topic Re: It's possible to block custom file hash-256 in Palo alto. in Custom Signatures

It's possible to block custom file hash-256 in Palo alto.

Mohammed_Yasin — Mon, 14 Sep 2020 13:59:41 GMT

It's possible to block custom file hash-256
It's possible to block custom file hash-256 in Palo alto.

Please let me know how I can check the respective file hashes disposition at a wildfire, either it is in block or not.

Here is below the file hashes need to know for disposition.

f743c0849d69b5ea2f7eaf28831c86c1536cc27ae470f20e49223cbdba9c677c
e56d45628f0c2bda30ab235657704aac50a8433bdb4215c77a2e0f52f0f31a49
ae431797c551c20fe2f3fe1adc08a566edfabf45abbd924f0c8da06381ab6e48
4f7dd00a005caf046dd7e494fea25be2264974264d567edfc89122242b7c41bc
5ae06a8d117e876476832245039715825fbfbefc0d2463ab6c30295dd1d4afa6
36be48e4eac81ad77aeade20b28ff8b72275832e6833f5e1b692eb99f312fd13

Re: It's possible to block custom file hash-256 in Palo alto.

claudec — Mon, 14 Sep 2020 14:22:01 GMT

Unfortunately you can not create a custom threat signature based on a file hash.

At least some of the hashes you reference already have Anti-Virus signatures. You can investigate signature availability at threatvault.paloaltonetworks.com.

If you have the actual sample you can submit it using the wildfire portal so a signature can be generated.

If you are a Cortex XDR customer, you can black list the file hashes on your endpoints.

Re: It's possible to block custom file hash-256 in Palo alto.

Mohammed_Yasin — Tue, 15 Sep 2020 05:29:39 GMT

Thanks for your comments. Much Appreciated|||

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLOlCAO

I have studied and found no way to block custom files based on hash-256 only.

As per document file can block but based on patterns of specific file types.

In my case, these Hash-256 only of near firms which recently attacked by these files and damaged therefore it needs to be blocked at my end as well to avoid any risk.

I found few of them are blocked in wildfire but not all, so how I can add all in block state while having no file sample or pattern.

Please advise the way to block all these hashes-256 without a sample or pattern.

Your prompt response will be highly appreciated.

Re: It's possible to block custom file hash-256 in Palo alto.

claudec — Tue, 15 Sep 2020 14:45:59 GMT

The only way to block a file by hash is if you have Cortex XDR on the endpoint.

One feature that might possibly help is the new MLAV feature in PAN-OS 10.0. Here is the information:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/wildfire-features/configure-wildfire-inline-ml.html#id45b7dbdd-c5a8-4bd9-b5a9-abf07e3ccf37

Re: It's possible to block custom file hash-256 in Palo alto.

Mohammed_Yasin — Wed, 16 Sep 2020 05:37:55 GMT

@claudec

I think it can be helpful, if converting the hash into HEX and create a custom vulnerability to drop anything that matches the file hashes.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0

And I have noticed, few of the hashes are already listed in Cisco Talos File Repute but not in PA Threat Vault.