Malware Hash Registry (MHR)
Free. Forever.
A virus and malware validation force
multiplier
Automate your searches across 30+ databases to catch what your other detection tools have missed
Discover Malware Hash Registry
Identify new or emerging malware that may not be detected by your existing anti-malware tools.
MHR is our free malware validation tool that searches against 30+ antivirus databases and our own malware database to serve as a force multiplier for malware detection and validation. It’s like having an army of malware detectors giving you insight single antivirus solutions cannot.
Researchers and analysts can submit their malware hashes via the MHR portal to get near-real-time results that tell them the percentage of malware databases containing signature matches.
Developers and networks security teams can integrate MHR into existing workflows to augment malware detection.
Malware Hash Registry Features
Access to 8+ years of Team Cymru malware analysis
Support for MD5, SHA-1 and SHA-256
Ask us about our REST API!
Use Cases
Research
Validate file samples quickly and easily by cross-referencing 30+ antivirus databases and Team Cymru’s malware analysis in a single lookup.
Integrate With...
Secure Gateways
Cloud Access Security Brokers
Document Management Systems
For non-commercial use only.
Malware Hash Registry Features
If you are planning on implementing or automating the use of this service in any free or open software, application or host, PLEASE let us know in advance. We would like to adequately plan for capacity and make sure that we can handle the additional load you may generate. Please use the WHOIS-based service for larger queries. We have had instances where large deployments are put in place without informing us in advance, making it difficult to maintain a stable service for the rest of the community.
Attempting to enumerate the malware registry via the public service interface is not only impractical, it is also strictly prohibited. Contact us if the public interface is insufficient for your needs and we may be able to come up with alternative arrangement.
Features
Near-real-time results include file #, Time Stamp (EPOC) and signature match percentage.
Positive hits return the last time we saw the sample along with an approximate antivirus detection percentage.
Cross-references 30+ antivirus databases and 8+ years of Team Cymru malware analysis.
Access via HTTPS, DNS, WHOIS
False positive mitigation
We don’t list items with less than 10% detection rate.
We exclude entries present in the NIST database.
We try to exclude multiple copies of polymorphic malware.
Service Options
Whois (TCP 43) *
DNS (UDP 53) *
HTTPS (TCP 443)
Ask us about our REST API!
* Please be mindful of your risk tolerance and privacy concerns when choosing your transport protocol. DNS is convenient and a standard internet protocol, but does not normally afford the user integrity and confidentiality. HTTPS is recommended for those wanting increased integrity and confidentiality.
Frequently asked questions
If a hash exists in our registry and is identified as malware there are two output values of interest. One is a timestamp when the malware was last seen, the other the rough antivirus package detection rate.
The timestamp is a Unix time aka POSIX time whose value is the number of seconds since midnight January 1, 1970 universal coordinated time (UTC). So for example, 1223478925 seconds since midnight 1970-01-01 is Wednesday, October 8 15:15:25 UTC 2008. With a bash shell in Unix you can map between Unix time and a more readable local time using the command date --date="1970-01-01 <Unix timestamp> secs UTC". Using Perl, you can use this command perl -e 'print scalar localtime(<Unix timestamp>),"\n"'.The antivirus package detection rate is a two or three digit value representing the total detection rate as a percent of all the antivirus packages we ran the malware against.
We use over 30 undisclosed antivirus software packages. In a limited number of cases a smaller number of AV packages will be used.
We employ various collection techniques, such as honeypots and crawlers, as well as leveraging private data sharing agreements with partners.
The malware hash registry is reloaded once per day. Please note that we try to avoid including too much polymorphic malware when possible.
Sorry, we believe it is inappropriate to share actual binary copies of malware with the general public. Additionally, many of our data-sharing agreements would not permit us to re-distribute samples.
The hash registry database is not publicly available for download, but you may contact us about setting up a data sharing agreement should you need a more efficient method of performing queries.
We’re very sorry about that. If you have found a false positive, we do want to know about it so we can fix a potential problem with our system. First, please be absolutely sure it is not malware. There are numerous free online services that will run your malware through multiple antivirus packages. Virus Total is one such example. If you’re sure the file is not malware, you will need to send us a copy of it. Use our main contact address support@cymru.com and please encrypt the file with PGP to our public key in order to avoid any potential mail filtering problems.
We’re glad you asked! Please contact us to let us know in what capacity you think you can be of assistance in terms of data or time. We’re always looking for more partners.
Sure! Please send us the details regarding your AV package. Presently we only support Windows compatible versions of AV products.
Please feel free to contact us as to how we may be able to receive your feed.