DensityScout build 42

DensityScout is an interesting command-line tool from CERT Austria which can highlight malware-related files on your PC.

The program uses an unusual mathematical technique to figure this out. Or, as the author puts it, DensityScout "calculates density (like entropy) for files of any file-system-path to finally output an accordingly descending ordered list".

But the underlying idea is this. Standard unpacked executable files will have an uneven spread of bytes; that is, some byte patterns will occur more often than others due to structures in the file. Malware is often packed, though, which not only conceals the real executable, but also means you'll have a more even distribution of byte usage throughout the file.

So what does this mean? The author recommends launching the program with a line like this.

densityscout -s cpl,exe,dll,ocx,sys,scr -p 0.1 -o results.txt c:\Windows\System32

(Be sure to read his SANS blog post on the program.)

This essentially means: scan all the executable files in the Windows System32 folder and save the data to results.txt. The results are then placed in order, with the lowest and most suspect values at the top. In our case the list started like this:

(0.02417) | c:\Windows\System32\FlashPlayerInstaller.exe
(0.16460) | c:\Windows\System32\DivX.dll
(0.22350) | c:\Windows\System32\iglhsip32.dll
(0.28759) | c:\Windows\System32\AuthFWGP.dll

And as you can see, the program has worked, at least to a degree: the two top values are "intruders", presumably packed (though also entirely legitimate, so of course you must check any highlighted files to see what they really are).
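The byte-distribution idea described above can be tried with the sketch below, which is an added example and not DensityScout's own code. The page does not give DensityScout's density formula, so this uses Shannon entropy instead: here a higher score means a more even spread of bytes, so the list is sorted highest first, the opposite direction to DensityScout's output. The file names and contents in demo() are constructed samples.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 (one repeated value) up to 8.0 (perfectly even spread)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())

def rank_files(root, extensions):
    """Score every file under root with a wanted extension, most even spread first."""
    wanted = {"." + ext.lower().lstrip(".") for ext in extensions}
    results = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in wanted:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    score = shannon_entropy(fh.read())
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the scan
            results.append((score, path))
    return sorted(results, reverse=True)

def demo():
    """Constructed input: a structured file and a pseudo-random stand-in for a packed one."""
    structured = (b"\x00" * 200 + b"MZ section .text padding ") * 300
    packed_like = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    samples = {"plain.dll": structured, "packed.exe": packed_like, "notes.txt": packed_like}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [(round(s, 2), os.path.basename(p)) for s, p in rank_files(tmp, ["exe", "dll"])]

if __name__ == "__main__":
    for score, name in demo():
        print(f"({score:.2f}) | {name}")
```

As with DensityScout's list, a high ranking only says the bytes are evenly spread; compressed installers and media libraries score the same way, so each flagged file still has to be checked.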

There's no magic solution here, then, and the program's command-line nature means it's not exactly easy to use. But if you're an expert who would like a little extra antivirus help, then DensityScout could definitely come in handy occasionally.

Platforms: Linux, Windows 7 (32 bit), Windows 7 (64 bit), Windows Vista (32 bit), Windows Vista (64 bit), Windows XP
Version: Build 42
Licence: Freeware
Manufacturer: CERT Austria
Date Added: 2012-04-30 09:58:00

