How to check your downloaded files’ integrity

On some web pages offering programs to download, you may have seen something called an MD5 near the program link, consisting of a long, weird code like 6cbfd919baa7c9e03c8471ae4d8f8bb.

You can use that code to make sure the file you downloaded is what the author intended you to get and wasn’t corrupted during the download process or, worse yet, booby-trapped by someone else. Here’s how.

Windows doesn’t come with an MD5 generator, but Microsoft offers a tool called fciv.exe that you can download for free. Download the file and run it. It will ask where you want to save the extracted files; frankly I’d just put it in c:\windows. It’s easier that way. If you’re running Windows 7 or Vista, you’ll have to right-click the file and select Run as Administrator for it to let you do that.

Then, when you download a file and the web page includes an md5sum, just do the following from a command prompt to verify it:

cd %userprofile%\downloads

fciv.exe downloadedfile.exe

The program will think for a minute, then print an MD5 string. Compare that to the MD5 value on the web page. If they don’t match (and if they don’t, it won’t be off by a little–usually it’ll be off enough that you’ll notice quickly), then don’t install the file.

If you run Linux, you can use the command md5sum to verify your downloads. But if you run Linux, there’s a decent chance you already knew this and know how to use it.

Auditing your own PC

Microsoft’s writeup on fciv.exe an example of how to use it to ensure your Windows system files haven’t been altered near the end, under the heading How to verify the hash values for the files in the Windows directory and in all sub-directories.

This is a good idea, but I take issue with Microsoft’s method because it stores the database in C:\Temp, where it’s prone to getting deleted, and because they don’t tell you when to check and why. Here’s a better way to go about it.

1. Establish a baseline. Do it on a freshly built system, using media that you know hasn’t been tampered with by anyone. That way you know you didn’t start with an infected system.

2. Create a database with the following command:

fciv.exe -add %systemroot% -r -XML c:\windows-hashes.XML

3. Every month, before the monthly Patch Tuesday updates, verify your files with this:

fciv -v -XML c:\windows-hashes.XML

4. After Patch Tuesday, refresh your database (since the hashes for all the patched files will change) with this:

fciv.exe -add %systemroot% -r -XML c:\windows-hashes.XML

Don’t forget to do this every month; otherwise, you’ll fail the checks and (perhaps falsely) conclude your system is compromised.

I don’t view this procedure as an acceptable substitute for running antivirus software, but if you’re not going to run antivirus software–and there are people who refuse to do so–running md5 verification every month, along with blocking known malware domains, is the absolute minimum you should do.

One thought on “How to check your downloaded files’ integrity

  • March 17, 2011 at 9:12 am

    Tripwire (open source) is not available for Windows. This provides some of the same functionality. Nice!

Comments are closed.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux