Description

This server provides a lookup mechanism to test an executable file, identified by its MD5, SHA1, SHA256 or SHA512 hash, against a list of known software applications (a whitelist of known software).
Whitelist Application Coverage

Desktop applications, with the version range covered on each platform (a blank cell means no versions are listed for that platform):

Application        | Windows                         | MacOS                         | RedHat                    | CentOS
-------------------|---------------------------------|-------------------------------|---------------------------|--------------------------
Adobe Acrobat Pro  | 11.0.7.79                       | 10.0.0 - 15.006.30119         |                           |
Adobe Flash Player | 10.3.183.48 - 32.0.0.156        | 11.7.700.232 - 32.0.0.255     | 10.1.85.3 - 11.2.202.632  | 10.1.85.3 - 11.2.202.577
Adobe Reader       | 6.0 - 11.0.23                   | 10.0.0 - 11.0.10              | 7.0.0.2 - 9.5.5.1         | 7.0.0.2 - 9.5.5.1
Adobe Reader 2015  | 2015.006.30060 - 2015.006.30482 |                               |                           |
Adobe Reader 2017  | 2017.011.30078 - 2017.011.30113 |                               |                           |
Adobe Reader DC    | 15.007.200.33 - 15.009.200.69   | 15.007.200.33 - 15.009.200.69 |                           |
Google Chrome      | 22.0.1229.0 - 79.0.3945.117     | 28.0.1500.71 - 74.0.3729.157  |                           |
Java JRE           | 6.1 - 8.221                     | 7.6 - 8.181                   | 7 - 8.92                  |
Microsoft Office   | 2007 - 2016                     | 2011 - 2016                   |                           |
Mozilla Firefox    | 3.6.10 - 72.0.1                 | 10.0 - 65.0                   | 3.6.9.2 - 49.0.2          | 10.0 - 49.0.2
OpenOffice         | 4.1.0 - 4.1.3                   |                               |                           |
Safari             |                                 | 5.1.1 - 13.0.5                |                           |
Silverlight        | 5.1.10411.0 - 5.1.50918.0       | 1.0.30715 - 5.1.41212         |                           |

Server applications (RedHat and CentOS only):

Application      | RedHat                        | CentOS
-----------------|-------------------------------|----------------------
Apache           | 1.3.0 - 2.4.18                |
Chromium-Browser | 37.0.2062.120 - 51.0.2704.103 |
Exim             | 3.36 - 4.87                   |
Httpd            | 2.2.15.26 - 2.4.6.40          | 2.2.15.26 - 2.4.6.40
Lighttpd         | 1.3.11 - 1.4.39               |
MySQL            | 5.5.17.1 - 5.7.73.7           |
MySQL-Server     | 5.1.47.4 - 5.7.73.7           |
Nginx            | 5.5.17.1 - 5.7.13.1           |
OracleDB         | 5.5.17.1 - 5.7.13.1           |
Postfix          | 2.6.6.2 - 2.10.1.6            |
PostgreSQL       | 8.4.4.2 - 9.2.15.1            |
Pure-ftpd        | 1.0.11 - 1.0.42               |
sendmail         | 8.14.4.8 - 8.14.7.4           |
sqlite           | 3.6.20.1 - 3.7.17.8           |
vsftpd           | 0.9.2 - 3.0.3                 |

Last revised 2/20/20

Whitelist OS Coverage

OS                           | Versions          | Bits      | Languages
-----------------------------|-------------------|-----------|----------
MacOS                        | 10.4.7 - 10.4.11  | 32 bit    | English
MacOS                        | 10.5.8 - 10.15.3  | 64 bit    | English
RedHat Client                | 6.4 - 6.7         | 32/64 bit | English
RedHat Server                | 6.4 - 6.7         | 32/64 bit | English
RedHat Desktop               | 6.4 - 6.7         | 32/64 bit | English
RedHat Client                | 7.0 - 7.2         | 64 bit    | English
RedHat Server                | 7.0 - 7.2         | 64 bit    | English
RedHat Desktop               | 7.0 - 7.2         | 64 bit    | English
CentOS                       | 6.4 - 6.7         | 32/64 bit | English
CentOS                       | 7.0 - 7.2         | 64 bit    | English
Windows 7 Enterprise         | Base - SP1        | 32/64 bit | English
Windows 7 Professional       | Base - SP1        | 32/64 bit | English
Windows 7 Ultimate           | Base - SP1        | 32/64 bit | English, Arabic, Chinese (Simplified), Chinese (Traditional), Hebrew, Japanese, Korean, Portuguese, Russian, Thai, Ukrainian
Windows 8 Professional       | Base              | 32/64 bit | English, Arabic, Chinese (Simplified), Chinese (Traditional), Korean, Portuguese, Russian, Ukrainian
Windows 8.1 Professional     | Base              | 32/64 bit | English, Arabic, Chinese (Simplified), Chinese (Traditional), Russian
Windows 10 Professional      | 1507 - 1909       | 32/64 bit | English
Windows 10 Home              | 1607              | 32/64 bit | English
Windows Server 2003          | SP2               | 32/64 bit | English
Windows Server 2008 Standard | Base - SP2        | 32/64 bit | English
Windows Server 2008 R2       | Base - SP1        | 64 bit    | English, Chinese (Simplified), Korean, Portuguese, Russian
Windows Server 2012 Standard | SP2               | 64 bit    | English, Chinese (Simplified), Chinese (Traditional), Korean, Portuguese, Russian
Windows Server 2012 R2       | SP2               | 64 bit    | English, Chinese (Simplified), Chinese (Traditional), Czech, Korean, Portuguese, Russian
Windows Server 2016          | 1607              | 64 bit    | English
Windows Vista Ultimate       | SP2               | 32/64 bit | English
Windows XP Professional      | Base - SP3        | 32 bit    | English, Arabic, Chinese, Czech, Danish, Dutch, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Russian, Spanish, Swedish, Turkish
Windows XP Professional x64  | SP1               | 64 bit    | English

GET Interface

The GET interface can be used to obtain details on a single MD5, SHA1, SHA256, or SHA512 hash, passed as the query parameter of the same name:
- http://bin-test.shadowserver.org/api?md5=0E53C14A3E48D94FF596A2824307B492
- http://bin-test.shadowserver.org/api?sha1=000000206738748EDD92C4E3D2E823896700F849
If the hash provided matches an entry in our database, the details are returned on a single line: the hash as provided, a space, then the details:
- 0E53C14A3E48D94FF596A2824307B492 {"source": "NIST", "filename": "00br2026.gif", "crc32": "AA6A7B16", "product_name": "Gallery", "mfg_name": "Corel Corporation", "os_name": "Windows NT", "language": "English", "product_version": "750,000", "os_version": "Generic", "application_type": "Graphic/Drawing", "filesize": "2226", "os_mfg": "Microsoft"}
The details are serialized in JavaScript Object Notation (JSON) for quick integration with your application.
If the hash provided does not match an entry in our database, just the hash is returned on a single line (a miss, not an error):
- 0E53C14A3E48D94FF596A2824307B49A
Each data source may provide additional details. For example, an entry from the AppInfo source (see Sources below):
- 7fe2248de77813ce850053ed0ce8a474 {"binary": "1", "mfg_name": "Microsoft Corporation", "signer": "Microsoft Windows", "crc32": "23897C4C", "application_type": "exe", "dirname": "c:\Windows\winsxs\x86_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_362ce835fe42421b", "reference": "os", "filesize": "36864", "os_version": "6.1", "sig_trustfile": "C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.cat", "strongname_signed": "0", "bit": "32", "source_version": "1.3", "os_mfg": "Microsoft Corporation", "os_name": "Microsoft Windows 7 Ultimate Service Pack 1 (build 7601), 64-bit", "source": "AppInfo", "sha512": "F61BEA0DC281B56B563ED32331938EFC9BF6D7A3C9CAB3273103D2FD95A73C2492E31F2C64119651E5ABFE8F3A881317C3D3B81BAA2229B3CF01E4991EBFE8FC", "fileversion": "6.1.7600.16385", "language": "English", "filename": "ddodiag.exe", "description": "DDODiag is a tool that collects Device Display Object (DDO) information from the system and logs it", "trusted_signature": "1", "sig_timestamp": "07/14/2009 03:17:39", "filetimestamp": "07/14/2009 01:14:16", "product_name": "Microsoft Windows Operating System", "product_version": "6.1.7600.16385"}
In the event of an error, such as a value that is not a hash at all, a message beginning with an exclamation mark (!) follows the provided input on the same line:
- foo ! not an MD5 or SHA1 hash

POST Interface

The POST interface can be used to perform bulk queries. The input is a file uploaded as a multipart/form-data file part (the form produced by curl -F; the field name used in the example below is filename.1). The file must contain one MD5 or SHA1 hash per line. Lines that begin with a hash sign (#) are treated as comments and ignored. The output contains one line for each hash provided, in the same format as the GET interface: the bare hash for a miss, the hash followed by its JSON details for a match, and the hash followed by a "!" message for an error.
Here is an example of a bulk query using the curl utility:
# cat /tmp/test
000000206738748EDD92C4E3D2E823896700F849
0E53C14A3E48D94FF596A2824307B492
000000A9E47BD385A0A3685AA12C2DB6FD727A20
# curl http://bin-test.shadowserver.org/api -F filename.1=@/tmp/test
000000206738748EDD92C4E3D2E823896700F849 {"source": "NIST", "filename": "I05002T2.PFB", "crc32": "EBD105A0", "product_name": "Canvas", "mfg_name": "Deneba Software", "os_name": "Windows XP", "language": "English", "product_version": "8", "os_version": "Pro", "application_type": "Graphic/Drawing", "filesize": "98865", "os_mfg": "Microsoft"}
0E53C14A3E48D94FF596A2824307B492 {"source": "NIST", "filename": "00br2026.gif", "crc32": "AA6A7B16", "product_name": "Gallery", "mfg_name": "Corel Corporation", "os_name": "Windows NT", "language": "English", "product_version": "750,000", "os_version": "Generic", "application_type": "Graphic/Drawing", "filesize": "2226", "os_mfg": "Microsoft"}
000000A9E47BD385A0A3685AA12C2DB6FD727A20 {"source": "NIST", "filename": "femvo523.wav", "crc32": "D749B562", "product_name": "Decimals Made Easy", "mfg_name": "Dorling Kindersley Ltd.", "os_name": "Macintosh 8.1", "language": "English", "product_version": "Ages 8-11", "os_version": "8.1", "application_type": "Mathematics", "filesize": "42748", "os_mfg": "Apple Computer Inc."}
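The following is an added example, not Shadowserver's own code, that covers both interfaces described above: it validates hashes locally before they are sent (so malformed input never reaches the "! not an MD5 or SHA1 hash" error path), builds the one-hash-per-line upload and the multipart/form-data request the POST interface expects using only the standard library instead of curl, and parses the line-oriented reply that the GET and POST interfaces share into found / unknown / error outcomes. The API URL, the form field name filename.1 and the reply format are taken from this page; the demo bytes and SAMPLE_REPLY are constructed so the script runs offline, and submit() is the only function that touches the network.

```python
#!/usr/bin/env python3
# Added example, not Shadowserver's own code: validate hashes, build the
# upload the POST interface expects and parse the line-oriented reply that
# the GET and POST interfaces share.  Form field name (filename.1) and reply
# format come from the documentation; SAMPLE_REPLY and the demo bytes are
# constructed.
import hashlib
import json
import re
import uuid
import urllib.request

API_URL = "http://bin-test.shadowserver.org/api"
# Hex digest lengths of the four hash types the GET interface accepts.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def hash_type(value):
    """'md5', 'sha1', 'sha256' or 'sha512', or None if `value` is not a hex
    digest of one of those lengths.  Checking locally keeps malformed input
    from ever reaching the '! not an MD5 or SHA1 hash' error path."""
    value = value.strip()
    if not HEX_RE.match(value):
        return None
    return HASH_LENGTHS.get(len(value))

def sha1_hex(data):
    """Upper-case SHA1 hex digest of a byte string (pass a file's bytes to
    hash a binary); upper case is what the examples above use."""
    return hashlib.sha1(data).hexdigest().upper()

def build_hashlist(hashes, comment=None):
    """Upload body: one MD5 or SHA1 per line plus an optional '#' comment.
    Other digests are dropped; the POST interface documents only these two."""
    lines = ["# " + comment] if comment else []
    lines.extend(h.strip() for h in hashes if hash_type(h) in ("md5", "sha1"))
    return "\n".join(lines) + "\n"

def multipart_body(field, filename, content, boundary):
    """multipart/form-data body with a single file part, the shape that
    `curl -F field=@file` sends (CRLF endings, closing boundary ends in --)."""
    return (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n\r\n"
        f"{content}\r\n--{boundary}--\r\n"
    ).encode("utf-8")

def submit(hashlist_text, url=API_URL, timeout=60):
    """POST the hash list and return the raw reply (network call; the offline
    demo below does not invoke it)."""
    boundary = uuid.uuid4().hex
    body = multipart_body("filename.1", "hashes.txt", hashlist_text, boundary)
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def parse_reply(text):
    """Map each returned token to ('found', dict), ('unknown', None) or
    ('error', message).  A bare hash is a miss, not an error; '!' after the
    input marks an error; anything else must be the JSON details."""
    results = {}
    for line in text.splitlines():
        key, _, rest = line.strip().partition(" ")
        if not key:
            continue
        if not rest:
            results[key] = ("unknown", None)
        elif rest.startswith("!"):
            results[key] = ("error", rest[1:].strip())
        else:
            try:
                results[key] = ("found", json.loads(rest))
            except json.JSONDecodeError as exc:
                results[key] = ("error", f"unparseable JSON: {exc}")
    return results

# Constructed reply covering all three outcomes: the first line abridges the
# NIST example above, the other two are the miss and error lines shown above.
SAMPLE_REPLY = (
    '0E53C14A3E48D94FF596A2824307B492 {"source": "NIST", '
    '"filename": "00br2026.gif", "product_name": "Gallery"}\n'
    "0E53C14A3E48D94FF596A2824307B49A\n"
    "foo ! not an MD5 or SHA1 hash\n"
)

if __name__ == "__main__":
    # Offline demo; swap parse_reply(SAMPLE_REPLY) for
    # parse_reply(submit(listing)) to query the live service.
    listing = build_hashlist([sha1_hex(b"constructed demo bytes"), "foo"],
                             comment="constructed demo")
    print(listing, parse_reply(SAMPLE_REPLY), sep="\n")
```

Keying the results on the token exactly as the server echoes it (rather than on your own input list) is deliberate: it is the only way to attribute a "!" error line such as "foo ! ..." back to the offending input in a bulk reply, and it tolerates the server echoing a hash in a different letter case than you sent.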

Sources

Information in this database has been collected from the following sources:
- NSRL : National Software Reference Library (returned as "source": "NIST" in the examples above). Field descriptions can be found in the Data Formats of the NSRL Reference Data Set (RDS) Distribution paper.
- AppInfo : Shadowserver has developed a tool named AppInfo that collects information regarding executable files. Additional fields include "sha512", "fileversion", "dirname", the signature fields "trusted_signature", "signer", "sig_timestamp", "sig_trustfile" and "strongname_signed", and "bit" to indicate whether the binary is 32 or 64 bit. The "reference" field indicates the origin of the scanned file.

Code Samples

Python:
#!/usr/bin/env python3
# Written by: Jose Nazario (jose@arbor.net)
# Bulk-queries bin-test with a file of hashes (one per line) and returns
# the whitelisted ones with their decoded JSON attributes.
import json
import subprocess
import sys

API_URL = 'http://bin-test.shadowserver.org/api'

def whitelisted(hashfile):
    # Pass curl its arguments as a list: no shell is involved, so a hostile
    # filename cannot inject commands (os.popen with a format string could).
    p = subprocess.run(
        ['curl', '-s', API_URL, '-F', 'filename.1=@' + hashfile],
        capture_output=True, text=True, check=True)
    res = {}
    for line in p.stdout.split('\n'):
        l = line.split(' ', 1)
        # Bare hashes (no match) have only one field; '! ...' error lines
        # are not JSON and are skipped by the except.
        if len(l) == 2:
            try:
                res[l[0]] = json.loads(l[1])
            except ValueError:
                pass
    return res

if __name__ == '__main__':
    res = whitelisted(sys.argv[1])
    print(list(res.keys()))

Perl:
#!/usr/bin/perl
use strict;
use warnings;
use JSON;

=head2 whitelisted ($hashfile)

Returns a nested hash reference of whitelisted hashes and their decoded
JSON attributes.

=cut

sub whitelisted
{
    my ($hashfile) = @_;
    my %res;

    # List-form pipe open: curl's arguments never pass through a shell, so
    # a filename containing quotes or ';' cannot inject commands.
    open(my $fh, '-|', 'curl', '-s', 'http://bin-test.shadowserver.org/api',
         '-F', "filename.1=\@$hashfile") || die("curl failed: $!");
    while (my $line = <$fh>)
    {
        # Bare hashes (no match) have no second field; '! ...' error lines
        # are not JSON, so decode failures are skipped via eval.
        if ($line =~ /^([^\s]+)\s(.+)$/)
        {
            my ($hash, $json) = ($1, $2);
            my $attrs = eval { decode_json($json) };
            $res{$hash} = $attrs if defined $attrs;
        }
    }
    close($fh);
    return \%res;
}

my $res = whitelisted($ARGV[0]);
print join("\n", keys %{$res}), "\n";