Microsoft Windows users seeking more certainty about the security and integrity of downloaded files should take a look at a free new offering from Internet security research firm Team Cymru (pronounced kum-ree) that provides a solid backup to anti-virus scans.
The tool, called “WinMHR,” is an extension of the “Malware Hash Registry” (MHR), an anti-malware service that Team Cymru has offered for several years. The MHR is a large repository of the unique fingerprints or “hashes” that correspond to millions of files that have been identified as malicious by dozens of anti-virus firms and other security experts over the years.
The MHR has been a valuable tool for malware analysts, but until now its Web-based and command-line interface has placed it just outside the reach of most average computers users. WinMHR, on the other hand, is essentially a more user-friendly, point-and-click interface for the traditional MHR service, which Team Cyrmu described this way:
“While your AV posture helps you perform detection based on signatures, heuristics and polymorphism, the MHR provides you additional layer of detection, for known badness. Based on our research, AV packages have trouble detecting every possible piece of malware when it first appears. The MHR leverages multiple AV packages and our own malware analysis sandbox to help aid your detection rate. Coupled with AV, the MHR helps identify known problems so you can take action.”
WinMHR queries the MHR in real time when the user tells it to scan downloaded files (to cut down on resource consumption, the program does not automatically scan downloaded files). If it finds any malicious files, it includes precise information about where the malware is hiding on the PC. The tool also includes a component that runs at Windows startup and scans Windows processes for malware (this feature can be disabled at installation or in the program’s “Preferences” panel).
It is important to understand the limitations of this tool. First, it is designed to supplement — not replace — anti-virus software. Second, the tool doesn’t include the capability to remove bad files that it finds (as readers can see in the screen shot above, the WinMHR detected several malicious files when run on a test machine that I abuse quite a bit).
Finally, while the tool displays the unique cryptographic hashes of any malware threats found on the user’s system, it does not try to classify or name them. If a scan with WinMHR manages to flag a file that fails to generate an alert when the user scans the same file with his or her anti-virus program, the user can find more information about the nature of the file by exporting that hash to a text file and submitting it to a scanning site like VirusTotal.com, which allows visitors to search for malware based on MD5 or SHA1 hashes. Few but the most geeky users are likely to bother with that step, which is why an application like this could be more useful with a simple right-click option to submit a hash lookup at Virustotal. Team Cymru’s Steve Santorelli told me his firm likes that idea for a future version, and that it plans to soon release a Firefox add-on version of the tool.
Despite its limitations, WinMHR can be a useful addition to the security toolbox for Windows users, experts and novices alike.