Jan 212019

Just a short disclaimer: Ok, I know… Excel might not be your tools of choice for querying VirusTotal, but there are valid reasons to use it. So, if you think this is a stupid idea – which it might be after all – please let me have my fun…

Recently one of my clients approached me with a very interesting question: Can VirusTotal be queried from Microsoft Excel? The reason for this request was pretty simple: They deployed a new EDR solution which they were still integrating into their SOC workflow. In the meantime they were searching for a graphical way to check all the newly gathered file hashes against VT.

PS: Did I mention that I now run my own company? It’s called Bee IT Security[German only], just in case you need world class penetration testing or security consulting services.

This sounded interesting to me so I dusted off my VBA skills and started some research… As it turns out, there is a fully documented public VirusTotal API and there are libraries to parse the JSON reply from within VBA.

After a few hours of work I can now finally conclude: Yep, it’s totally possible to run VirusTotal queries from within Excel. And yes, I’m providing the XLSM file for free. Just press the big green “Download” button a few lines down. But you should continue reading this post to get the most out of it.

My VirusTotal Checker built within Microsoft Excel

Getting everything ready

So before you can use the tool you have to get a VirusTotal API key. If you already have one, you can skip this step. Luckily this is pretty easy: Just get yourself a Community account and then visit your profile. There you can copy your API key:

Pro Tip: Yours should not be blured

Next, download my XLSM VirusTotal checker:

After opening it, you have to accept the Macro execution. Always remember: Don’t execute macros from untrusted sources! (But you know me, I’m a nice guy). Just for reference: this version has only been tested on Windows.

Finally switch to the “Config” table and paste your VirusTotal API key into the corresponding line.

Using the file

Great, you are now ready to rock. The big question is how do you use the file efficiently? Use the Importer! This first script helps you to minimise the number of VirusTotal queries by removing duplicate hashes.

So switch to the Importer table and clear its content. Next, paste your hashes in the given format: the first row is your identifier, the second row the MD5 hash of the file to check. Don’t include empty rows as they are considered the end of the list.

Open the actual importer by clicking the button “Import to Hashes Tables” and start the process using the newly opened window.

This task now copies all the hashes that are new to the Hashes table. All already existing hashes are simply marked as duplicate.

Finally querying VirusTotal

Thanks for reading that far: But now we are finally ready to query VirusTotal. So, switch over to the Hashes table.

There you should see all your already queried as well as your newly imported hashes. Whenever you want to recheck a given hash, simply empty its result. Please don’t add any empty lines as again they are used to detect the end of the list.

To start the process press the “Query Virus Total” button and the click start.

As shown above, new results will appear as the query process continues. There are three possible outputs: Malicious, Unknown and Good. I think they are pretty self explaining. Besides every result the actual detection rate is shown.

For more information you can check out the source code. The interesting part is within the VTQuery module. The rest is just code for gluing everything together.

If you have any further question, please leave a comment below.

Dec 272015

Over the past few month it has been quite silent here…

The reason was that I was fully – and I really mean fully – occupied by preparing and taking the Offensive Security Certified Professional (OSCP) exam.

I can now proudly declare that I survived and that I passed the exam on the first attempt! Thanks Offensive Security for consuming so much of my time and nerves ūüėČ


Anyway, expect a few post to come in the following¬†weeks. I already have some ideas floating around…

Aug 262014

We have a client that uses Final Cut Pro 7 on several Mac Pros running Mavericks to edit and capture videos on our flow:rage video storage. They are working with SD material encoded as either IMX 50 or ProRes. They reported that sometimes after stopping the capture within Final Cut Pro 7 using the ESC key the newly created video would not show up.

After¬†hours trying to reliable reproduce the issue I gave up. What I can say is that some capture files (like 1 in 20) stop to grow during the ingest on network volumes. No log entries are created. I think that the network connection or the network stack within the kernel stalls. All network protocols tested (AFP, SMB and NFS) suffered the same problem on multiple servers. The temporary capture file with the “-avpostfix¬†stays within the destination folder¬†with a broken and presumably¬†unrecoverable QuickTime header.

FCP Capture

I further discussed the issue with the main developer of just:in,¬†ToolOnAir’s¬†ingest solution. He confirmed¬†that¬†just:in¬†successfully¬†uses the QuickTime 7 API to write IMX and ProRes encoded video files to network storages.

QT7 Capture

As the underlying QuickTime 7 API is still working as expected I conclude that this issue is another bug affecting Final Cut Pro 7 under Mavericks. I worked around this problem by creating a local watchfolder that moves the captured file automatically to the flow:rage.

