Air-gapped VirusTotal malware checks

How do you quickly check unknown/suspicious PE samples against VirusTotal on an air-gapped computer, or after taking a computer offline during an incident investigation? This is a pretty common situation in Incident Response teams, and there’s often no clearly defined procedure for this. Here’s a simple way to get the job done.

  • Grab a copy of Mscan (see link below) and launch it on the air-gapped Windows machine. Mscan is a simple VirusTotal lookup tool with one unusual feature: it supports malware checks on air-gapped computers by packing the lookup into high-density QR codes.

  • Select one or more samples to look up on VirusTotal, either by dragging them into the list view or through the file-selection dropdown. Mscan computes hashes for the selection and generates a VirusTotal scan job in the form of a QR code.

  • Using a smartphone camera (no app needed), just scan the QR code to perform the lookup and get the results on the phone.
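
The three steps above, as an added example in Python; this is not Mscan's code and does not reproduce its QR encoding. It hashes the selected samples on the isolated host, emits one VirusTotal report URL per file (the public `https://www.virustotal.com/gui/file/<sha256>` form, which a phone camera opens without any app) and, for larger selections, packs the SHA-256 list into chunks sized for one QR code each. Assumptions: a QR code capacity of 2953 bytes (version 40, error-correction level L, byte mode), a newline-separated hash list as the batch format, and the optional third-party `qrcode` package for rendering; the sample files are constructed on the fly and contain no real malware.

```python
"""Added example (not Mscan's code) of the offline lookup workflow described
above: hash the samples on the isolated host, then turn the hashes into text
that fits in QR codes. Only hashes cross the air gap; the sample bytes never
leave the machine."""
import hashlib
import os
import tempfile

# QR code capacity assumption: version 40, error-correction level L, byte
# mode holds 2953 bytes, so a payload under that limit fits in one QR code.
QR_BYTE_CAPACITY = 2953

# Public VirusTotal file-report URL, keyed by SHA-256 (a real URL form).
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


def hash_file(path, block_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests of a file, streamed in blocks
    so large samples are not read into memory at once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def is_pe(path):
    """Cheap PE check: the file starts with the 'MZ' DOS-header magic."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def build_scan_job(paths):
    """Hash every selected sample; one dict per file."""
    job = []
    for path in paths:
        md5, sha1, sha256 = hash_file(path)
        job.append({"name": os.path.basename(path), "pe": is_pe(path),
                    "md5": md5, "sha1": sha1, "sha256": sha256})
    return job


def report_urls(job):
    """One VirusTotal report URL per sample. Encoded as individual QR codes,
    a plain phone camera opens each report without any app."""
    return [VT_FILE_URL.format(sha256=entry["sha256"]) for entry in job]


def batch_payloads(job, capacity=QR_BYTE_CAPACITY):
    """Pack all SHA-256 hashes into newline-separated text chunks, each at
    most `capacity` bytes so it fits one QR code. The chunk format is a
    hypothetical one for a reader app, not Mscan's own encoding."""
    chunks, current = [], ""
    for sha256 in (entry["sha256"] for entry in job):
        candidate = sha256 if not current else current + "\n" + sha256
        if current and len(candidate.encode("ascii")) > capacity:
            chunks.append(current)  # flush the full chunk, start a new one
            current = sha256
        else:
            current = candidate
    if current:
        chunks.append(current)
    return chunks


def render_qr(text, out_path):
    """Write a PNG of the QR code if the optional `qrcode` package is
    installed (pip install qrcode[pil]); return False otherwise so the
    payload text can still be displayed some other way."""
    try:
        import qrcode  # optional third-party dependency, not stdlib
    except ImportError:
        return False
    qrcode.make(text).save(out_path)
    return True


def make_constructed_samples():
    """Create three constructed sample files in a temp directory: a fake PE
    (MZ header only), a small text file and an empty file. Returns their
    paths; the bytes are synthetic, not real malware."""
    tmp = tempfile.mkdtemp(prefix="mscan_demo_")
    samples = {"fake.exe": b"MZ" + b"\x00" * 62,
               "abc.txt": b"abc",
               "empty.bin": b""}
    paths = []
    for name, data in samples.items():
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


if __name__ == "__main__":
    paths = make_constructed_samples()
    job = build_scan_job(paths)
    for entry, url in zip(job, report_urls(job)):
        print(f"{entry['name']:10} pe={entry['pe']!s:5} {url}")
    for i, chunk in enumerate(batch_payloads(job), 1):
        print(f"--- batch QR {i} ({len(chunk)} bytes) ---\n{chunk}")
        print("rendered:", render_qr(chunk, f"job_{i}.png"))
```

Two practical points follow from the design. First, the phone is the only thing that talks to VirusTotal, and all it sends is a hash, so nothing from the isolated host is uploaded; a hash lookup therefore only answers for files VirusTotal has already seen, and a unique or freshly compiled sample comes back as unknown rather than clean. Second, keep batch payloads well under the capacity constant: dense version-40 codes are hard for a phone camera to read from a screen, so several smaller codes usually scan more reliably than one maximal one.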

  (*) Mscan consists of both a compiled GUI-based client and an open-source Python script; download links and more info at: https://www.metasudo.com/mscan

Written on June 14, 2021