus in the file, or just say NO? What about additional columns with the names of the antiviruses which decided that my file is not safe any more?
It would also be nice to have separate columns for function groups (easier to read that way).
Could you also provide more groups for the average user, or info about them? I know that the word "average" may not fit the TC user base, but searching online for Windows DLL information about networking is too much hassle - there is no network group in funcgroups.json.
Either way: a simple but GREAT idea this plugin is!
Hello, the AV check does the following:
It gets the VT response and checks whether one of the following vendors detected the file as bad:
- Kaspersky
- Symantec
- BitDefender
- NOD32
If so, it returns their detection. If none of them says it's malware, it then checks whether more than 1/3 of all vendors detect it as malware, and displays the verdict of the first vendor that detected it as malware. Otherwise the file is considered OK.
BTW, thanks for your comments; I'm thinking about how to add some of the features you proposed.
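The verdict rule Kick10 describes, written out as an added example (my own Python, not the plugin's code) together with the MD5-keyed cache the first post mentions. The vendor result tables are constructed; the VendorA..VendorE names, detection strings and the fetch callable standing in for the VirusTotal lookup are all assumptions, and the cache is kept in memory unless a path is given.

```python
"""Added example, not the Bitchaos plugin's code: the AV verdict rule from
the thread (trusted vendors first, then a >1/3 consensus threshold) plus an
MD5-keyed verdict cache. All vendor tables below are constructed samples."""
import hashlib
import json
import os
from typing import Callable, Dict, Optional

# Vendors whose detection is accepted outright, as listed in the thread.
TRUSTED_VENDORS = ("Kaspersky", "Symantec", "BitDefender", "NOD32")


def verdict(results: Dict[str, Optional[str]]) -> str:
    """results maps vendor name -> detection name, or None when clean.
    Returns the detection name to display, or 'OK'."""
    for vendor in TRUSTED_VENDORS:
        if results.get(vendor):
            return results[vendor]
    flagged = [(vendor, det) for vendor, det in results.items() if det]
    # Strictly more than one third of all vendors must agree.
    if results and len(flagged) > len(results) / 3:
        return flagged[0][1]          # first vendor that flagged it
    return "OK"


class VerdictCache:
    """MD5 -> verdict cache; persisted as JSON when a path is given, so
    deleting the file forces a rescan, as the first post describes."""

    def __init__(self, path: Optional[str] = None):
        self.path = path
        self.data: Dict[str, str] = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.data = json.load(f)

    def lookup(self, file_bytes: bytes,
               fetch: Callable[[str], Dict[str, Optional[str]]]) -> str:
        """fetch(md5_hex) stands in for the online query and returns a
        vendor -> detection table; it is only called on a cache miss."""
        md5 = hashlib.md5(file_bytes).hexdigest()
        if md5 not in self.data:
            self.data[md5] = verdict(fetch(md5))
            if self.path:
                with open(self.path, "w") as f:
                    json.dump(self.data, f)
        return self.data[md5]


# Constructed vendor tables (hypothetical VendorA..VendorE, 9 vendors total).
_CLEAN_TRUSTED = {v: None for v in TRUSTED_VENDORS}
SAMPLE_TRUSTED_HIT = dict(_CLEAN_TRUSTED, NOD32="Win32/Constructed.A",
                          VendorA=None, VendorB=None, VendorC=None,
                          VendorD=None, VendorE=None)
SAMPLE_CONSENSUS = dict(_CLEAN_TRUSTED, VendorA="Gen.Trojan.Constructed",
                        VendorB="Trojan.Sample", VendorC="Heur.Packed",
                        VendorD="Riskware.Test", VendorE=None)   # 4 of 9
SAMPLE_MINORITY = dict(_CLEAN_TRUSTED, VendorA="Gen.Trojan.Constructed",
                       VendorB="Trojan.Sample", VendorC="Heur.Packed",
                       VendorD=None, VendorE=None)                # 3 of 9


if __name__ == "__main__":
    for label, table in (("trusted", SAMPLE_TRUSTED_HIT),
                         ("consensus", SAMPLE_CONSENSUS),
                         ("minority", SAMPLE_MINORITY)):
        print(f"{label:10s} -> {verdict(table)}")
```

Note the edge the thresholds create: with 9 vendors, 3 detections is exactly 1/3 and therefore OK, while 4 tips it to malware. A column that exposes the raw count alongside the verdict (as fenix_productions asked for) would make that boundary visible to the user instead of hiding it behind a single string.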