32. Generic Checks
32.1. File Path Checks
The checks listed in the following table apply to any file path string in many different modules.
Attribute | Question | Answer | Indication | Weight
---|---|---|---|---
FILE | Is the file located in a temporary directory? (e.g. …) | Yes | Bad | Medium
FILE | Does the path contain elements in a local language? (e.g. …) | Yes | Good | Medium
FILE | Does the file have matches on other systems as well? | Yes, more than 1 | |
 | | Yes, on more than 10 | Good | Medium
 | | Yes, on more than 100 | Good | High
FILE | Is the file name known on Google? (results point to goodware or known Windows file names) | Yes | Good | Medium
FILE | Is the file name known on Google and do the results point to malware or hack tools? | Yes | Bad | Medium
FILE | Does an exact Google search for the program path return no results? | Yes | Bad | Low
FILE | Do sandbox reports and antivirus scan reports show up when you google the file name or the specific path name? (e.g. …) | Yes | Bad | Medium
FILE | Does the path look like a "backup" directory or a user's "home folder" on a server drive? (e.g. …) | Yes | Good | Medium
FILE | Is the file located in an … | Yes | Bad | Low
FILE | Is the file located in a folder that should not contain executable files? (e.g. …) | Yes | Bad | Medium
FILE | Does the file name look like a tool used for administration purposes? (e.g. …) | Yes | Good | Low
FILE | Is the path a mounted / shared network drive? (e.g. …) | Yes | Bad | Medium
FILE | Does the path suggest the product is unusual custom software? (e.g. …) | Yes | Good | Medium
FILE | Is the program located directly in a folder that is typically empty and only contains sub directories? (e.g. …) | Yes | Bad | Medium
FILE | Does the file look as if it has been modified by a user to circumvent security filters? (e.g. a text file reported as executable: …) | Yes | Good | Low
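The path checks above can be applied mechanically when triaging a long list of reported files. The following is an added example written for this page, not code from THOR or its manual: it encodes a subset of the table as predicate functions over a Windows path, adds the fleet-prevalence tiers (more than 10 / more than 100 other systems) from the table, and sums the weights. The numeric values behind Low/Medium/High, the sign convention (Bad adds, Good subtracts), and the example directory lists (which stand in for the truncated "e.g." columns) are assumptions, not the manual's own figures.

```python
from typing import Callable, List, NamedTuple, Tuple

# Assumed numeric values for the manual's Low/Medium/High weights (the manual
# gives only the labels; these numbers are illustrative).
WEIGHT = {"Low": 10, "Medium": 30, "High": 60}

# Assumed example locations; they stand in for the truncated "(e.g." columns
# of the table and are not the manual's own lists.
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")
NO_EXEC_DIRS = ("\\windows\\fonts\\", "\\windows\\help\\", "\\perflogs\\")
EMPTY_PARENTS = ("c:\\program files", "c:\\program files (x86)", "c:\\users", "c:\\programdata")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".cpl")


class Finding(NamedTuple):
    question: str
    indication: str  # "Good" or "Bad"
    weight: str      # "Low", "Medium" or "High"


def _norm(path: str) -> str:
    """Lower-case backslash form so every check is case-insensitive."""
    return path.replace("/", "\\").lower()


def is_temp_dir(p: str) -> bool:
    return any(d in p for d in TEMP_DIRS)


def is_network_path(p: str) -> bool:
    # Only UNC paths are recognisable from the string alone; a mapped drive
    # letter needs a lookup against the host's drive mappings.
    return p.startswith("\\\\")


def in_no_exec_dir(p: str) -> bool:
    return p.endswith(EXEC_EXT) and any(d in p for d in NO_EXEC_DIRS)


def directly_in_empty_parent(p: str) -> bool:
    parent = p.rsplit("\\", 1)[0]
    return parent in EMPTY_PARENTS


def has_local_language(p: str) -> bool:
    # Non-ASCII characters (umlauts, accents, CJK) are the proxy used here.
    return any(ord(c) > 127 for c in p)


def looks_like_backup_or_home(p: str) -> bool:
    return "\\backup" in p or "\\homes\\" in p


# (question, indication, weight, predicate) for the checks implemented here.
CHECKS: List[Tuple[str, str, str, Callable[[str], bool]]] = [
    ("Is the file located in a temporary directory?", "Bad", "Medium", is_temp_dir),
    ("Is the path a mounted / shared network drive?", "Bad", "Medium", is_network_path),
    ("Is the file located in a folder that should not contain executable files?", "Bad", "Medium", in_no_exec_dir),
    ("Is the program located directly in a folder that is typically empty?", "Bad", "Medium", directly_in_empty_parent),
    ("Does the path contain elements in a local language?", "Good", "Medium", has_local_language),
    ("Does the path look like a backup directory or user's home folder?", "Good", "Medium", looks_like_backup_or_home),
]


def evaluate_path(path: str, occurrences: int = 1) -> List[Finding]:
    """Run the table's checks; `occurrences` is how many other systems carry the same file."""
    p = _norm(path)
    findings = [Finding(q, ind, w) for q, ind, w, test in CHECKS if test(p)]
    # Fleet prevalence: the table scores only the > 10 and > 100 tiers.
    if occurrences > 100:
        findings.append(Finding("Matches on more than 100 other systems", "Good", "High"))
    elif occurrences > 10:
        findings.append(Finding("Matches on more than 10 other systems", "Good", "Medium"))
    return findings


def score(findings: List[Finding]) -> int:
    """Assumed sign convention: Bad adds the weight, Good subtracts it; higher is more suspicious."""
    return sum(WEIGHT[f.weight] * (1 if f.indication == "Bad" else -1) for f in findings)


if __name__ == "__main__":
    for sample in (r"C:\Users\bob\AppData\Local\Temp\update.exe", r"\\fileserver\share\temp\x.exe"):
        found = evaluate_path(sample)
        print(sample, score(found), [f.question for f in found])
```

A file on a UNC share inside a temp folder collects two Bad/Medium findings, while a file with a non-ASCII path under a backup directory that also appears on more than 100 other hosts scores strongly in the Good direction. The Google-based checks from the table are deliberately left out, since they cannot be evaluated offline.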
32.2. Hash Checks
We recommend using Virustotal for the analysis of hash values.
The checks listed in the following table apply to any hash value reported in many different modules.
Attribute | Question | Answer | Indication | Weight
---|---|---|---|---
MD5/SHA1/SHA256 | What does the Virustotal.com check show? | Unknown | |
 | | Suspicious (> 2 matches) | Bad | High
 | | Malicious (> 10 matches) | Bad | High
MD5/SHA1/SHA256 | Does Virustotal show other suspicious names in the … | Yes | Bad | Low
MD5/SHA1/SHA256 | Is … | Yes | Good | Low
MD5/SHA1/SHA256 | Are there any negative votes or comments on Virustotal? | Yes | Bad | Medium
MD5/SHA1/SHA256 | Does at least one matching AV signature on Virustotal contain one of the following keywords: … | Yes | Bad | High
MD5/SHA1/SHA256 | Is the file part of the Microsoft software catalogue? (Virustotal shows that on a green bar above the analysis) | Yes | Good | High
MD5/SHA1/SHA256 | Does Virustotal show the bar "probably harmless"? | Yes | Good | High
MD5/SHA1/SHA256 | Does the file have a valid software signature from a trusted vendor? | Yes | Good | Medium
MD5/SHA1/SHA256 | Does the listed … | Yes | Good | Low
MD5/SHA1/SHA256 | Does the listed … | Yes | Bad | Low
MD5/SHA1/SHA256 | Does the Portable Executable (PE, EXE) file have a very old compilation time stamp? (> 10 years) | Yes | Good | Low
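Most of the hash checks above can be evaluated from a single VirusTotal file report rather than by reading the web page by hand. The following is an added example for this page, not code from THOR, its manual, or VirusTotal: it applies the detection thresholds (> 2 and > 10 matches), the signature-keyword check, the negative-votes check, the trusted-signer check and the 10-year compile-timestamp check to a report dictionary. The field names follow the shape of a VirusTotal API v3 file object (`last_analysis_stats`, `last_analysis_results`, `names`, `total_votes`, `signature_info`, `creation_date`) but are an assumption about that response; the keyword list, the trusted-signer list, the numeric weights and the sample reports are all constructed for the example, since the manual's own keyword list is not reproduced on this page.

```python
import time
from typing import List, NamedTuple, Optional

# Assumed numeric values for the manual's Low/Medium/High weights.
WEIGHT = {"Low": 10, "Medium": 30, "High": 60}
# Assumed keyword list; the manual's own list is not reproduced on this page.
SIGNATURE_KEYWORDS = ("hacktool", "mimikatz", "webshell", "backdoor", "pwdump")
# Assumed trusted signers for the "valid signature from a trusted vendor" check.
TRUSTED_SIGNERS = ("Microsoft Windows", "Microsoft Corporation")
TEN_YEARS = 10 * 365.25 * 86400


class Finding(NamedTuple):
    question: str
    indication: str  # "Good" or "Bad"
    weight: str      # "Low", "Medium" or "High"


def evaluate_vt_report(report: dict, now: Optional[float] = None) -> List[Finding]:
    """Apply the hash check table to one VirusTotal v3 file object (response shape assumed)."""
    now = time.time() if now is None else now
    attrs = report.get("data", {}).get("attributes")
    if attrs is None:
        return []  # "Unknown": the table gives no indication either way
    findings = []
    stats = attrs.get("last_analysis_stats", {})
    matches = stats.get("malicious", 0) + stats.get("suspicious", 0)
    if matches > 10:
        findings.append(Finding("Virustotal check: Malicious (> 10 matches)", "Bad", "High"))
    elif matches > 2:
        findings.append(Finding("Virustotal check: Suspicious (> 2 matches)", "Bad", "High"))
    # Engine verdict strings, e.g. "HackTool.Win32.Mimikatz"; None means no detection.
    hits = [r["result"] for r in attrs.get("last_analysis_results", {}).values() if r.get("result")]
    if any(k in h.lower() for h in hits for k in SIGNATURE_KEYWORDS):
        findings.append(Finding("AV signature contains a listed keyword", "Bad", "High"))
    if any(k in n.lower() for n in attrs.get("names", []) for k in SIGNATURE_KEYWORDS):
        findings.append(Finding("Other suspicious file names on Virustotal", "Bad", "Low"))
    if attrs.get("total_votes", {}).get("malicious", 0) > 0:
        findings.append(Finding("Negative votes or comments on Virustotal", "Bad", "Medium"))
    sig = attrs.get("signature_info", {})
    if sig.get("verified") == "Signed" and any(s in sig.get("signers", "") for s in TRUSTED_SIGNERS):
        findings.append(Finding("Valid software signature from a trusted vendor", "Good", "Medium"))
    created = attrs.get("creation_date")  # PE compile timestamp as a Unix epoch (assumed)
    if created and now - created > TEN_YEARS:
        findings.append(Finding("Very old PE compilation time stamp (> 10 years)", "Good", "Low"))
    return findings


def score(findings: List[Finding]) -> int:
    """Assumed sign convention: Bad adds the weight, Good subtracts it; higher is more suspicious."""
    return sum(WEIGHT[f.weight] * (1 if f.indication == "Bad" else -1) for f in findings)


# Constructed sample reports (not real VirusTotal data), trimmed to the fields used above.
NOW = 1_700_000_000  # fixed clock so the age check is reproducible
HACKTOOL_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 34, "suspicious": 1, "undetected": 30, "harmless": 0},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "HackTool.Win32.Mimikatz"},
        "EngineB": {"category": "undetected", "result": None},
    },
    "names": ["mimikatz.exe", "m.exe"],
    "total_votes": {"harmless": 0, "malicious": 5},
    "creation_date": NOW - 86400,
}}}
SIGNED_OS_BINARY_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 0, "suspicious": 0, "undetected": 10, "harmless": 60},
    "last_analysis_results": {"EngineA": {"category": "undetected", "result": None}},
    "names": ["notepad.exe"],
    "total_votes": {"harmless": 3, "malicious": 0},
    "signature_info": {"verified": "Signed", "signers": "Microsoft Windows; Microsoft Windows Production PCA 2011"},
    "creation_date": 1_200_000_000,
}}}
UNKNOWN_HASH_REPORT = {"error": {"code": "NotFoundError"}}

if __name__ == "__main__":
    for name, rep in (("hacktool", HACKTOOL_REPORT), ("signed", SIGNED_OS_BINARY_REPORT), ("unknown", UNKNOWN_HASH_REPORT)):
        found = evaluate_vt_report(rep, now=NOW)
        print(name, score(found), [f.question for f in found])
```

The constructed hack-tool report trips four Bad findings (detection count, keyword, file names, votes), the signed operating-system binary collects only Good findings, and an unknown hash yields no finding at all, matching the empty Indication column for "Unknown" in the table. The "Microsoft software catalogue" and "probably harmless" bars are web-UI elements and are not derived here.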