Can I block files by signature?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Can I block files by signature?

L2 Linker

I had a client ask if I could block files by hash.  Without additional information -- such as what protocol, application, host, user-agent, etc. -- it wouldn't be possible to do this with a threat signature, so how else could it be done?

Cheers,

Corey

mlutgen Brad Spilde

3 REPLIES 3

L7 Applicator

Hey Corey,

There's no mechanism to block by file hash. The hash is calculated when uploading to WildFire and is used in that context only. There is no hook into policy to control (block, allow, scan, etc.) by hash value. Adding such a function would need to be submitted as a feature request.

Best regards,

Greg Wesson

L2 Linker

What is the use case? It seems like managing a list of file hashes would be a daunting task since it would be outdated very quickly, if not almost immediately. (This is the biggest reason why Wildfire signatures don't block based on file hash as some of our competitors do, but are actually a signature written to block the malicious code. This way when the file hash changes the signature is not immediately ineffective)

L2 Linker

Some of my customers get lists of hashes of files that are bad but that don't show up in antivirus or malware detection systems.  E.g. from DHS, FS-ISAC, etc. 

The point is, the protections available to me via a PA are essentially wildfire (i.e. hoping someone else gets hit before me), or threat protection (e.g. antivirus and IDS signatures).  But if neither of those catch the bad thing, I'm boned. 

-C

  • 2945 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!