topic Re: Can I block files by signature? in General Topics

Can I block files by signature?

CoreySteele — Wed, 24 Jun 2015 20:29:34 GMT

I had a client ask if I could block files by hash. Without additional information -- such as what protocol, application, host, user-agent, etc. -- it wouldn't be possible to do this with a threat signature, so how else could it be done?

Cheers,

Corey

mlutgen Brad Spilde

Re: Can I block files by signature?

gwesson — Wed, 24 Jun 2015 23:34:36 GMT

Hey Corey,

There's no mechanism to block by file hash. The hash is calculated when uploading to WildFire and is used in that context only. There is no hook into policy to control (block, allow, scan, etc.) by hash value. Adding such a function would need to be submitted as a feature request.

Best regards,

Greg Wesson

Re: Can I block files by signature?

mlutgen — Thu, 25 Jun 2015 15:57:12 GMT

What is the use case? It seems like managing a list of file hashes would be a daunting task since it would be outdated very quickly, if not almost immediately. (This is the biggest reason why Wildfire signatures don't block based on file hash as some of our competitors do, but are actually a signature written to block the malicious code. This way when the file hash changes the signature is not immediately ineffective)

Re: Can I block files by signature?

CoreySteele — Thu, 25 Jun 2015 17:20:33 GMT

Some of my customers get lists of hashes of files that are bad but that don't show up in antivirus or malware detection systems. E.g. from DHS, FS-ISAC, etc.

The point is, the protections available to me via a PA are essentially wildfire (i.e. hoping someone else gets hit before me), or threat protection (e.g. antivirus and IDS signatures). But if neither of those catch the bad thing, I'm boned.

-C