
SANS tool

The clever folks at SANS have made public the beta version of a whitelist hash database that lets you look up the MD5 or SHA1 hash of a file to see whether it has been checked as NOT malcode by a reliable authority. The tool is based on the “National Software Reference Library” (NSRL) from the National Institute of Standards and Technology (NIST). The NSRL database normally comes as a download or CD, which isn’t as convenient as a web site lookup.

Among other uses, this could be pressed into service when you suspect a false positive: you can check a file that might be part of a standard package, or a system file, that a malcode scanner has tagged as malicious. Or, if you’re simply suspicious of a file that your anti-malware scanner doesn’t detect, this gives you another check.

You can also put in a file name to find its whitelisted MD5 hash.
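The same two lookups (by hash and by file name) can be done offline against a downloaded NSRL hash set. The following is an added example, not SANS or NIST code; it assumes the `NSRLFile.txt` column layout of the NSRL download, and the two sample records are constructed from the well-known digests of `abc` and of an empty file.

```python
import csv
import hashlib
import io

# Constructed sample in the NSRL "NSRLFile.txt" column layout (assumed).
# The records carry the well-known digests of b"abc" and of an empty file.
SAMPLE_RDS = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"A9993E364706816ABA3E25717850C26C9CD0D89D","900150983CD24FB0D6963F7D28E17F72","352441C2","abc.txt",3,1,"WIN",""
"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.dat",0,1,"WIN",""
'''


def load_rds(text):
    """Index records by lower-cased hash and by lower-cased file name."""
    by_hash, by_name = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        for col in ("SHA-1", "MD5"):
            by_hash[row[col].lower()] = row
        by_name.setdefault(row["FileName"].lower(), []).append(row["MD5"].lower())
    return by_hash, by_name


def digests(stream, chunk=1 << 16):
    """Hash a binary stream in chunks so large files never sit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: stream.read(chunk), b""):
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def check(stream, by_hash):
    """Return (verdict, listed_name) for the content of a binary stream."""
    md5, sha1 = digests(stream)
    md5_hit, sha1_hit = by_hash.get(md5), by_hash.get(sha1)
    # Require both digests to point at the same record before trusting it.
    if md5_hit is not None and md5_hit is sha1_hit:
        return "known", sha1_hit["FileName"]
    if md5_hit or sha1_hit:
        return "mismatch", None  # only one digest matched: investigate further
    return "not-listed", None  # absent from the whitelist, not proof of malice


if __name__ == "__main__":
    by_hash, by_name = load_rds(SAMPLE_RDS)
    print(check(io.BytesIO(b"abc"), by_hash))
    print(by_name.get("empty.dat"))
```

For a file on disk, pass `open(path, "rb")` as the stream. A "not-listed" result only means the set has no record of the file, as with the Windows 7 gap mentioned below.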

Windows 7 files are not in the database as of this writing, according to Dr. Johannes Ullrich at SANS.

Tool here: http://isc.sans.org/tools/hashsearch.html

SANS description here.

Tom Kelchner