Check unsigned files at VirusTotal with Sysinternals’ Sigcheck
Microsoft Sysinternals has released Sigcheck 2.0, the latest edition of its digital signature verification tool.
Okay, it’s true, a command line utility which scans for signed executables doesn’t exactly sound interesting. At all. But wait: this version’s new VirusTotal support means it could be a very useful addition to your malware-hunting toolkit.
To get a general feel for how the program works, open a command window, enter something like:
sigcheck c:\windows\system32
and you’ll see the details of every executable file, its digital signature, signing date, publisher, description, product and more.
Life gets more interesting when you start using VirusTotal. Sigcheck requires that you accept the site’s terms and conditions first, but with that done, enter a command like:
sigcheck -e -u -vn -vt c:\windows\system32
Now the program will scan your \Windows\System32 folder for unsigned files, then upload whatever it finds to VirusTotal, before listing anything that at least one of the engines thinks is malware.
It’s not uncommon for lesser known programs to have one or two hits, of course, but you probably shouldn’t have unsigned files in that folder anyway, so investigate anything that turns up. (Or if nothing is listed at all, try pointing Sigcheck at your Downloads folder and you should see a few more alerts.)
This is just the start; Sigcheck 2.0 supports plenty of other command line switches. You can have the program show more version information, recurse subdirectories, query VirusTotal with file hashes, export its data in csv format, and more. Enter sigcheck with no switches for the full list.