32. Generic Checks

32.1. File Path Checks

The checks listed in the following table apply to any file path string reported by many different modules.

| Attribute | Question | Answer | Indication | Weight |
|---|---|---|---|---|
| FILE | Is the file located in a temporary directory? (e.g. C:\Temp, C:\Users\user1\AppData\Local\Temp) | Yes | Bad | Medium |
| FILE | Does the path contain elements in a local language? (e.g. …\Datensicherung, C:\Progs\Zeiterfassung\ze.exe) | Yes | Good | Medium |
| FILE | Does the file have matches on other systems as well? | Yes, on more than 1 | | |
| FILE | Does the file have matches on other systems as well? | Yes, on more than 10 | Good | Medium |
| FILE | Does the file have matches on other systems as well? | Yes, on more than 100 | Good | High |
| FILE | Is the file name known on Google? (results point to goodware or known Windows file names) | Yes | Good | Medium |
| FILE | Is the file name known on Google and do the results point to malware or hack tools? | Yes | Bad | Medium |
| FILE | Does an exact Google search for the program path return no results? | Yes | Bad | Low |
| FILE | Do sandbox reports and antivirus scan reports show up when you google the file name or the specific path name? (e.g. GoogleMasterUpdate\gm.exe) | Yes | Bad | Medium |
| FILE | Does the path look like a "backup" directory or a user's "home folder" on a server drive? (e.g. G:\Backup2007\... or N:\Home-Folders\user2345\AppData\Local\Temp) | Yes | Good | Medium |
| FILE | Is the file located in an %AppData% folder in the user profile? | Yes | Bad | Low |
| FILE | Is the file located in a folder that should not contain executable files? (e.g. C:\Windows\Fonts, C:\PerfLogs, C:\Users\x123\AppData\Roaming\Microsoft\certs, C:\Windows\inf, C:\Users\Public\Documents) | Yes | Bad | Medium |
| FILE | Does the file name look like a tool used for administration purposes? (e.g. C:\robocopy-migration.exe) | Yes | Good | Low |
| FILE | Is the path on a mounted / shared network drive? (e.g. \\tsclient\C$, \\server1\C$\temp\m.exe) | Yes | Bad | Medium |
| FILE | Does the path suggest that the product is an unusual piece of custom software? (e.g. C:\Temp\Arbeitszeitnachweis\AZN-service.exe) | Yes | Good | Medium |
| FILE | Is the program located directly in a folder that is typically empty and only contains subdirectories? (e.g. C:\ProgramData\1.exe, C:\Users\user\AppData\Roaming\1.exe) | Yes | Bad | Medium |
| FILE | Does the file look as if it has been modified by a user to circumvent security filters? (e.g. a text file reported as executable: Weihnachsgrüße.txt, ChromePortable.txt) | Yes | Good | Low |

32.2. Hash Checks

We recommend using VirusTotal for the analysis of hash values.

The checks listed in the following table apply to any hash value reported by many different modules.

| Attribute | Question | Answer | Indication | Weight |
|---|---|---|---|---|
| MD5/SHA1/SHA256 | What does the VirusTotal check show? | Unknown | | |
| MD5/SHA1/SHA256 | What does the VirusTotal check show? | Suspicious (> 2 matches) | Bad | High |
| MD5/SHA1/SHA256 | What does the VirusTotal check show? | Malicious (> 10 matches) | Bad | High |
| MD5/SHA1/SHA256 | Does VirusTotal show other suspicious names in the Additional Information tab? (e.g. file names with a .vir or .virobj extension, or file names that are hashes) | Yes | Bad | Low |
| MD5/SHA1/SHA256 | Is the first submission on VirusTotal very far in the past? (> 7 years) | Yes | Good | Low |
| MD5/SHA1/SHA256 | Are there any negative votes or comments on VirusTotal? | Yes | Bad | Medium |
| MD5/SHA1/SHA256 | Does at least one matching AV signature on VirusTotal contain one of the following keywords: Hack, Scan, Dump, Password, Webshell? | Yes | Bad | High |
| MD5/SHA1/SHA256 | Is the file part of the Microsoft software catalogue? (VirusTotal shows this on a green bar above the analysis) | Yes | Good | High |
| MD5/SHA1/SHA256 | Does VirusTotal show the bar "probably harmless"? | Yes | Good | High |
| MD5/SHA1/SHA256 | Does the file have a valid software signature from a trusted vendor? | Yes | Good | Medium |
| MD5/SHA1/SHA256 | Do the listed file names contain only legitimate names? (e.g. javaw.exe, java.exe) | Yes | Good | Low |
| MD5/SHA1/SHA256 | Do the listed file names contain hash values? | Yes | Bad | Low |
| MD5/SHA1/SHA256 | Does the Portable Executable (PE, EXE) file have a very old compilation time stamp? (> 10 years) | Yes | Good | Low |