WHORUFile – Notice to Suspicious File Crate/Change Windows Server

Last Update 2017.04.19

Notice to file crate or change

WHORUFILE is help to protect your server for hacking.


code sign on “Open Source Developer, JuSeong Han”



WHORUFile - Notice to Suspicious File Crate Change Windows Server

Detect Below

  1. Dectect Hind

  2. Suspicious PEHeader Type File

  3. VirusTotal Check

  4. Suspicious Attributes

You can defanse to create malware file on server.

if And you want to check virus check on virustotal, you need to virustotal api key. check below link.




2017.04.19 – Performance update.

2017.01.31 – Check file certificate and write in a log.

2017.01.23 – Offer file detail information when find to suspicious file .


How to use

  1. Console mode : just run program, then you can check the file monitoring in console, this mode not install mode
  2. Service mode : WHORU offer to install option, “-i”: install to service type(Automatic start when system boot), “-u”: service uninstall(remove)

run command line

“whorufile -i”  : install whorufile service type(we recommand this on server mode)

“whorufile -u” : uninstall whorufile service type.

“whoru”            : console mode, insistent mode(if you want to check one time, i recommend this.)


You can input to option WHORU.INI

Syslog_IP= <– Send to log at syslog server, When input IP address.
File=false  <– If you want to logging on the local machine, input here for true.

DirectoryPath=ALL <– If you need to only audit some folder or drive, input here. Default option is all drive.
Trust_List= notepad.exe <– If you need to trust item, input here.
Virustotal= xxx <– Input Virustotal Key. https://ithemes.com/security/how-to-malware-scan-api-key-with-virustotal/

Facebook Comments

Leave A Reply

Detection ADBlockPlease, Disable or add to white list on our site.