SigcheckGUI is a free, third-party graphical interface for Microsoft’s official command-line tool, Sysinternals Sigcheck. It lets you easily audit your system for malware by checking if your software files are digitally signed and by automatically cross-referencing them against the VirusTotal database.
This tool helps you quickly find files that lack a valid signature or that a large share of antivirus engines flag.

Prerequisites Before You Begin
Download Sigcheck: Grab the official command-line executable from Microsoft Learn.
Download SigcheckGUI: Download the portable companion app (available on popular software repositories like gHacks or GitHub).
Setup: Place both files in the same folder. SigcheckGUI is only a front end: every scan is performed by the Sigcheck command-line executable, which it runs in the background.

Step-by-Step Guide to Scan for Malware

1. Open the Tool and Enable VirusTotal

Launch SigcheckGUI.exe.
Locate the VirusTotal or Options settings in the top toolbar or menu and check the box to Enable VirusTotal lookup. Note that the lookup sends the hash of every scanned file to VirusTotal (and, if you also enable uploading of unknown files, the files themselves), which may not be acceptable for sensitive or proprietary binaries.
You must review and agree to the VirusTotal Terms of Service when prompted; the underlying Sigcheck refuses to query VirusTotal until the terms have been accepted.

2. Choose Your Scan Profile
The tool provides three primary methods to scan files in its main interface:
Scan Running Processes: Click the dedicated process button in the toolbar to check the on-disk executable image of every running process. This is the quickest way to spot a malicious process that is already running, but it only examines the process's own image file: DLLs loaded into a legitimate process and code injected into memory are not covered.
Scan Specific Folders: Select target system directories (such as C:\Windows\System32).
Import File List: Load a pre-configured manifest file to verify specific software packages.

3. Apply Filters to Isolate Threats
Instead of browsing thousands of safe, verified Microsoft files, use the interface filters to isolate suspicious items:
Filter Unsigned Files Only: Enable the equivalent of Sigcheck's -u switch in the GUI. This hides legitimately signed files and shows only unsigned code. Be aware of how -u behaves in the command-line tool: with VirusTotal checking disabled it lists unsigned files, but with VirusTotal enabled it instead lists files that VirusTotal does not know or that have a non-zero detection count, so a scan run with both options on will not show every unsigned file.
Filter Non-Zero Detections: Filter the view to show only files with a positive detection count on VirusTotal, i.e. anything above 0 out of the roughly 70 engines reported.

4. Investigate the Scan Results
The interface generates a neat, sortable data table. Look closely at these specific columns:
Sign Status: Any file whose status is not a clean “Signed” (for example “Unsigned” or “Insecure”) should be treated with caution. The reverse does not hold: malware has been shipped with valid signatures from stolen or fraudulently obtained certificates, so a signed file is not automatically safe.
VirusTotal Ratio: Displays how many antivirus engines flag the file. 0/72 means that none of the 72 engines flagged the hash, which is not proof of safety, since new or targeted malware usually starts at zero detections. A ratio where a large share of the engines agree is a strong indicator of malware; one or two hits out of 72 are frequently false positives and deserve a look at the report before acting.
Publisher / Description: Malware often leaves the company name and software description blank. Many small legitimate tools do the same, so treat empty fields as a reason to look closer rather than as a verdict.
Detailed Report: Double-click or right-click any suspicious row to open the VirusTotal analysis page for that file's hash in your browser.

Helpful Troubleshooting Tips

Reference: Sigcheck – Sysinternals – Microsoft Learn
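The same four steps driven from the command line, as an added example that is not part of the article or of SigcheckGUI: it calls the Sysinternals sigcheck64.exe that the GUI runs in the background, covers both the running-process and the folder scan profiles, and applies the unsigned and non-zero-detection filters to Sigcheck's CSV output. Assumptions not stated on the page: sigcheck64.exe sits in the current folder, and Sigcheck's CSV header uses the column names Path, Verified, Publisher, Description, SHA256 and VT detection (the VT column is located by a pattern match in case the header wording differs between versions).

```powershell
# Added example (not from the article or SigcheckGUI): command-line equivalent
# of the GUI walkthrough, using the Sysinternals sigcheck64.exe that the GUI
# drives in the background.
# Assumptions: sigcheck64.exe is in the current folder; the CSV columns are
# named Path, Verified, Publisher, Description, SHA256 and VT detection.

$Sigcheck = Join-Path (Get-Location) 'sigcheck64.exe'

function Invoke-Sigcheck {
    param(
        [Parameter(Mandatory)] [string] $Target,   # file, folder or wildcard
        [switch] $Recurse
    )
    # -c  CSV output           -h  include file hashes
    # -e  executables only     -v  query VirusTotal by hash (no upload)
    # -vt accept the VirusTotal terms (the GUI prompts for this instead)
    # -u is deliberately omitted: combined with -v it restricts output to
    #    unknown / non-zero-detection files and would hide unsigned ones.
    $argList = @('-accepteula', '-nobanner', '-c', '-h', '-e', '-vt', '-v')
    if ($Recurse) { $argList += '-s' }
    $argList += $Target
    & $Sigcheck @argList | ConvertFrom-Csv
}

function Get-RunningImages {
    # Image paths of live processes (the GUI's "scan running processes" mode).
    # Run elevated; otherwise paths of SYSTEM and other users' processes are empty.
    Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique
}

function Select-Suspicious {
    # Re-create the GUI filters: keep rows that are not cleanly signed, that
    # have one or more VirusTotal detections, or that carry no VT ratio at all
    # (unknown / not scanned), since those still need a manual look.
    param([object[]] $Rows)
    if (-not $Rows) { return }
    $vtCol = $Rows[0].PSObject.Properties.Name |
             Where-Object { $_ -match 'VT.*detect' } | Select-Object -First 1
    foreach ($r in $Rows) {
        $vt   = if ($vtCol) { [string]$r.$vtCol } else { '' }
        $hits = -1                                  # -1 = no ratio available
        if ($vt -match '^(\d+)/(\d+)$') { $hits = [int]$Matches[1] }
        $reasons = @()
        if ($r.Verified -ne 'Signed') { $reasons += "signature: $($r.Verified)" }
        if ($hits -gt 0)              { $reasons += "VirusTotal: $vt" }
        if ($hits -lt 0)              { $reasons += "no VT ratio ($vt)" }
        if ($reasons.Count -eq 0) { continue }      # signed and 0/N: drop it
        [pscustomobject]@{
            Path        = $r.Path
            Verified    = $r.Verified
            Publisher   = $r.Publisher
            Description = $r.Description
            VT          = $vt
            Detections  = [math]::Max($hits, 0)
            SHA256      = $r.SHA256
            Reason      = $reasons -join '; '
        }
    }
}

# Profile 1: running processes (one Sigcheck run per unique image path).
$rows = Get-RunningImages | ForEach-Object { Invoke-Sigcheck -Target $_ }
Select-Suspicious $rows | Sort-Object Detections -Descending | Format-Table -AutoSize

# Profile 2: a system folder, recursively, exported for later review.
$rows = Invoke-Sigcheck -Target 'C:\Windows\System32' -Recurse
Select-Suspicious $rows | Sort-Object Detections -Descending |
    Export-Csv -NoTypeInformation -Path .\suspicious.csv
```

Rows that are signed and report 0 detections are dropped, which is exactly the "thousands of safe Microsoft files" the GUI filters hide; everything else is kept with a Reason column explaining which filter it tripped, so a file that is signed but has detections, or unsigned but has none, is not lost between the two views. Sorting on the numeric Detections column rather than the raw "12/72" string avoids "9/72" sorting above "12/72".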