This server provides a lookup mechanism to test an executable file against a list of known software applications.

Whitelist Coverage


Application Start End
Adobe Acrobat2015 2015.0 Ongoing
Adobe Acrobat2017 2017.0 Ongoing
Adobe Reader 6.0 11.0.23
Adobe ReaderDC 1500720033 Ongoing
OpenOffice 4.1.0 4.1.3
Google Chrome 22.0.1229.0 Ongoing
Microsoft Office 2007 2016
Mozilla Firefox 3.6.10 Ongoing
Flashplayer Ongoing
Internet Explorer 9 Ongoing
Oracle JavaRE 6 Ongoing
Silverlight 5.1.10411.0 5.1.50918.0


Application Start End
Adobe Reader
Apache 1.3.0 2.4.18
Chromium-browser 37.0.2062.120 51.0.2704.103
Exim 3.36 4.87
Oracle Java 1.6.0 1.8.0
Oracle JavaRE 7 8.92
lighttpd 1.3.11 1.4.39
MongoDX-Linux 86.64 86.64.0
Mozilla Firefox
pure-ftpd 1.0.11 1.0.42
vsftpd 0.9.2 3.0.3

Mac OSX:

Application Start End
Adobe Reader 10.0.0 11.0.10
Adobe ReaderDC 1500720033 Ongoing
Microsoft Office 2011 2016
Mozilla Firefox 10.0 Ongoing
Flashplayer 11.7.700.232 Ongoing
Google Chrome 28.0.1500.71 Ongoing
Oracle JavaRE 7.6 Ongoing
Safari 5.1 Ongoing
Silverlight 1.0.30715.0 5.1.50901


Application Start End
Adobe Reader
Mozilla Firefox 10.0 49.0.2
GET Interface
The GET interface can be used to obtain details on a single MD5, SHA1, SHA256, or SHA512 hash:

If the hash provided matches an entry in our database, the details will be displayed after the provided hash on a single line:

0E53C14A3E48D94FF596A2824307B492 {"source": "NIST", "filename": "00br2026.gif", "crc32": "AA6A7B16", "product_name": "Gallery", "mfg_name": "Corel Corporation", "os_name": "Windows NT", "language": "English", "product_version": "750,000", "os_version": "Generic", "application_type": "Graphic/Drawing", "filesize": "2226", "os_mfg": "Microsoft"}

The details are serialized in JavaScript Object Notation (JSON) for quick integration with your application.

If the hash provided does not match an entry in our database, just the hash is returned on a single line:


Each data source may provide additional details. For example:

7fe2248de77813ce850053ed0ce8a474 {"binary": "1", "mfg_name": "Microsoft Corporation", "signer": "Microsoft Windows", "crc32": "23897C4C", "application_type": "exe", "dirname": "c:\Windows\winsxs\x86_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_362ce835fe42421b", "reference": "os", "filesize": "36864", "os_version": "6.1", "sig_trustfile": "C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\", "strongname_signed": "0", "bit": "32", "source_version": "1.3", "os_mfg": "Microsoft Corporation", "os_name": "Microsoft Windows 7 Ultimate Service Pack 1 (build 7601), 64-bit", "source": "AppInfo", "sha512": "F61BEA0DC281B56B563ED32331938EFC9BF6D7A3C9CAB3273103D2FD95A73C2492E31F2C64119651E5ABFE8F3A881317C3D3B81BAA2229B3CF01E4991EBFE8FC", "fileversion": "6.1.7600.16385", "language": "English", "filename": "ddodiag.exe", "description": "DDODiag is a tool that collects Device Display Object (DDO) information from the system and logs it", "trusted_signature": "1", "sig_timestamp": "07/14/2009 03:17:39", "filetimestamp": "07/14/2009 01:14:16", "product_name": "Microsoft Windows Operating System", "product_version": "6.1.7600.16385"}

In the event of an error, a message beginning with an exclamation (!) will follow the provided hash:

foo ! not an MD5 or SHA1 hash
POST Interface
The post interface can be used to perform bulk queries. A multipart MIME encoded file is expected as input. The file must contain one MD5 or SHA1 hash per line. Lines that begin with a hash (#) will be treated as comments and ignored. The output will include one line for each hash provided in the same format as the GET interface.

Here is an example of a bulk query using the curl utility:

# cat /tmp/test
# curl -F filename.1=@/tmp/test
000000206738748EDD92C4E3D2E823896700F849 {"source": "NIST", "filename": "I05002T2.PFB", "crc32": "EBD105A0", "product_name": "Canvas", "mfg_name": "Deneba Software", "os_name": "Windows XP", "language": "English", "product_version": "8", "os_version": "Pro", "application_type": "Graphic/Drawing", "filesize": "98865", "os_mfg": "Microsoft"}
0E53C14A3E48D94FF596A2824307B492 {"source": "NIST", "filename": "00br2026.gif", "crc32": "AA6A7B16", "product_name": "Gallery", "mfg_name": "Corel Corporation", "os_name": "Windows NT", "language": "English", "product_version": "750,000", "os_version": "Generic", "application_type": "Graphic/Drawing", "filesize": "2226", "os_mfg": "Microsoft"}
000000A9E47BD385A0A3685AA12C2DB6FD727A20 {"source": "NIST", "filename": "femvo523.wav", "crc32": "D749B562", "product_name": "Decimals Made Easy", "mfg_name": "Dorling Kindersley Ltd.", "os_name": "Macintosh 8.1", "language": "English", "product_version": "Ages 8-11", "os_version": "8.1", "application_type": "Mathematics", "filesize": "42748", "os_mfg": "Apple Computer Inc."}
Information in this database has been collected from the following sources:
NSRL : National Software Reference Library. Field descriptions can be found in the Data Formats of the NSRL Reference Data Set (RDS) Distribution paper.

AppInfo : Shadowserver has developed a tool named AppInfo that collects information regarding executable files. Additonal fields include "sha512", "fileversion", "dirname", signature fields "trusted_signature", "signer", "sig_timestamp", "sig_trustfile", "strongnamed_signed" and "bit" to indicate if the binary is 32 or 64 bit. The "reference" field indicates the origin of the scanned file.
Code Samples
#!/usr/bin/env python
#  Written by:  Jose Nazario (
import os
import simplejson
import sys

def whitelisted(hashfile):
    p = os.popen('curl -s -F filename.1=@%s' % hashfile)
    data =
    res = {}
    for line in data.split('\n'):
        l = line.split(' ', 1)
        if len(l) == 2:
            try: res[l[0]] = simplejson.loads(l[1])
            except: pass
    return res

res = whitelisted(sys.argv[1])
print res.keys()


use JSON;
use strict;

=item whitelisted ($hashfile)

Returns a nested hash reference of whitelisted hashes and their decoded
JSON attributes. 

sub whitelisted
	my ($hashfile) = @_;
	my %res;

	my $fh;
	open($fh, "curl -s -F"
		. " 'filename.1=\@$hashfile'|") || die("curl failed: $!");
	while (my $line = <$fh>)
		if ($line =~ /^([^\s]+)\s(.+)$/)
			$res{$1} = decode_json($2);

	return \%res;	

my $res = whitelisted($ARGV[0]);
print join("\n", keys %{$res});

home | terms of service