Metadata-Version: 2.4
Name: threatcheck-py
Version: 0.1.0
Summary: Identify AV signatures in files using binary search.
Author-email: Francesco Ruvolo <security@werebug.com>
License-Expression: GPL-3.0
Project-URL: Homepage, https://github.com/ruvolof/threatcheck-py
Project-URL: Repository, https://github.com/ruvolof/threatcheck-py
Project-URL: Issues, https://github.com/ruvolof/threatcheck-py/issues
Keywords: security,antivirus,defender,amsi,signature,detection
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: Operating System :: Microsoft :: Windows
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Requires-Python: >=3.8
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: colorama>=0.4.4
Requires-Dist: requests>=2.25.0
Dynamic: license-file

# ThreatCheck-Py

Python port of [Rasta-Mouse's ThreatCheck](https://github.com/rasta-mouse/ThreatCheck), a tool to identify AV signatures in files.

## Requirements

- Python 3.8 or higher
- Windows OS (for Defender and AMSI scanners)

## Installation

### From Source

```bash
git clone https://github.com/ruvolof/threatcheck-py.git
cd threatcheck-py
pip install -e .
```

## Test Environment Setup

It is recommended to set automatic sample submission to "Never send"; otherwise the number of notifications can be overwhelming. This can be enforced through Group Policy:

1) Open Local Group Policy Editor (gpedit.msc)
2) Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS
3) Double-click "Send file samples when further analysis is required"
4) Set it to "Enabled" and in the bottom-left panel select "Never send"

All other Defender settings can be left enabled as long as:

1) There's a path exclusion in place for the original location of your samples (otherwise real-time protection will prevent the files from being loaded in the first place).
2) (Maybe?) The original location has to be on your C drive. In my experience Defender ignores exclusions for external drives and I ran into problem 1 above.
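For a disposable test VM, the same two settings can be applied from an elevated PowerShell with the built-in Defender cmdlets. This is an added example, not part of threatcheck-py: it uses the local `Set-MpPreference` settings rather than the Group Policy path above, and `C:\Samples` is a placeholder for your sample folder.

```powershell
# Added example (not part of threatcheck-py): PowerShell equivalent of the
# Defender test-environment settings described above. Run from an elevated
# PowerShell on the test VM. C:\Samples is a placeholder path on the C: drive.
$SamplePath = 'C:\Samples'

# 1) Never upload samples to Microsoft (same effect as the MAPS policy set to
#    "Never send"); this is what stops the flood of submission notifications.
Set-MpPreference -SubmitSamplesConsent NeverSend

# 2) Exclude only the folder holding the original samples, so real-time
#    protection lets them be read. Keep the scope to that one folder; do not
#    exclude whole drives, extensions or processes.
Add-MpPreference -ExclusionPath $SamplePath

# Verify the result. SubmitSamplesConsent is reported as 2 for NeverSend, and
# the sample folder should appear in ExclusionPath. Real-time monitoring stays
# enabled (DisableRealtimeMonitoring = False), as the notes above require.
$pref = Get-MpPreference
[pscustomobject]@{
    SubmitSamplesConsent      = $pref.SubmitSamplesConsent
    ExclusionPath             = ($pref.ExclusionPath -join ';')
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
}

# Cleanup when the test session is over:
#   Remove-MpPreference -ExclusionPath $SamplePath
```

If Tamper Protection is enabled on the VM, some preference changes may be rejected; check the output of the verification object rather than assuming the commands took effect.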

## Usage

### Command Line Options

```
  -e, --engine      Scanning engine (default: Defender)
                    Options: Defender, AMSI

  -f, --file        Analyze a file on disk

  -u, --url         Analyze a file from a URL

  -d, --directory   Analyze all files in a directory

  --debug           Enable debug output

  --version         Display version information

  --help            Display help message
```

## Credits

- Original ThreatCheck by [Rasta-Mouse](https://github.com/rasta-mouse/ThreatCheck)

## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.