Mar 302014

In my post How to Create a RAM Disk ‚Äď The Easy Way I released RamDiskCreator. As the name suggest it’s only duty is to create a RAM disk. The following AppleScript function does the same. I wrote it for Uwe to create two RAM disks at startup.

on createRamDisk(sizeInMB, volumeName)
	set sizeInSectors to round sizeInMB * 1024 * 1024 / 512 rounding up
	set cmd to "diskutil erasevolume HFS+ '" & volumeName & "' `hdiutil attach -nomount ram://" & sizeInSectors & "`"
		do shell script cmd
		return true
	on error
		return false
	end try
end createRamDisk

You can download the source here.

Apr 082013

I do have quite a few customers who still have PHP websites that use the quite old mail function.
This function uses the local sendmail application on UNIX based systems to forward mails.

Therefore if the responsible mailserver for a given domain is not installed on the same server the mail will be rejected by most recipients. Two possible solutions exist:

  1. You can add the webserver as an additional authorized mail server…
  2. ¬†… or configure sendmail to relay mails through your already working mailserver.

I always choose option 2, as it’s easier to configure and maintain. You only have to have a valid SMTP user for the existing mailserver and root access to the webserver.¬†The following steps show how to set mail relaying up:

Install sendmail

Before we can start we have ensure, that sendmail is installed. This can be running the following command:

whereis sendmail

If it is installed the full path to the executable will be printed. Otherwise you can install it using your distributions’s package manager. On Debian-style distributions you can use the following command:

sudo apt-get install sendmail

The installation can take quite some time on slow internet connections.

Configure relay credentials

Now we have to configure the mailserver and the corresponding user credentials. This is done by appending the following line to /etc/mail/authinfo using your favorite text editor.

AuthInfo:your_mail_server.your_domain.tld "U:your_username" "P:your_password"

You have to replace the dummy information.

Updating the sendmail configuration

This step updates the sendmail configuration to include the previously added server credentials. Add the following lines in the file /etc/mail/sendmail.mc after the “FEATURE(`access_db’, , `skip’)dnl” directive.

FEATURE(`authinfo',`hash /etc/mail/authinfo')
define(`SMART_HOST', `your_mail_server.your_domain.tld')

Replace the hostname!

Saving the configuration

Use the following commands to save the configuration. After that you should be able to send mails through PHP.

cd /etc/mail/
sudo makemap hash authinfo < authinfo
sudo m4 sendmail.mc >sendmail.cf
sudo /etc/init.d/sendmail restart
Jan 252013

Mac OS X is built on top of a strong UNIX foundation. Thereby it also inherits its multiuser capabilities. User separation allows us to have different system accounts for different users, making the system more secure by restricting access to system functions for particular users.

However sometimes it is necessary to launch an application as System Administrator (root). As long as you have an administrator account, this can be done using one of the following approaches:

  • If you want to launch a single UNIX (command line) application the sudo command is the way to go. It allows you to run a single command as root. Furthermore it also allows you to spawn a new root shell using the -s¬†switch. Thus you to run several commands as root without having to type sudo all the time.
  • It is also possible to enable the root account. After that you can use the Login Window to login as root. I would strongly recommend to not use this approach as it disables lots of security features.
  • Sometimes you may want an application to always launch as root (or another user). This can be done by setting the POSIX suid bit. If set, this application will run as the POSIX owner independently of who launched it. A good usage example is the passwd command.
  • Finally it is also possible to launch Mac OS applications as root. This can either be done by using the Terminal (by launching the binary located in “App Bundle.app/Contents/MacOS/” or by using my new tool MacSudoer.


MacSudoer is a small droplet written in AppleScript that launches the dropped application as root. This can for example be used to allow OmniDiskSweeper to analyse the whole disk including all system folders.

To install MacSudoer just download the application and drag it to your Dock. Now you can drop any application onto the bomb icon to launch it as root.

For security reasons you have to enter your password before the dropped application is launched. Furthermore not all programs can or should be launched as root. A malfunction of such a privileged application can render your system unusable or delete your data. Therefore only launch trusted applications using MacSudoer.

May 152012

For me a good media archive has to have great preview support.

Think about the following: You’re looking for footage in your archive for a current project but only find several similar tagged files. How do you know what you get?

This is exactly the point where previews help a lot!

Archiware PresStore Archive helps you as it automatically generates previews for some types of media – but it’s rather limited.¬†To work around this limitation custom generators can be added.

Yesterday I released “PresStore Media Converter”, a small toolkit based on FFmpeg, ImageMagick, Poppler and node.js to generate previews of hundreds of file types – including several raw file types.

Here aare some supported types:

  • TIF
  • JPG
  • GIF
  • PNG
  • NEF
  • DNG
  • PDF
  • MP3
  • M4A
  • WAV
  • MXF (partial – depending on codec)
  • MOV (partial – depending on codec)
  • AVI (partial – depending on codec)

I’ve release it as open source under the GPL2 license.
You can download it at Google Code.