Windows "Send to" VirusTotal/HerdProtect (.bat file)

NikK
NikK Posts: 903 Forum Champion

This is a script I've been working on. Hopefully someone else will find it as useful as I do. It's a batch file that you add to the Windows context menu "Send to". Then in Windows Explorer you select file(s) or folder(s), right-click and select "Send to" => VirusTotal - HerdProtect

 

VirusTotal and HerdProtect are two multi-engine scanners, currently working with 53 vs. 68 AV engines.

 

  1. Download Sigcheck 2.1 from Sysinternals (Published May 2, 2014) and save the exe file either in your path or in the same folder the .bat file in step 2 will be created
  2. Create a new text document and name it CheckVTandHerdProtect.bat (or anything.bat)
  3. Copy everything in the spoiler below and paste it in the .bat file. Then save it.
  4. Go to C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\SendTo  (where USERNAME is your Windows log in name) Or simply press Win+R and type shell:sendto
  5. Add a shortcut to the .bat file

I haven't tested this on a 64-bit OS, but you may have to change the shortcut to use the 32-bit cmd.exe which is located in C:\Windows\SysWOW64 so the shortcut should be like C:\Windows\SysWOW64\cmd.exe /C "C:\CheckVTandHerdProtect.bat"  Note the /C in the middle!
(it may sound strange but the SysWOW64 is actually for 32-bit and the System32 is for 64-bit programs)

 

Now test and right-click a file in Windows Explorer, select the "Send to" menu, then "VirusTotal - HerdProtect" and follow the instructions.

 

The .bat file content is in the spoiler below:

Spoiler
@echo off
REM sigcheck.exe needs to be either in the path or in the "Start in" folder of the shortcut in the Send To menu
REM "Send To" shortcuts are in: C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\SendTo
REM where USERNAME should be replaced with your logged in name in Windows

TITLE=Sigcheck - VirusTotal - HerdProtect
IF [%1]==[] GOTO EMPTY
echo Parameter: %1
IF EXIST %1\* GOTO FOLDER
set PARAMTYPE=FILE
echo File name: %~nx1
GOTO MENU

:FOLDER
set PARAMTYPE=DIRECTORY
echo Directory name: %~nx1

:MENU
IF NOT [%2]==[] ECHO (multiple parameters detected. assuming all parameters is of type '%PARAMTYPE%')
echo.
echo ----------------------------------------------------------------------------------------------
echo Options:
echo F. (for Files) Show signed/unsigned info + Open VT report for unknown/non-zero files
echo D. (for Directories) Only show files that are unknown by VirusTotal or have non-zero detection
echo    + open VT report
echo    Info: Scans executable images only (regardless the extensions of the files)
echo S. (same as option D but with Subdirectories)
echo H. (for files) Search the files SHA1 hash on www.herdprotect.com
echo ----------------------------------------------------------------------------------------------
IF EXIST %1\* ECHO Tip: You can use option F also for directories, to get detailed info for every file
echo NOTE: 
echo      - Unknown files will be uploaded to VirusTotal
echo      - For VirusTotal options(F,D,S) a browser will be opened only for unknown/non-zero files
echo      - For HerdProtect(H) a browser will be opened for EACH FILE! 
echo.
choice /C FDSH /M "Enter one of the choices above (or close this window to cancel)"
echo.

if errorlevel 4 GOTO MENU_H
if errorlevel 3 GOTO MENU_S
if errorlevel 2 GOTO MENU_D
if errorlevel 1 GOTO MENU_F
goto EOF

:MENU_F
echo.
ECHO ***** Processing %1 ... *****
sigcheck -q -h -a -vrs -vt %1
SHIFT
IF NOT [%1]==[] GOTO MENU_F
GOTO END

:MENU_D
echo.
ECHO ***** Processing %1 ... *****
sigcheck -q -u -e -vrs -vt %1
SHIFT
IF NOT [%1]==[] GOTO MENU_D
GOTO END

:MENU_S
echo.
ECHO ***** Processing %1 ... *****
sigcheck -q -u -s -e -vrs -vt %1
SHIFT
IF NOT [%1]==[] GOTO MENU_S
GOTO END

:MENU_H
echo.
REM Get the SHA1 for the file and store the output in a txt file
sigcheck -q -h %1 | findstr "SHA1: " | findstr /V "PESHA1" > tempSHA1.txt
set /p SHA1=<tempSHA1.txt
REM Delete tab, spaces etc so only the SHA1 value remains in the SHA1 variable
set SHA1=%SHA1:	SHA1:	=%
CALL :ToLowerCase SHA1
set SHA1FILE=%~nx1
CALL :ToLowerCase SHA1FILE
REM Replace spaces with minus signs (as this is how herdprotect expects it)
set SHA1FILE=%SHA1FILE: =-%
echo Launching browser: www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx
start /D "" www.herdprotect.com/%SHA1FILE%-%SHA1%.aspx
SHIFT
IF NOT [%1]==[] GOTO MENU_H
GOTO END

:ToLowerCase
FOR %%i IN ("A=a" "B=b" "C=c" "D=d" "E=e" "F=f" "G=g" "H=h" "I=i" "J=j" "K=k" "L=l" "M=m" "N=n" "O=o" "P=p" "Q=q" "R=r" "S=s" "T=t" "U=u" "V=v" "W=w" "X=x" "Y=y" "Z=z") DO CALL SET "%1=%%%1:%%~i%%"
GOTO EOF

:EMPTY
echo Parameter is missing! Right-click on a file/folder and use "Send to" menu.

