
I am looking for some kind of security software that scans your computer for all EXE and DLL files, calculates a cryptographic hash for them, and looks each one up in a database, logging all the ones it doesn't recognize to be manually reviewed later.

Or if someone could recommend me a good, well-maintained database of known EXE and DLL file-hashes from a wide source of reputable vendors, that would also be helpful.

I haven't had any luck finding something like this.

Gilles 'SO- stop being evil'
ansichart
  • Check out [OSSEC](http://www.ossec.net/?page_id=19) – RoraΖ Feb 12 '15 at 19:11
  • The problem with a static database is that it would become obsolete once the first Patch Tuesday rolled around. – schroeder Feb 14 '15 at 17:48
  • Schroeder, yea that's true, it would have to be a live database, which would be hard to maintain for a wide range of vendors. Perhaps a feature of this whitelist program should also include checking for Digital Signatures of the files. Then the program could be set to log all the non-trusted or unknown executables. – ansichart Feb 14 '15 at 17:54
  • It's hard enough to get programmers to build something they don't like to use... what do you think happens to the quality of something they *can't* use? – Ben Voigt Feb 14 '15 at 22:47
  • The closest solution I could find would be [Kaspersky Whitelist](http://Kaspersky.com/partners/oem/oem-technology-solutions/kwl). Still have to look more into it. – ansichart Feb 14 '15 at 12:06

2 Answers


You could try another approach, or maybe mix different strategies. From my experience with many customers I can tell you that we have achieved security by classifying EXEs with the following methods:

  • Allow EXE/DLL from certain directory (not very often and only combined with other safety strategies like 'no admin rights')
  • Allow EXE/DLL which has a specific certificate (self-signed, Microsoft etc.)
  • Allow EXE/DLL by hash (only for special software)

The software I have used also had the option to switch on a 'learning mode'. Afterwards the user starts working for a couple of days and the software 'learns' which EXE/DLLs are safe.

Give it a try: http://egosecure.com/en/

Andre

For the database portion of your question, take a look at the NSRL: http://www.nsrl.nist.gov/new.html.

As an alternate approach to the first part, you could try an approach like this: http://www.infoworld.com/article/2609643/security/to-detect-100-percent-of-malware--try-whitelisting--lite-.html.

user_al
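As an added example (not code from the question or from either answer), here is a minimal version of the workflow the question describes, keyed to the column layout of the NSRL RDS file that user_al points to: walk a tree, hash every EXE/DLL, and return the ones whose SHA-1 is not in the database. The CSV row and the "binaries" are constructed test data; only the NSRL header names are real. The lookup uses SHA-1 because that is what the RDS is keyed on, while SHA-256 is recorded for the review log.

```python
import csv
import hashlib
import io
import os
import tempfile

EXECUTABLE_EXTS = {".exe", ".dll"}
# Header of the legacy NSRL RDS CSV (NSRLFile.txt); rows below are constructed.
NSRL_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'

def load_known_sha1(csv_text):
    """Parse NSRL-RDS-style CSV and return the set of known SHA-1 digests (lowercase hex)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["SHA-1"].strip().lower() for row in reader if row.get("SHA-1")}

def hash_file(path, chunk=1 << 20):
    """Stream the file once and return (sha1, sha256) hex digests."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h1.update(block)
            h256.update(block)
    return h1.hexdigest(), h256.hexdigest()

def scan_unknown(root, known_sha1):
    """Return sorted [(relative_path, sha256)] for EXE/DLL files whose SHA-1 is not in the database."""
    unknown = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue  # extension match is case-insensitive, as on Windows
            path = os.path.join(dirpath, name)
            sha1, sha256 = hash_file(path)
            if sha1 not in known_sha1:
                unknown.append((os.path.relpath(path, root).replace(os.sep, "/"), sha256))
    return sorted(unknown)

def demo():
    """Constructed tree: one known EXE, one unknown DLL, one non-executable that is skipped."""
    known = b"MZ constructed known binary"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        for rel, data in [("known.exe", known), ("sub/Unknown.DLL", b"MZ constructed unknown"),
                          ("readme.txt", b"not scanned")]:
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        # NSRL stores digests in uppercase; the loader normalises case.
        row = '"%s","%s","00000000","known.exe","%d","1","189",""\n' % (
            hashlib.sha1(known).hexdigest().upper(), hashlib.md5(known).hexdigest().upper(), len(known))
        return scan_unknown(root, load_known_sha1(NSRL_HEADER + row))

if __name__ == "__main__":
    for path, digest in demo():
        print("UNKNOWN %s sha256=%s" % (path, digest))
```

A real run would point scan_unknown at the system drive and load the full RDS, which is several gigabytes; loading it into a database rather than a set is the practical step the question's comments allude to.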