reputation module

This module checks current contents of UEFI firmware ROM or specified firmware image for bad EFI binaries as per the VirusTotal API. These can be EFI firmware volumes, EFI executable binaries (PEI modules, DXE drivers..) or EFI sections. The module can find EFI binaries by their UI names, EFI GUIDs, MD5/SHA-1/SHA-256 hashes or contents matching specified regular expressions.

Important! This module can only detect bad or vulnerable EFI modules based on the file’s reputation on VT.

Usage: -i -m tools.uefi.reputation -a <vt_api_key>[,<vt_threshold>,<fw_image>]
vt_api_keyAPI key to VirusTotal. Can be obtained by visting

This argument must be specified.

vt_thresholdThe minimal number of different AV vendors on VT which must claim an EFI module is malicious

before failing the test. Defaults to 10.

fw_imageFull file path to UEFI firmware image

If not specified, the module will dump firmware image directly from ROM


  • Requires virustotal-api