:END
pause

:EOF

 

 

 

Notes:

  • If you select multiple items, only select objects of the same type, ie either only files or only folders, because the menu option you choose will be reused for all items.
  • If you scan a directory and get the result "No matching files were found." it means that all files had zero detections on VirusTotal and none of the files were "unknown".
  • For unknown(not previously scanned) files on VirusTotal, the scan results may not be available for five or more minutes.
  • If a file hasn't been scanned on HerdProtect the browser will redirect to the KB page of herdProtect
  • When opening a browser for herdProtect no browser is specified, so hopefully the default browser is launched. The command is start /D ""   To specify a specific browser, add it after "" Example: start /D "" firefox.exe
  • For herdProtect a temp file named tempSHA1.txt will be created to be able to move the SHA1 from the sigcheck output into a variable in the .bat file
  • Neither sigcheck nor the .bat file requires admin rights
  • The bat file is tested on Win 7 but will hopefully work on Win 8 as well. For XP there'll be problems with the CHOICE command and maybe more.

 

To see example outputs, click the spoiler below:

Spoiler
Parameter: "C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe"
File name: Foxit Reader.exe

----------------------------------------------------------------------------------------------
Options:
F. (for Files) Show signed/unsigned info + Open VT report for unknown/non-zero files
D. (for Directories) Only show files that are unknown by VirusTotal or have non-zero detection
   + open VT report
   Info: Scans executable images only (regardless the extensions of the files)
S. (same as option D but with Subdirectories)
H. (for files) Search the files SHA1 hash on www.herdprotect.com
----------------------------------------------------------------------------------------------
NOTE:
     - Unknown files will be uploaded to VirusTotal
     - For VirusTotal options(F,D,S) a browser will be opened only for unknown/non-zero files
     - For HerdProtect(H) a browser will be opened for EACH FILE!

Enter one of the choices above (or close this window to cancel) [F,D,S,H]?F


***** Processing "C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe" ... *****
c:\program files\foxit software\foxit reader\Foxit Reader.exe:
        Verified:       Signed
        Signing date:   10:57 2013-07-22
        Publisher:      Foxit Corporation
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    32-bit
        Binary Version: 6.0.6.722
        Original Name:  n/a
        Internal Name:  n/a
        Copyright:      n/a
        Comments:       n/a
        Entropy:        6.684
        MD5:    BA628CB4B2EFE4FDFB327EC84AE4A51C
        SHA1:   6B2F1CBCB7C94212F2FBEB7B32D350EB0E063995
        PESHA1: C1FC944AE3196841780F971FC05D9D431935F649
        PE256:  21B730AD50DD307D9609742A006D03B310CD784F79EDC3903792B2C26FBCB6DC
        SHA256: 8100EB871811667CEE9171B59B59342109BB46EAD75D7AF1CA902F0FEC62F511
        VT detection:   0/48
        VT link:        https://www.virustotal.com/file/8100eb871811667cee9171b59b59342109bb46ead75d7af1ca902f0fec62f511
/analysis/
Press any key to continue . . .


------------------------------------------------------------------------------------------------
Example if you choose option H for herdProtect:

Launching browser: www.herdprotect.com/foxit-reader.exe-6b2f1cbcb7c94212f2fbeb7b32d350eb0e063995.aspx
Press any key to continue . . .

 

 

Comments

  • Simon
    Simon Posts: 2,667 Superuser

    I was wondering where you'd got to.  Smiley Very Happy

     

    That looks a very useful tool, Nick.  thumb.gif

  • NikK
    NikK Posts: 903 Forum Champion

    Hi there Simon, yeah been busy writing code, and this was one of my projects Smiley Wink

     

    I'm worried if it'll work in 64-bit. If anyone has problems let me know and I'll try and help.

  • Simon
    Simon Posts: 2,667 Superuser

    I don't think this is something I would use too regularly, but I've just set it up for testing on my Win 7 machine (32bit), and I'm getting this at the bottom of the screen when pressing any of the options:

     

    'sigcheck' is not recognized as an internal or external command,
    operable program or batch file.
    Press any key to continue . . .


    What am I doing wrong?

  • Simon
    Simon Posts: 2,667 Superuser

    That's better, it works now.  hatoff.gif

  • Thanks a ton, was about to create something like this myself but decided to search first. Works perfect, and I already had sigcheck in my path beforehand. Kudos.
This discussion has been closed.
Pricing & Product Info