
Creating a Windows Context Malware Scanner using Python

Last updated on April 7, 2021, 10:39 a.m. by Rutuj Runwal

Learn how to build a Windows Context Menu Scanner [WCMS] that helps you scan suspicious files for malware with just a right-click.

Read more about this on dev.to: Rutuj Runwal - Context Menu Scanner

Why do we need WCMS?

Anti-virus software is great, but at the same time it is complicated to use and hogs a lot of memory. An average user wants something faster and lighter. WCMS is capable of scanning many file types without slowing you down. Just right-click and the results appear instantly. Not only that, it can automatically delete and block malicious files if any are found.

Before designing the system described above, we need to dive into the cybersecurity concepts that will be helpful in its development.

How to classify whether something is malware or not?

Malware is any malicious program that can harm our systems as well as our personal data. To classify whether a file is malware or not, we will use its MD5 checksum. You can think of an MD5 checksum as a unique value for each file. So what we will do is take a file and calculate its MD5 checksum as shown below:

import hashlib
# hashlib is the standard-library module we will be using to generate the MD5 of a file.

# Function to read the whole content of a file as bytes.
def file_as_bytes(file):
    with file:
        return file.read()

# "full_path" is the full path of where the file is present (eg: r"C:\Users\user\myfile.exe").
full_path = r"C:\Users\user\myfile.exe"
# "md5_val" now stores the MD5 value of the file whose path was given.
md5_val = hashlib.md5(file_as_bytes(open(full_path, 'rb'))).hexdigest()

Now that we have successfully generated the MD5 of the file, how do we find out whether it is malicious or not?

For this, first we need to understand that our scanner has two "modes". If a stable internet connection is found, we will use a third-party API to get the result; otherwise we will use static analysis.

Stable Internet Connection is found

We will use a third-party API known as VirusTotal. VirusTotal hosts a lot of advanced features, but we will use it just to send the MD5 that we calculated earlier and get the results. [NOTE: An API key is required to query files in VirusTotal; it can be found here.]

import vt
# vt-py: the VirusTotal client library we use to query the MD5.
from tkinter import messagebox

client = vt.Client("Your_API_KEY_HERE")  # Initializing a VirusTotal client object

FILE_ID = md5_val
# Providing the MD5 of the file to VirusTotal. If VirusTotal has never seen this
# hash, the library raises vt.error.APIError ("NotFoundError").
file = client.get_object("/files/" + str(FILE_ID))

# Now, we can use "last_analysis_stats" to get the results.
# If the 'malicious' count is 0, that means no engine flagged the file.
if file.last_analysis_stats['malicious'] == 0:
    messagebox.showinfo("Analysis Info", "File is Safe.\nOur Scanners found nothing Malicious")
    # In the GUI version the scan window (a Tk root called rootScan) is closed here:
    # rootScan.destroy()
else:
    print("File is malicious")

client.close()  # release the HTTP session held by the client

To keep things simple, we will just print whether the file is malicious or not. My actual program blocks it and deletes the file; this blog is just to get you started. You can innovate upon this in any way you want to. For example, you can also use Tkinter to give your program a GUI and get interactive results, as I have done here: Github.

Further, you can add a lot of offline analysis options. I have mentioned a few that I am using in the flowchart below, which can also help you understand the workflow of the program.
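The two-mode flow described above (online lookup first, offline static check when there is no connection), as an added example that is not part of the original post or its source code. It hashes the file in chunks instead of reading it whole, computes SHA-256 alongside MD5 (VirusTotal accepts either, and SHA-256 does not have MD5's collision problem), and falls back to a constructed local blocklist when the online lookup raises a network error. The `online_lookup` callable, the `KNOWN_BAD` table and the result dictionary are assumptions of this example; the only real values are the hashes of the standard EICAR test file.

```python
import hashlib
import io
from typing import BinaryIO, Callable, Dict, Optional

# Constructed offline blocklist (hash -> label). The EICAR test file is the
# standard harmless sample every scanner is expected to flag; a real blocklist
# would be loaded from a vetted feed rather than hard-coded like this.
KNOWN_BAD: Dict[str, str] = {
    "44d88612fea8a8f36de82e1278abb02f": "EICAR-Test-File (md5)",
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f": "EICAR-Test-File (sha256)",
}

def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5 and SHA-256 in one pass, reading in chunks so that a large
    executable is never loaded into memory whole."""
    hashers = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as f:
        return hash_stream(f)

def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data))

def scan(digests: Dict[str, str],
         online_lookup: Optional[Callable[[str], int]] = None,
         blocklist: Dict[str, str] = KNOWN_BAD) -> Dict[str, object]:
    """Online mode first: online_lookup(hash) returns the 'malicious' engine
    count (e.g. a thin wrapper around the vt client). If it raises a network
    error (OSError covers ConnectionError), fall back to the offline blocklist."""
    if online_lookup is not None:
        try:
            hits = online_lookup(digests["sha256"])  # SHA-256 preferred over MD5 for lookups
            return {"mode": "online", "malicious": hits > 0, "detail": f"{hits} engines flagged it"}
        except OSError:
            pass  # no stable connection: fall through to static/offline mode
    label = next((blocklist[v] for v in digests.values() if v in blocklist), None)
    return {"mode": "offline", "malicious": label is not None, "detail": label or "no blocklist match"}

# The EICAR test string (constructed in memory; it is a harmless industry test sample).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

if __name__ == "__main__":
    print(scan(hash_bytes(EICAR)))  # offline verdict for the EICAR sample
```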

The source code and any further improvements or additions can be viewed on Rutuj Runwal's github: SourceCode.
You can also connect with me on Rutuj Runwal - Linkedin.

by Rutuj Runwal
Shri Ramdeobaba College of Engineering and Management Nagpur
