Identify AV signatures in files using binary search.
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
ThreatCheck-Py
Started as a python port of Rasta-Mouse's ThreatCheck.
A tool to find AV signatures in files.
Requirements
- Python 3.8 or higher
- Windows OS (for Defender and AMSI scanners)
Supported Scanners
File Scanners
- Defender
- Amsi
- Clamav
Process Scanners:
- Yara
Installation
From PyPi
pip install threatcheck-py
From Source
git clone https://github.com/ruvolof/threatcheck-py.git
cd threatcheck-py
pip install -e .
Usage
Command Line Options
$ threatcheck --help
usage: threatcheck [-h] [-e {defender,amsi,clamav,yara}] [-f FILE] [-u URL] [-d DIRECTORY] [-p PID] [-r RULES]
[--debug] [--version]
Identify AV signatures in files
options:
-h, --help show this help message and exit
-e {defender,amsi,clamav,yara}, --engine {defender,amsi,clamav,yara}
Scanning engine (default: defender)
-f FILE, --file FILE Analyze a file on disk
-u URL, --url URL Analyze a file from a URL
-d DIRECTORY, --directory DIRECTORY
Analyze all files in a directory
-p PID, --pid PID Analyze a process by PID
-r RULES, --rules RULES
Path to YARA rules directory. Will recursively search for all .yar and .yara files.
--debug Enable debug output
--version show program's version number and exit
Defender Test Environment Setup
It is recommended to force autosubmission of samples to never send them, or the amount of notification can be overwhelming. This can be forced through group policies:
- Open Local Group Policy Editor (gpedit.msc)
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS
- Double click on "Send file samples when further analysis is required"
- Set it to "Enabled" and in the bottom-left panel select "Never send"
All other Defender settings can be left on as long:
- There's a path exception in place for the original location of your samples (otherwise real-time protection will prevent the initial loading of the files).
- (Maybe?) The original location has to be on your C drive. In my experience Defender ignores exception for external drives and I run in problem 1 above.
Credits
- Original ThreatCheck by Rasta-Mouse.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file threatcheck_py-0.3.0.tar.gz.
File metadata
- Download URL: threatcheck_py-0.3.0.tar.gz
- Upload date:
- Size: 24.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1a9628630a090551947e43b2dade65b37dee4187c4c9f054289053ee6d9fd0b1
|
|
| MD5 |
9252a14c3b2e3a386f3f0ac69a45b6f3
|
|
| BLAKE2b-256 |
5492c93754c4a7d710a0b26656fafaef0bed5f598d814bfcca5a1413c0c83ad7
|
Provenance
The following attestation bundles were made for threatcheck_py-0.3.0.tar.gz:
Publisher:
python-publish.yml on ruvolof/threatcheck-py
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
threatcheck_py-0.3.0.tar.gz -
Subject digest:
1a9628630a090551947e43b2dade65b37dee4187c4c9f054289053ee6d9fd0b1 - Sigstore transparency entry: 984851816
- Sigstore integration time:
-
Permalink:
ruvolof/threatcheck-py@724448710fe888ed0f2687a0e443ec500bb43f19 -
Branch / Tag:
refs/tags/0.3.0 - Owner: https://github.com/ruvolof
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
python-publish.yml@724448710fe888ed0f2687a0e443ec500bb43f19 -
Trigger Event:
release
-
Statement type:
File details
Details for the file threatcheck_py-0.3.0-py3-none-any.whl.
File metadata
- Download URL: threatcheck_py-0.3.0-py3-none-any.whl
- Upload date:
- Size: 27.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b64845edcd733ce8ff6dfd3d51623563f0db2df0fb59850f6fc70441dad500a8
|
|
| MD5 |
c5fa9eefbad934b2ac717682f42b9303
|
|
| BLAKE2b-256 |
b719d6aa5c955b8cf03635bd0783100d88e0be378182e436a32335a61c6630b5
|
Provenance
The following attestation bundles were made for threatcheck_py-0.3.0-py3-none-any.whl:
Publisher:
python-publish.yml on ruvolof/threatcheck-py
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
threatcheck_py-0.3.0-py3-none-any.whl -
Subject digest:
b64845edcd733ce8ff6dfd3d51623563f0db2df0fb59850f6fc70441dad500a8 - Sigstore transparency entry: 984851819
- Sigstore integration time:
-
Permalink:
ruvolof/threatcheck-py@724448710fe888ed0f2687a0e443ec500bb43f19 -
Branch / Tag:
refs/tags/0.3.0 - Owner: https://github.com/ruvolof
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
python-publish.yml@724448710fe888ed0f2687a0e443ec500bb43f19 -
Trigger Event:
release
-
Statement type:
