News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • 1000006: Checksum Verification of Downloaded Files

    Home Forums Knowledge Base 1000006: Checksum Verification of Downloaded Files

    Tagged: 

    Viewing 11 reply threads
    • Author
      Posts
      • #123155 Reply
        Kirsty
        Da Boss

        AKB1000006: Checksum Verification of Downloaded Files

        by Kirsty

        Published 4 July 2017 | Rev 1.0

         
        What are Checksums?
        When files are downloaded from the internet, it is possible to check the files for integrity and data corruption errors, by verifying their checksum, before you run the file.

        Checksums are often published by authors, and if a computed checksum matches the given checksum, it is probable that the file has not been corrupted or accidentally altered.

        If a download is from a public source, rather than a password-protected site log-in, this precaution reduces the risk of exposing your computer to tampered or corrupted files.

         
        Where is the Checksum found?
        Often, checksums are published on the download pages, and may be called a File Hash or similar. For instance, on KB4012558, the information is visible after clicking on the down arrow at “File Hash” near the bottom of the page; Ubuntu builds have the numbers on their web pages.

         
        Which Checksum Type?
        Checksums differ, according to their type. SHA1 has been deprecated being less than secure, but is still offered by Microsoft and others.

        The new standard is SHA256, but SHA-3 family already exists. MD5 is now only considered suitable for checks against corrupt downloads, not for file security, due to extensive vulnerabilities. Other options also exist, but are less commonly used.

         
        Calculate a Checksum to Compare:
        There are several ways to generate checksums, to verify against the published checksum. Some are:

        1) PowerShell
        Using PowerShell 4.0 or later, the cmdlet “get-filehash [drive]:\[folder]\[filename]” gives the result as a SHA256 checksum by default, which may take some time, and other types can also be obtained with the use of parameters.
        (For more about Powershell, see PowerShell- Learning Virtually on MV Academy & MSDN Channel 9 from Videos, eBook)

        2) MD5 & SHA Checksum Utility
        This popular utility for checking checksums is available as a limited-option free or a full-featured paid version, and is referred to by many sites discussing this subject. It is also Woody’s go-to solution.

        3) Multihasher
        This is another freeware utility, available from the author’s site and also from the major download sites. MrBrian uses this one.

        4) 7-Zip
        7-Zip is a file archiver, which has the option to calculate a checksum. Open the program, navigate to the downloaded file, right click on the file, select Calculate Checksum. Alternatively, right click on the file, click 7-Zip, then Open Archive, where you can also right click the file, to select Calculate Checksum.

         
        What about Digital Signatures:
        Digital signatures on files can be verified by right-clicking on the file from Explorer, click Properties, select the Digital Signature tab, select the signer’s name, then click on Details. View Certificate is available in the new window that opens. This is for both the signer and the counter-signer.

         
        Really Advanced Checking – Verifying Cyrptographically Signed Hashes:
        To protect from tampered hashes, such as in hacked websites, some checksums (hashes) are cryptographically signed.

         
        Additional resources:
        bhoover.com
        maketecheasier.com

        7 users thanked author for this post.
      • #123201 Reply
        AlexEiffel
        AskWoody_MVP

        To add the checksum to context menu in Windows:

        http://winaero.com/blog/add-file-hash-context-menu-windows-10/

        No, you don’t have any reason no more to not check the checksum. If you find it too hard to right-click on the file and select the checksum you want, there is nothing else that can help you.

      • #123818 Reply
        anonymous
        Guest

        Or you can just use a Windows utility without the need for anything else.

        Open a command prompt window and type:

        certutil -hashfile [path and file name] [hash type]

        Make sure the hash type is typed in caps, you’ll get an error if you accidentally use lowercase.

        • #124101 Reply
          Kirsty
          Da Boss

          Thanks @anon #123818
          Details of certutil.exe can be found here

      • #123820 Reply
        anonymous
        Guest

        Woody,

        This looks like a useful precaution.  But I have not been able to find out how to use the recommended program MDS/SHA with a downloaded file to do a checksum, e.g., how does one get the legitimate checksum to compare against the one generated by MDS/SHA?

        • #123860 Reply
          Kirsty
          Da Boss

          The file’s checksum is provided by many software developers.

          Where is the Checksum found?
          Often, checksums are published on the download pages, and may be called a File Hash or similar.

          i.e., from Multihasher’s download page (linked above)

          multihasher

          Attachments:
      • #123827 Reply
        anonymous
        Guest

        Let’s not forget that it is always important to consider the source of anything downloaded from the Internet.  Verification of hashes/checksums is useful but it not a guarantee that the downloaded item is free of malware.  It only serves to establish that the download received is the content that the person/service/company/hosting website intended to distribute.  One should also consider the possibility that if a site has been compromised to serve up a tampered file then the hashes/checksums posted on the site for verification purposes could also have been altered to match with the compromised file.  Even if hashes/checksums verify one should consider running a scanner on the downloaded item as an added measure of security.  Again, consider the source.  A high risk source justifies extra caution.

