Shadowserver Binary Whitelisting Service

Published: 2010-08-13
Last Updated: 2010-08-13 21:55:21 UTC
by Guy Bruneau (Version: 1)
6 comment(s)

The Shadowserver Foundation has made available a new and free public service to test the MD5's or SHA1's of binaries to see if they are already a know set of software. The initial service is based on the lists from NIST but over time they plan to add other sources. The service is offered via HTTP and the responses via a JSON object.

The service can be accessed here.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

6 comment(s)

Comments

I wonder if they could find benefit exchanging data with Virustotal.com or similar; by this point I'd imagine their catalogue of hashes for both good and bad files.
...are extensive.

I was imagining the catalogue would be extensive.
Russ, maybe I should have added that ISC offers a similar service http://isc.sans.edu/tools/hashsearch.html
Any idea if they have manually stripped out the malicious files that are in the NSRL? Or has NIST started excluding non-known-good files in the NSRL?
For now, the list form NIST should only contain the known good files.
The NIST database does include tools like nmap and nessus that may be considered hacker tools. It also only includes software distributed as CDs/DVDs which means that it doesn't cover patch levels if they are only distributed online.

We did extend our ISC database by some patch levels but need to add more.

Diary Archives