Description
This server provides a lookup mechanism to test an executable file against a list of known software applications.

Whitelist Application Coverage

Application Windows MacOS RedHat CentOS
Adobe Acrobat Pro 11.0.7.79 10.0.0 - 15.006.30119
Adobe Flash Player 10.3.183.48 - 32.0.0.156 11.7.700.232 - 32.0.0.255 10.1.85.3 - 11.2.202.632 10.1.85.3 - 11.2.202.577
Adobe Reader 6.0 - 11.0.23 10.0.0 - 11.0.10 7.0.0.2 - 9.5.5.1 7.0.0.2 - 9.5.5.1
Adobe Reader 2015 2015.006.30060 - 2015.006.30482
Adobe Reader 2017 2017.011.30078 - 2017.011.30113
Adobe Reader DC 15.007.200.33 - 15.009.200.69 15.007.200.33 - 15.009.200.69
Google Chrome 22.0.1229.0 - 79.0.3945.117 28.0.1500.71 - 74.0.3729.157
Java JRE 6.1 - 8.221 7.6 - 8.181 7 - 8.92
Microsoft Office 2007 - 2016 2011 - 2016
Mozilla Firefox 3.6.10 - 72.0.1 10.0 - 65.0 3.6.9.2 - 49.0.2 10.0 - 49.0.2
OpenOffice 4.1.0 - 4.1.3
Safari 5.1.1 - 13.0.5
Silverlight 5.1.10411.0 - 5.1.50918.0 1.0.30715 - 5.1.41212

Application RedHat CentOS
Apache 1.3.0 - 2.4.18
Chromium-Browser 37.0.2062.120 - 51.0.2704.103
Exim 3.36 - 4.87
Httpd 2.2.15.26 - 2.4.6.40 2.2.15.26 - 2.4.6.40
Lighttpd 1.3.11 - 1.4.39
MySQL 5.5.17.1 - 5.7.73.7
MySQL-Server 5.1.47.4 - 5.7.73.7
Nginx 5.5.17.1 - 5.7.13.1
OracleDB 5.5.17.1 - 5.7.13.1
Postfix 2.6.6.2 - 2.10.1.6
PostgreSQL 8.4.4.2 - 9.2.15.1
Pure-ftpd 1.0.11 - 1.0.42
sendmail 8.14.4.8 - 8.14.7.4
sqlite 3.6.20.1 - 3.7.17.8
vsftpd 0.9.2 - 3.0.3

Last revised 2/20/20

Whitelist OS Coverage

OS Versions bit Languages
MacOS 10.4.7 - 10.4.11 32 bit English
MacOS 10.5.8 - 10.15.3 64 bit English
RedHat Client 6.4 - 6.7 32/64 bit English
RedHat Server 6.4 - 6.7 32/64 bit English
RedHat Desktop 6.4 - 6.7 32/64 bit English
RedHat Client 7.0 - 7.2 64 bit English
RedHat Server 7.0 - 7.2 64 bit English
RedHat Desktop 7.0 - 7.2 64 bit English
CentOS 6.4 - 6.7 32/64 bit English
CentOS 7.0 - 7.2 64 bit English
Windows 7 Enterprise Base - SP1 32/64 bit English
Windows 7 Professional Base - SP1 32/64 bit English
Windows 7 Ultimate Base - SP1 32/64 bit English, Arabic, Chinese (Simplified), Chinese (Traditional), Hebrew, Japanese, Korean, Portuguese, Russian, Thai, Ukrainian
Windows 8 Professional Base 32/64 bit English, Arabic, Chinese (Simplified), Chinese (Traditional), Korean, Portuguese, Russian, Ukrainian
Windows 8.1 Professional Base 32/64 bit English, Arabic, Chinese (Simplified), Chinese (Traditional), Russian
Windows 10 Professional 1507 - 1909 32/64 bit English
Windows 10 Home 1607 32/64 bit English
Windows Server 2003 SP2 32/64 bit English
Windows Server 2008 Standard Base - SP2 32/64 bit English
Windows Server 2008 R2 Base - SP1 64 bit English, Chinese (Simplified), Korean, Portuguese, Russian
Windows Server 2012 Standard SP2 64 bit English, Chinese (Simplified), Chinese (Traditional), Korean, Portuguese, Russian
Windows Server 2012 R2 SP2 64 bit English, Chinese (Simplified), Chinese (Traditional), Czech, Korean, Portuguese, Russian
Windows Server 2016 1607 64 bit English
Windows Vista Ultimate SP2 32/64 bit English
Windows XP Professional Base - SP3 32 bit English, Arabic, Chinese, Czech, Danish, Dutch, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Russian, Spanish, Swedish, Turkish
Windows XP Professional x64 SP1 64 bit English

GET Interface
The GET interface can be used to obtain details on a single MD5, SHA1, SHA256, or SHA512 hash:
http://bin-test.shadowserver.org/api?md5=0E53C14A3E48D94FF596A2824307B492
http://bin-test.shadowserver.org/api?sha1=000000206738748EDD92C4E3D2E823896700F849

If the hash provided matches an entry in our database, the details will be displayed after the provided hash on a single line:

0E53C14A3E48D94FF596A2824307B492 {"source": "NIST", "filename": "00br2026.gif", "crc32": "AA6A7B16", "product_name": "Gallery", "mfg_name": "Corel Corporation", "os_name": "Windows NT", "language": "English", "product_version": "750,000", "os_version": "Generic", "application_type": "Graphic/Drawing", "filesize": "2226", "os_mfg": "Microsoft"}

The details are serialized in JavaScript Object Notation (JSON) for quick integration with your application.

If the hash provided does not match an entry in our database, just the hash is returned on a single line:

0E53C14A3E48D94FF596A2824307B49A

Each data source may provide additional details. For example:

7fe2248de77813ce850053ed0ce8a474 {"binary": "1", "mfg_name": "Microsoft Corporation", "signer": "Microsoft Windows", "crc32": "23897C4C", "application_type": "exe", "dirname": "c:\Windows\winsxs\x86_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_362ce835fe42421b", "reference": "os", "filesize": "36864", "os_version": "6.1", "sig_trustfile": "C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.cat", "strongname_signed": "0", "bit": "32", "source_version": "1.3", "os_mfg": "Microsoft Corporation", "os_name": "Microsoft Windows 7 Ultimate Service Pack 1 (build 7601), 64-bit", "source": "AppInfo", "sha512": "F61BEA0DC281B56B563ED32331938EFC9BF6D7A3C9CAB3273103D2FD95A73C2492E31F2C64119651E5ABFE8F3A881317C3D3B81BAA2229B3CF01E4991EBFE8FC", "fileversion": "6.1.7600.16385", "language": "English", "filename": "ddodiag.exe", "description": "DDODiag is a tool that collects Device Display Object (DDO) information from the system and logs it", "trusted_signature": "1", "sig_timestamp": "07/14/2009 03:17:39", "filetimestamp": "07/14/2009 01:14:16", "product_name": "Microsoft Windows Operating System", "product_version": "6.1.7600.16385"}

In the event of an error, a message beginning with an exclamation mark (!) will follow the provided hash:

foo ! not an MD5 or SHA1 hash

POST Interface
The POST interface can be used to perform bulk queries. A multipart MIME encoded file is expected as input. The file must contain one MD5 or SHA1 hash per line. Lines that begin with a hash (#) will be treated as comments and ignored. The output will include one line for each hash provided, in the same format as the GET interface.

Here is an example of a bulk query using the curl utility:

# cat /tmp/test
000000206738748EDD92C4E3D2E823896700F849
0E53C14A3E48D94FF596A2824307B492
000000A9E47BD385A0A3685AA12C2DB6FD727A20
# curl http://bin-test.shadowserver.org/api -F filename.1=@/tmp/test
000000206738748EDD92C4E3D2E823896700F849 {"source": "NIST", "filename": "I05002T2.PFB", "crc32": "EBD105A0", "product_name": "Canvas", "mfg_name": "Deneba Software", "os_name": "Windows XP", "language": "English", "product_version": "8", "os_version": "Pro", "application_type": "Graphic/Drawing", "filesize": "98865", "os_mfg": "Microsoft"}
0E53C14A3E48D94FF596A2824307B492 {"source": "NIST", "filename": "00br2026.gif", "crc32": "AA6A7B16", "product_name": "Gallery", "mfg_name": "Corel Corporation", "os_name": "Windows NT", "language": "English", "product_version": "750,000", "os_version": "Generic", "application_type": "Graphic/Drawing", "filesize": "2226", "os_mfg": "Microsoft"}
000000A9E47BD385A0A3685AA12C2DB6FD727A20 {"source": "NIST", "filename": "femvo523.wav", "crc32": "D749B562", "product_name": "Decimals Made Easy", "mfg_name": "Dorling Kindersley Ltd.", "os_name": "Macintosh 8.1", "language": "English", "product_version": "Ages 8-11", "os_version": "8.1", "application_type": "Mathematics", "filesize": "42748", "os_mfg": "Apple Computer Inc."}
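
The three response forms described above (hash followed by JSON, hash alone, hash followed by a "!" message) can be told apart as in the following added example, which is not Shadowserver's code. The names parse_line and triage, the status labels, and the upper-casing of hashes for comparison are assumptions made for illustration; the sample lines are abridged from this page's examples, with one truncated line constructed to show malformed output.

```python
import json

# Abridged from the response examples on this page, plus one truncated
# line constructed to show the malformed case.
SAMPLE_RESPONSE = """\
0E53C14A3E48D94FF596A2824307B492 {"source": "NIST", "filename": "00br2026.gif", "filesize": "2226"}
0E53C14A3E48D94FF596A2824307B49A
foo ! not an MD5 or SHA1 hash
000000206738748EDD92C4E3D2E823896700F849 {"source": "NIST", "filename"
"""

def parse_line(line):
    """Return (hash, status, detail) for one response line."""
    key, _, rest = line.strip().partition(" ")
    rest = rest.strip()
    if not rest:
        return key, "unknown", None           # hash echoed alone: no match
    if rest.startswith("!"):
        return key, "error", rest[1:].strip()  # server-side error message
    try:
        detail = json.loads(rest)
    except ValueError:
        return key, "malformed", rest          # neither JSON nor an error
    if not isinstance(detail, dict):
        return key, "malformed", rest          # JSON, but not an object
    return key, "known", detail

def triage(submitted, response_text):
    """Split submitted hashes into known entries and those needing review."""
    known, review = {}, {}
    for line in response_text.splitlines():
        if not line.strip():
            continue
        key, status, detail = parse_line(line)
        if status == "known":
            known[key.upper()] = detail
        else:
            review[key.upper()] = status
    # A hash with no response line at all must not be treated as known.
    for h in submitted:
        h = h.upper()
        if h not in known and h not in review:
            review[h] = "no-response"
    return known, review
```

Only hashes returned in the first dictionary matched a database entry; everything in the second one (no match, error, malformed line, or no response line) still needs review.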

Sources
Information in this database has been collected from the following sources:
NSRL : National Software Reference Library. Field descriptions can be found in the Data Formats of the NSRL Reference Data Set (RDS) Distribution paper.

AppInfo : Shadowserver has developed a tool named AppInfo that collects information regarding executable files. Additional fields include "sha512", "fileversion", "dirname", signature fields "trusted_signature", "signer", "sig_timestamp", "sig_trustfile", "strongname_signed" and "bit" to indicate if the binary is 32 or 64 bit. The "reference" field indicates the origin of the scanned file.

Code Samples
Python:
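#!/usr/bin/env python3
#  Written by:  Jose Nazario (jose@arbor.net)
import json
import subprocess
import sys

def whitelisted(hashfile):
    # Run curl with an argument list (no shell), so the file name is
    # passed as a single argument and never interpreted by a shell.
    proc = subprocess.run(
        ['curl', '-s', 'http://bin-test.shadowserver.org/api',
         '-F', 'filename.1=@%s' % hashfile],
        capture_output=True, text=True, check=True)
    res = {}
    for line in proc.stdout.split('\n'):
        l = line.split(' ', 1)
        # Lines holding only a hash (no match) carry no details; skip them.
        if len(l) == 2:
            try:
                res[l[0]] = json.loads(l[1])
            except ValueError:
                # Error lines ("<hash> ! message") are not JSON; skip them.
                pass
    return res

if __name__ == '__main__':
    res = whitelisted(sys.argv[1])
    print(list(res.keys()))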

Perl:

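#!/usr/bin/perl
use strict;
use warnings;
use JSON;

=item whitelisted ($hashfile)

Returns a nested hash reference of whitelisted hashes and their decoded
JSON attributes.

=cut
sub whitelisted
{
	my ($hashfile) = @_;
	my %res;

	# List-form pipe open runs curl directly, without a shell, so the
	# file name is passed as a single argument.
	open(my $fh, '-|', 'curl', '-s', 'http://bin-test.shadowserver.org/api',
		'-F', "filename.1=\@$hashfile") || die("curl failed: $!");
	while (my $line = <$fh>)
	{
		if ($line =~ /^([^\s]+)\s(.+)$/)
		{
			my ($hash, $json) = ($1, $2);
			# Error lines ("<hash> ! message") are not JSON; skip them.
			my $details = eval { decode_json($json) };
			$res{$hash} = $details if defined $details;
		}
	}
	close($fh);

	return \%res;
}

my $res = whitelisted($ARGV[0]);
print join("\n", keys %{$res}), "\n";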
