Frequently Asked Questions#

What is HashWatch?#

HashWatch publishes verified cryptographic hashes (SHA-256, and where the vendor provides them, SHA-1 and MD5) for widely-deployed software. Every hash is sourced directly from the official vendor channel, so you can confirm that a file on an endpoint is the genuine vendor release rather than a tampered copy.

The public dashboard answers one question fast:

Is this file the real vendor binary, or has it been altered?

Do I need an account?#

No. The public dashboard and the GET /public/hash-of-day JSON endpoint are completely open — no login, no API key.

An API key is only needed for the authenticated threat-intel endpoints (BinTrust hash lookup, statistics, history, RevokeRadar feed). Contact your administrator to be issued one. See Authentication.

How often is the data updated?#

Vendor sources are fetched every day at 02:00 UTC. The dashboard response is cached with a 1-hour TTL, so what you see is at most one hour behind the database.

The “hash of the day” is point-in-time: each record is valid from when it was first minted until it is superseded, so historical days resolve correctly (use ?date=YYYY-MM-DD on the JSON endpoint to fetch a past snapshot).

What does a matching hash actually prove?#

A match means the file is byte-for-byte identical to the release the vendor distributed. It does not by itself prove the file is safe.

If a vendor’s build pipeline were compromised at the source, the malicious build would still produce a “matching” hash. Treat hash verification as one strong signal among your other detections, not a sole verdict.

A non-match, on the other hand, is a clear red flag: the file is not the release HashWatch recorded from the vendor.

Why are the SHA-1 or MD5 columns sometimes blank?#

Some vendors publish only a SHA-256 in their checksum manifest and never expose the file for download in a way HashWatch can re-hash. For those, SHA-1 and MD5 are genuinely unknown and are left blank rather than guessed. SHA-256 is always present.

What’s the difference between “verified” and “manifest”?#

BadgeMeaning
✓ verifiedHashWatch downloaded the binary itself and computed every hash from the bytes.
manifestThe hash was taken from the vendor’s own published checksum file (the vendor offers a checksum but not a re-hashable download from this host).

The download is streamed through the hashers and discarded — HashWatch never stores the vendor binary on disk.

What software is covered?#

HashWatch tracks 56 vendor fetchers spanning Windows, Linux, macOS, and Android, plus the NIST National Software Reference Library (NSRL) corpus (~72 million file hashes) for broad triage coverage via BinTrust. Each fetcher discovers the latest version dynamically — no versions are hardcoded.

See the full list in Covered Software.

What is BinTrust?#

BinTrust is the authenticated “have I seen this file before?” lookup. Submit up to 100 hashes and each comes back classified as:

  • known_vendor_release — matches a HashWatch-verified vendor release (returns vendor, executable, version, platform).
  • known_file — present in the NSRL corpus but not a release HashWatch actively tracks (returns file name and product, where known).
  • unknown — not found in any known-good source.

BinTrust is a known-good reputation service. It does not accept indicator (IOC) submissions and stores no hashes you send it beyond the audit log. See the BinTrust Reference.

What are RevokeRadar and SigDiff?#

  • RevokeRadar continuously checks the code-signing certificates of tracked software against CA revocation lists (CRLs) and flags any that have been revoked — the case where a binary is genuine but its signing key was later compromised. See RevokeRadar.
  • SigDiff records the Authenticode signing identity (signer, issuer, serial, thumbprint) for every tracked Windows binary, so you can confirm who signed a file and pivot across your estate on the thumbprint. See SigDiff.

Can I embed the dashboard in my own site?#

Yes — the public dashboard can be embedded as an <iframe> from approved origins, or you can build your own widget against the public JSON endpoint. Ask your administrator which origins are allowlisted for your deployment.

How do I report a missing or wrong hash?#

Contact HashWatch support with the vendor, product, platform, and the source URL you expected HashWatch to track, and we will review the coverage.

Backward Public Dashboard API Reference Forward