TrustNun is a service that compares file contents and file hashes with "known good" files from ICS/SCADA installation media.
Who are you guys? Why are you doing this?
TrustNun is a spiritual seccuessor to WhiteScope, which in turn was created in a Silicon Valley garage by Billy Rios, the Founder of Laconicly LLC and WhiteScope LLC. While participating in a few incident response engagements, I realized it's fairly difficult to know what is a "legitimate" ICS/SCADA file and what is not. Given the overwhelming majority of ICS/SCADA vendors refuse to sign their software, we're stuck with determining whether files like "FTShell.dll" or "WFCU.exe" (both legitimate files btw) are really supposed to be there. With this problem in mind, I started a database of all the files I've seen on ICS/SCADA systems, so that others can compare notes.
The file I uploaded wasn't in your database! Am I infected?
A "hit" in the database indicates that the hash/file you've submitted was previously seen within an ICS/SCADA installation. A "miss" simply indicates that TrustNun hasn't previously seen that file before. I would first check to see if the file is signed. If the file is not signed (likely the case for ICS/SCADA), check the "supported products" page and see if the product you are looking at is in our product list. If the product is not in the list, please consider working with us to get a good set of hashes for that product. If the product is in the product list and the file doesn't match anything we have, I would start an investigation on that file, have fun...
What is the best way to upload multiple file hashes?
The APIs (coming soon) will allow users to submit multiple file hashes and get back results for those hashes.
Do you have a similar database for firmware/medical/point-of-sale/etc
Yes, we're working on a firmware database as well as a medical device/software whitelist. If you are interested in helping with these projects, don't hesitate to reach out.How can I request a specific set of files/product be included?
Sure, we try to stack rank user requests and will work to get those products included.