It is true, such a utility especially in wide-spread use, would put a substantial load on their servers. For something to succeed it would require the proper infrastructure in place, and adequate resources, agreed.

I wouldn’t attempt to create a third-party tool such as that, it wouldn’t be fair to VirusTotal to swap their servers in that way.

I suppose that it is at least a good start. I see that it only works when called in via the explorer context menu. I would really like to see a utility that can run as a system process monitoring all files accessed, and check their hashes automatically.

I understand that is a bit more advanced than the tool you’ve developed thus far. While I don’t expect to see any such utility any time in the near future, it would be something of worth.

I would like to see beyond what I mentioned above about the active bloodhound monitoring, that after the program searches the hash, and If the hash doesn’t exist, or the previous scan was beyond a user specified threshold, I would like to see the program (re)upload the file, run the scan, and then return the results. If a positive result is found, then a visual warning could/should be displayed to the user, where as if the file is clean, then the process monitoring and hashing utility would continue on without interrupting the user.

The addresses are listed from http://www.tot-ltd.org/md5db/0000-FFFF, which are the first 4 digits of the md5 hash that you’re looking to verify/check for the presence of malware. The text files are parsed using line feeds, which reduces total size, since the database is uncompressed for ease of use and access. Even though the database is distributed through 65536 files, each section is only a few KB in size.

I currently have a system scanner up and available for download at http://www.tot-ltd.org/TT-Livescan.rar The scantimes are limited almost entirely by the hardware capabilities of the system the scanner is running on, and can process just over 50GB/Min at its peak.

As for the source of the database, one of my previous projects was VTE Virus Scanner. Since its inception, I’ve obtained samples and lists from countless places across the internet. Most recently, I obtain/utilize google’s malware blacklist, clamav.net’s database, honeynet.cz, and a few other sites that publicly list md5 hashes. Personally, I prefer to use jotti to double check samples that I obtain.

Hope this explanation was of some help/use.

How have you made this available for people looking to build up applications around it?

What software are you currently using to generate your database, and, what anti-virus programs are scanning files?

How does one submit a file for scanning, and do you have an API available?

http://www.tot-ltd.org/md5db/FFFF

I emailed him quite a while ago about the same thing, only to be rebuffed. The next database update will include just over 5 million md5 hashes. Since nobody else has the balls to step up to the plate and put their money where their mouth is, I figured I might as well be the first one to do it.