VT Hash Check

VT Hash Check adds a Windows Explorer context menu that allows you to query the Virus Total file database, view and comment on database results, and optionally upload new files for analysis. Results may be saved in plain text, CSV, or JSON. VT Hash Check comes with TrID built-in for identifying unknown files.

VT Hash Check will interpret its command line arguments as a list of files to check, allowing it to be used in other ways besides right-clicking a file. A user on Wilder's Security Forum suggested combining VT Hash Check with DownloadStatusBar for Firefox, for example. (Newer versions of Firefox do not support this addon; however, an updated version from another author is available.)

 

Download|GPG Sig (?)

License:Boredom Software Freeware License
Platform(s): Win32 (XP and newer)
 

 


 

[Images: the VT Hash Explorer context menu item; the VT Hash progress window; the VT Hash results with a comment window in the foreground]

 

Current Version 

The most current version of VT Hash Check is 1.57 (Last update: May 29, 2016).

Changelog

  • 1.56-1.57
    • Fix: Results context menu now functions properly when invoked by the keyboard
    • Fix: File uploads no longer fail if the filename contains Unicode characters
    • Change: Scan date now given in UTC
    • Fix: Updated OpenSSL
    • Add: --view argument
  • 1.55-1.56
    • Fix: Additional hashes now update the window as they are computed
    • Add: Search engine presets
    • Add: Better descriptions of how results can be sorted



Command line parameters

Besides file paths, you may optionally pass several command line arguments:

  • --prefs Opens the settings window instead of checking a file
  • --trid Runs a TrID analysis of the input file(s) instead of a hash check
  • --debug Writes debugging info to the system log. Use a tool like DbgView to view the debug messages.
  • --insecure Disables SSL certificate validation (not recommended)
  • --update Shows the updater window instead of checking a file
  • --about Shows the about window instead of checking a file

TrID mode from the context menu

You can add a context menu item which runs only a TrID analysis by using this registry script:

SSL Certificate Authorities

VT Hash Check ships with a list of trusted CAs. This list is the default list of trusted authorities used by Mozilla products, and includes a number of CAs that Virus Total may never actually use. You may optionally provide your own list of trustworthy CAs. This may be useful in situations where you need to trust a proxy's certificate or allow similarly friendly MITM "attacks" on your SSL connections, but using the --insecure command line parameter is undesirable.

List your trusted authorities in a file named certlist.pem saved to VT Hash's data folder. The data folder is located at %USERDATA%\Boredom Software\VT Hash\. The file format is standard PEM.

Issues

Symptom: Auto-updater doesn't install the latest version
Solution: clear your temporary files and/or manually install version 1.52 or later.

Symptom: Crashes immediately with a Win32.Win32Exception; error number and message vary.
Solution: Install version 1.55 or later.
Explanation: This may be due to running under a service account (i.e. certain security products) or because the current Windows user has no password. VT Hash Check uses the Windows Crypto API to calculate hashes, but is erroneously initializing the whole API, including those parts used to access persistent cryptographic keys of a user. This fails if the user doesn't have a password configured. As of version 1.52 only the hashing API is initialized. For more info refer to the documentation for the CRYPT_VERIFYCONTEXT flag to the CryptAcquireContext function.

Symptom: Crashes immediately with a Win32.Win32Exception; error number: -2146893816; error message: Invalid Algorithm Specified.
Solution: Install version 1.55 or later.
Explanation: SHA256 is not supported when running under Windows XP. Version 1.55 and later will detect Windows XP and disable SHA256; if SHA256 was previously selected then it's changed to SHA1.

Using the search engine feature

You may optionally define an Internet search engine which you can use to search for results from the context menu:

[Image: the search feature being demonstrated]

To define a search engine, open the Settings window and enter the URL and display name of the search engine to use. Use the string %PARAMETER% as a placeholder in the URL for the search parameter. For example, Google's URL would be: https://encrypted.google.com/search?q=%PARAMETER%

Further Notes

To use this application you will need a Virus Total API key. VT Hash Check will prompt you to fill in your key the first time you run it. You can get an API key by signing up for a free Virus Total community account. Virus Total limits the number of requests made to its API to 4-10 per minute unless the particular API key has been granted higher limits. VT Hash Check should work just fine with both standard API keys and keys which have been granted higher request limits, but possibly not with the private API 2.0.

By default, the SHA256 checksum is computed. MD5 and SHA1 may also be used if SHA256 proves too slow; however, MD5 is vulnerable to collisions and is not recommended for operations requiring a high level of security [1]. SHA1 is similarly not recommended, though to a lesser degree.

When attempting to check the hashes of executable files obtained from the Internet or accessed via a network share, users are likely to see a warning similar to these:

VT Hash Check does not actually launch or execute any file processed through it. It reads the data from the file, computes the hash based on the data, and then closes it. The data is treated the same way whether the file being hashed is an executable or an image or a text file. As such it is safe to click "Run" in these prompts.
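
The workflow these notes describe (read a file's bytes, hash them, and query at no more than 4 requests per minute) is shown below as an added example in Python; it is not VT Hash Check's own code. `RequestPacer`, `check_files` and the `lookup` callable that stands in for the Virus Total request are hypothetical names.

```python
import hashlib
import time
from collections import deque


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file's raw bytes; the content is never parsed or executed."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:  # read-only, closed when the block exits
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class RequestPacer:
    """Sliding window: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit=4, window=60.0, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.sent = deque()  # timestamps of requests still inside the window

    def wait_for_slot(self):
        """Block until a request is allowed; return the seconds waited."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        waited = 0.0
        if len(self.sent) >= self.limit:
            waited = self.window - (now - self.sent[0])
            self.sleep(waited)
            now = self.clock()
            self.sent.popleft()
        self.sent.append(now)
        return waited


def check_files(paths, lookup, pacer, algorithm="sha256"):
    """Return {path: (hash, report)}; identical content costs one request."""
    reports, results = {}, {}
    for path in paths:
        file_hash = hash_file(path, algorithm)
        if file_hash not in reports:
            pacer.wait_for_slot()
            reports[file_hash] = lookup(file_hash)  # hypothetical API call
        results[path] = (file_hash, reports[file_hash])
    return results
```

Because the lookup is keyed on the hash, duplicate files in the argument list do not consume extra requests from the per-minute quota.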

Showing comments 1 to 10 of 42 | Next | Last
Hank
Comment
Re: SSL
Reply #42 on : Wed May 11, 2016, 10:21:58 CDT
Could you bundle the upcoming version with the latest OpenSSL DLLs again? Thanks :)
Andrew
Comment
Re:
Reply #41 on : Wed February 17, 2016, 18:35:38 CST
Could you elaborate? Unicode paths should work out of the box.
Max
Comment
Re:
Reply #40 on : Tue February 16, 2016, 12:55:08 CST
Add work with unicode symbols to path
Andrew
Comment
Sorting
Reply #39 on : Mon September 28, 2015, 02:49:05 CDT
New version adds user-configurable default sorting.
joe
Comment
Re:
Reply #38 on : Wed September 23, 2015, 16:40:07 CDT
thanks, that would be great.

About half the time even a file I'm pretty sure is clean will get a few hits, and rather than have to scroll down, it would save time to be able to see who the AV is right away.
Andrew
Comment
Re:
Reply #37 on : Wed September 23, 2015, 11:38:32 CDT
Right now, they are listed in the order which VirusTotal sends them, and you can change the order by clicking on the column headings. A user preference to auto sort shouldn't be difficult.
joe
Comment
another suggestion
Reply #36 on : Wed September 23, 2015, 11:27:01 CDT
Hi,
for the VT results GUI, would it be possible to automatically stack any positive hits at the top and then maybe a blank line and then below that the AVs that returned "clean"? Also alphabetized if possible. Maybe user selected option if others don't want?
Chase
Comment
Re:
Reply #35 on : Sun September 20, 2015, 21:46:32 CDT
Well I switched the Trusted Publishers settings in Local Policy > Software Restriction Policies back to the way I originally had them... tight, the way that puts a "Safer" key in your registry that is notorious for interfering with things. And VTHC is still working just fine.

So apparently I had to switch the settings down low just to do the initial scan, or that test via the green check mark to the right of the API key in the exe. After that you can put the settings back on high and the app continues to work fine.
Andrew
Comment
Re:
Reply #34 on : Sat September 19, 2015, 12:06:45 CDT
Yes, Virus Total keeps a full copy of every file submitted to it, and it shares these files with third-parties like AV companies and researchers. You should not upload any file that you wouldn't want to share publicly.

Since Virus Total keeps every file it receives, re-scanning simply submits the file they already have to up-to-date scanners and updates the public scan results accordingly.

I like the idea of re-checking newly uploaded files. File submissions accepted over the public API (like with VTHC) are given the lowest priority in the scan queue. At times of heavy load it can take up to an hour or more for the file to be scanned. I'll have to think about how best to implement this.

For the moment you can click on the "Permalink to results" link in the file upload window to open the results page in your web browser. Once the scan completes the page should automatically refresh to show the results.
anon
Comment
one more
Reply #33 on : Fri September 18, 2015, 20:38:29 CDT
on this part you said:

"Rescans do not require re-uploading since even the slightest change in the file will alter the hash value being queried."

so you're saying that VT keeps the files?

Only thing I worry about is if a scan was from 4-5 years ago and the scan found nothing then but newer definitions could find something now. I hear that sometimes new malware can get a clean scan before the AV companies get on to them.