Project author: InvincibleJuggernaut

Project description:
Malicious Windows executables detection using VirusTotal API and Random Forest ML model
Language: Jupyter Notebook
Project URL: git://github.com/InvincibleJuggernaut/Clamp.git
Created: 2021-03-02T08:59:56Z
Project community: https://github.com/InvincibleJuggernaut/Clamp

License: MIT License



Clamp

Introduction

Clamp is a utility program for detecting malicious Windows executable files (.exe or .dll). It makes use of VirusTotal’s API as well as a local machine learning model for analyzing the files and producing the final result.

Working

Clamp consists of three important Python scripts.


analyzer.py acts as the master controller. It is run by the user and invokes the functions residing in the other two scripts. It first calls scanner.py to compute the hash sum of the input file; scanner.py then submits this hash to the VirusTotal API.


If a match is found, scanner.py produces the diagnosis and displays it.


If no match is found for the hash, pe.py is called to extract the PE headers from the input file and feed them to the ML model. The final result is then displayed.
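The two-stage flow described above, as an added example that is not Clamp's own code: hash the file, ask VirusTotal for an existing report on that hash, and only when the hash is unknown fall back to parsing the PE headers locally and handing the extracted fields to a classifier. The VirusTotal v3 endpoint and `x-apikey` header are real, but the network call is kept separate so the rest runs offline; the sample PE bytes and the sample VirusTotal report are constructed here, and the `predict` callable stands in for the Random Forest model the repository does not ship (an assumption, not the project's model).

```python
"""Minimal Clamp-style pipeline: VirusTotal hash lookup first, local PE-header features second."""
import hashlib
import json
import struct
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

# Real VirusTotal v3 file-report endpoint; the API key is sent in the 'x-apikey' header.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of(data: bytes) -> str:
    """Hash sum that identifies the file to VirusTotal (the role scanner.py plays)."""
    return hashlib.sha256(data).hexdigest()


def vt_lookup_http(sha256: str, api_key: str) -> Optional[dict]:
    """Fetch the existing report for a hash; None means VirusTotal has never seen it (HTTP 404)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def vt_verdict(report: Optional[dict]) -> Optional[dict]:
    """Summarise data.attributes.last_analysis_stats from a v3 report into a verdict."""
    if report is None:
        return None
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    detections = int(stats.get("malicious", 0)) + int(stats.get("suspicious", 0))
    engines = sum(int(v) for v in stats.values())
    return {"source": "virustotal", "detections": detections, "engines": engines,
            "malicious": detections > 0}


def pe_features(data: bytes) -> Dict[str, int]:
    """Parse the DOS stub pointer, PE signature, COFF header and the leading optional-header fields."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # 20-byte COFF file header follows the signature
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 24 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    magic, _maj, _min, size_code, size_init, size_uninit, entry = struct.unpack_from(
        "<HBBIIII", data, opt)
    return {"machine": machine, "number_of_sections": nsections, "timestamp": timestamp,
            "characteristics": chars, "is_dll": int(bool(chars & 0x2000)), "magic": magic,
            "size_of_code": size_code, "size_of_init_data": size_init,
            "size_of_uninit_data": size_uninit, "entry_point": entry}


def analyze(data: bytes, vt_lookup: Callable[[str], Optional[dict]],
            predict: Callable[[Dict[str, int]], bool]) -> dict:
    """analyzer.py-style controller: VirusTotal verdict if the hash is known, else local model."""
    digest = sha256_of(data)
    verdict = vt_verdict(vt_lookup(digest))
    if verdict is not None:
        verdict["sha256"] = digest
        return verdict
    feats = pe_features(data)
    return {"source": "local_model", "sha256": digest, "malicious": bool(predict(feats)),
            "features": feats}


def build_sample_pe() -> bytes:
    """Constructed 112-byte PE header (no sections) used as offline sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x5F000000, 0, 0, 24, 0x0102)  # i386, 3 sections, EXE
    opt = struct.pack("<HBBIIIII", 0x10B, 14, 0, 0x1000, 0x2000, 0, 0x1234, 0x1000)  # PE32
    return bytes(dos) + b"PE\0\0" + coff + opt


# Constructed VirusTotal v3 report shape (only the field vt_verdict reads).
SAMPLE_VT_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 42, "suspicious": 1, "undetected": 27, "harmless": 0}}}}


if __name__ == "__main__":
    sample = build_sample_pe()
    print(analyze(sample, lambda h: SAMPLE_VT_REPORT, lambda f: False))
    print(analyze(sample, lambda h: None, lambda f: f["number_of_sections"] > 2))
```

With a real key, `analyze(data, lambda h: vt_lookup_http(h, API_KEY), model.predict)` reproduces the order of operations the README describes; a 404 from VirusTotal is the only case that reaches the PE parser, which is why the note below about the missing model matters for never-before-seen files.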






Installation


  • Clone this repository using
    git clone https://github.com/InvincibleJuggernaut/Clamp.git

  • Enter the downloaded directory using
    cd Clamp

  • Run the script using
    python3 analyzer.py

Note: This repository doesn’t contain the trained machine learning model due to size constraints. Therefore, this program only works if the file input by the user is recognized by VirusTotal. In case the file is relatively new and has never been scanned with VirusTotal before, the program won’t proceed, since it requires the ML model for the diagnosis.

Demo



Remarks

Modern anti-virus and anti-malware solutions use a combination of multiple methodologies in order to provide an accurate diagnosis. Clamp is quite simply a basic implementation for detecting malware. It can’t be used to replace commercial-grade anti-virus engines, since the techniques it uses are rudimentary and not enough to account for all possible threats.


The present-day threats are ever-evolving and there is simply no perfect solution. It’s a cat and mouse game with anti-virus vendors having to play catch-up with the malicious actors.

License

MIT License