        There is always an element of risk involved and we are, unfortunately, substantially dependent on the security precautions of the data providers to ensure the integrity of offered downloads.

        3 users thanked author for this post.
        • #123844 Reply
          anonymous
          Guest

          Is one supposed to run a checksum on every downloaded file or only on .exe files?

          • #123846 Reply
            anonymous
            Guest

            IMHO it makes sense to verify checksums on all downloaded files, if only to make sure that the download data was not corrupted during the process.

      • #123975 Reply
        JohnW
        AskWoody Plus

        Another handy free utility for this task, courtesy of NirSoft, a reliable source of utilities.

        HashMyFiles v2.23

        http://www.nirsoft.net/utils/hash_my_files.html

         

        2 users thanked author for this post.
        • #124139 Reply
          Spiff
          AskWoody Lounger

          In reply to JohnW, July 9, 2017,

          You mention NirSoft’s HashMyFiles.
          However, NirSoft’s HashMyFiles calculates only MD5 and SHA1 hashes.
          As mentioned by Kirsty, MD5 and SHA1 hashes are no longer suitable for checking file security.
          Therefore, NirSoft’s HashMyFiles is not suitable for checking file security.

      • #124138 Reply
        Spiff
        AskWoody Lounger

        In reply to AKB1000006: Checksum Verification of Downloaded Files, by Kirsty, published 4 July 2017 | Rev 1.0

        If one wants to use a utility for checking checksums, shouldn’t that application be digitally signed?
        The mentioned MD5 & SHA Checksum Utility, Multihasher and also 7-Zip are not digitally signed.

        Some other are utilities for checking checksums are digitally signed.

        There is DigitalVolcano Hash Tool:
        https://www.digitalvolcano.co.uk/hash.html

        And if you want a shell extension, that integrates into Windows Explorer file properties, there is Implbits HashTab:
        http://implbits.com/products/hashtab/

        And another shell extension, that integrates into Windows Explorer file properties, is Febooti Hash & CRC:
        http://www.febooti.com/products/filetweak/members/hash-and-crc/

      • #124142 Reply
        JohnW
        AskWoody Plus

        In reply to JohnW, July 9, 2017, You mention NirSoft’s HashMyFiles. However, NirSoft’s HashMyFiles calculates only MD5 and SHA1 hashes. As mentioned by Kirsty, MD5 and SHA1 hashes are no longer suitable for checking file security. Therefore, NirSoft’s HashMyFiles is not suitable for checking file security.

        With all due respect, you are clearly misinformed about that.  I don’t know what version you are looking at, but he has added support for SHA-256, SHA-512, SHA-384, and CRC32.

        I just dropped a file into HashMyFiles, and got all of those results…

        1 user thanked author for this post.
      • #124144 Reply
        JohnW
        AskWoody Plus

        In reply to AKB1000006: Checksum Verification of Downloaded Files, by Kirsty, published 4 July 2017 | Rev 1.0 If one wants to use a utility for checking checksums, shouldn’t that application be digitally signed? The mentioned MD5 & SHA Checksum Utility, Multihasher and also 7-Zip are not digitally signed. Some other are utilities for checking checksums are digitally signed. There is DigitalVolcano Hash Tool: https://www.digitalvolcano.co.uk/hash.html And if you want a shell extension, that integrates into Windows Explorer file properties, there is Implbits HashTab: http://implbits.com/products/hashtab/ And another shell extension, that integrates into Windows Explorer file properties, is Febooti Hash & CRC: http://www.febooti.com/products/filetweak/members/hash-and-crc/

        HashMyFiles is digitally signed and passes VirusTotal scans.

        It also has a optional Windows Explorer context menu so you can launch it from any file in Explorer.  Also lets you add a context menu option to launch any file in the VirusTotal web site.

        All in all, a simple, complete solution that is up to date and verified.

      • #124147 Reply
        Spiff
        AskWoody Lounger

        With all due respect, you are clearly misinformed about that. I don’t know what version you are looking at, but he has added support for SHA-256, SHA-512, SHA-384, and CRC32.

        Thanks very much.
        You are right, of course.
        I based my earlier comment on NirSoft’s description, “HashMyFiles is small utility that allows you to calculate the MD5 and SHA1 hashes of one or more files in your system. […]”
        I missed the info regarding SHA-256, SHA-512, and SHA-384 in Versions History.
        It would be welcome if NirSoft added that information under Description.

      • #124293 Reply
        anonymous
        Guest

        Hash Tab

        Hashtab is free for personal use, for students and for non-profits

      • #124429 Reply
        anonymous
        Guest

        There is also:

        http://www.softdevlabs.com/downloads#HashCheck

        I wrote it myself so I know it’s good. 😉
        “Fish” (David B. Trout)
        Software Development Laboratories
        http://www.softdevlabs.com

        EDIT html to text

    Viewing 11 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: 1000006: Checksum Verification of Downloaded Files

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.