Hashes, the shortest way to verify suspected files

Without doubt, scanning files with a multi-engine online scanner such as virustotal.com gives the most accurate picture of whether a file is infected, because such a service scans the file not with a single antivirus but with more than 40 antivirus engines; it is one of the best ways to make sure our computer does not get infected with malware, and prevention is always better than cure. The only problem with such services is the time needed to upload the file, especially when the service is overloaded.

A quick solution to this is to install a small program called HashTab 3.0, a Windows shell extension that calculates many hashes of a file: MD5, SHA1, SHA2 and others. Once installed, it is enough to open File Properties (right-click menu) and look at the newly created tab, “File Hashes”, where you can see all the hashes the program calculates for the file.

I will take the MagicISO.exe file as an example:

[screenshot: File Properties of MagicISO.exe, image not available]

and its hashes:

[screenshot: the File Hashes tab, image not available]

As you can see, for MagicISO.exe the MD5 hash is BBCD4031915BFEC425AF2C4B83E6BC70.

We can submit this hash (or one of the other supported hashes: md5/sha1/sha256) to the virustotal.com Hash Search and, if the file was previously scanned, we see the scan results immediately without having to upload the file and wait. Even a google.com search for the hash very often turns up results from other sites such as www.threatexpert.com/ with a lot of information about the file.

The rule is: if a file is infected with a virus, trojan or other malware, its hashes differ from the original, so we can compare hashes to know whether a file has been changed. Comparing the hashes with the originals provided by the software authors is the best way to prevent computer infections, because nobody can infect a file without altering its hashes.
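To show the comparison described above in working code, here is an added Python example (not from the post and not part of HashTab) that computes the same three hashes in one pass, checks a file against a hash published by the software author, and demonstrates that changing a single byte changes the result. The file names, the sample "installer" contents and the `demo` helper are constructed for the illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")

# The hex digest length tells us which algorithm a published hash uses.
DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def file_hashes(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single pass, reading in
    chunks so a large installer does not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_against_published(path, published):
    """Compare a file with the hash the software author published.
    The algorithm is chosen from the hex length; the comparison is
    case-insensitive and constant-time. Prefer SHA-256 when the vendor
    offers it: MD5 still catches modifications, but is no longer
    collision-resistant, so an attacker could craft two files sharing it."""
    published = published.strip().lower()
    algo = DIGEST_LEN.get(len(published))
    if algo is None or any(c not in "0123456789abcdef" for c in published):
        raise ValueError("not an MD5/SHA-1/SHA-256 hex digest")
    actual = file_hashes(path)[algo]
    return algo, hmac.compare_digest(actual, published)


def demo(tmp_dir):
    """Constructed sample: a stand-in installer plus a copy that differs in one
    byte, checked against the SHA-256 'published' for the genuine file."""
    original = Path(tmp_dir) / "installer.bin"
    tampered = Path(tmp_dir) / "installer_tampered.bin"
    payload = b"MZ" + b"\x00" * 62 + b"constructed sample executable body" * 100
    original.write_bytes(payload)
    tampered.write_bytes(payload[:-1] + bytes([payload[-1] ^ 0x01]))
    published = file_hashes(original)["sha256"].upper()  # as a vendor might list it
    return {"original": verify_against_published(original, published),
            "tampered": verify_against_published(tampered, published)}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))  # original verifies, tampered copy does not
```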
