
DensityScout build 42

DensityScout is an interesting command-line tool from CERT Austria which can highlight malware-related files on your PC.

The program uses an unusual mathematical technique to figure this out. Or, as the author puts it, DensityScout "calculates density (like entropy) for files of any file-system-path to finally output an accordingly descending ordered list".

But the underlying idea is this. Standard unpacked executable files will have an uneven spread of bytes; that is, some byte patterns will occur more often than others due to structures in the file. Malware is often packed, though, which not only conceals the real executable, but also means you'll have a more even distribution of byte usage throughout the file.

So what does this mean? The author recommends launching the program with a line like this.

densityscout -s cpl,exe,dll,ocx,sys,scr -p 0.1 -o results.txt c:\Windows\System32

(Be sure to read his SANS blog post on the program.)

This essentially means: scan all the executable files in the Windows System32 folder and save the data to results.txt. The results are placed in order, with the lowest and most suspect values at the top. In our case the list started like this:

(0.02417) | c:\Windows\System32\FlashPlayerInstaller.exe
(0.16460) | c:\Windows\System32\DivX.dll
(0.22350) | c:\Windows\System32\iglhsip32.dll
(0.28759) | c:\Windows\System32\AuthFWGP.dll

And as you can see, the program has worked, at least to a degree: the two top values are "intruders", presumably packed (though also entirely legitimate, so of course you must check any highlighted files to see what they really are).
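The byte-distribution idea and lowest-first ordering described above, as an added Python example. It is not DensityScout's code: it uses Shannon entropy as a stand-in for the tool's density formula, and the sample data and file names are constructed.

```python
import math
import random
import zlib
from collections import Counter


def unevenness(data: bytes) -> float:
    """Return 1 - H/8, where H is Shannon entropy in bits per byte.

    Near 0.0: every byte value is about equally common (packed, compressed
    or encrypted content). Near 1.0: a few byte values dominate.
    Stand-in metric for illustration, not DensityScout's density formula.
    """
    if not data:
        return 1.0  # assumption: an empty file has nothing to flag
    total = len(data)
    entropy = -sum((n / total) * math.log2(n / total)
                   for n in Counter(data).values())
    return 1.0 - entropy / 8.0


def rank(samples: dict) -> list:
    """Score each named blob; lowest (most suspect) score comes first."""
    return sorted((unevenness(blob), name) for name, blob in samples.items())


def build_samples() -> dict:
    """Constructed data standing in for files; nothing is read from disk."""
    rng = random.Random(42)  # fixed seed so the run is repeatable
    # 16 byte values that recur constantly, as opcodes and headers do.
    common = b"\x00\x55\x8b\xec\x83\xc3\xff\x90MZPE.tex"
    body = bytes(common[int(rng.random() * 16)] for _ in range(20000))
    unpacked = body + b"\x00" * 4096       # plus section padding
    packed = zlib.compress(unpacked, 9)    # compression as a toy "packer"
    return {"unpacked.bin": unpacked, "packed.bin": packed, "empty.bin": b""}


if __name__ == "__main__":
    for score, name in rank(build_samples()):
        print(f"({score:.5f}) | {name}")
```

The same content scores far lower once compressed, which is why a low value only indicates packing and still needs the manual check the review describes.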

There's no magic solution here, then, and the program's command-line nature means it's not exactly easy to use. But if you're an expert who would like a little extra antivirus help, then DensityScout could definitely come in handy occasionally.

Platforms: Linux, Windows 7 (32 bit), Windows 7 (64 bit), Windows Vista (32 bit), Windows Vista (64 bit), Windows XP
Version: Build 42
Licence: Freeware
Manufacturer: CERT Austria
Date Added: 2012-04-30 09:58:00

