Can I block files by signature?

Reply
Highlighted
L2 Linker

Can I block files by signature?

I had a client ask if I could block files by hash.  Without additional information -- such as what protocol, application, host, user-agent, etc. -- it wouldn't be possible to do this with a threat signature, so how else could it be done?

Cheers,

Corey

mlutgen Brad Spilde

L7 Applicator

Re: Can I block files by signature?

Hey Corey,

There's no mechanism to block by file hash. The hash is calculated when uploading to WildFire and is used in that context only. There is no hook into policy to control (block, allow, scan, etc.) by hash value. Adding such a function would need to be submitted as a feature request.

Best regards,

Greg Wesson

Highlighted
L2 Linker

Re: Can I block files by signature?

What is the use case? It seems like managing a list of file hashes would be a daunting task since it would be outdated very quickly, if not almost immediately. (This is the biggest reason why Wildfire signatures don't block based on file hash as some of our competitors do, but are actually a signature written to block the malicious code. This way when the file hash changes the signature is not immediately ineffective)

Highlighted
L2 Linker

Re: Can I block files by signature?

Some of my customers get lists of hashes of files that are bad but that don't show up in antivirus or malware detection systems.  E.g. from DHS, FS-ISAC, etc. 

The point is, the protections available to me via a PA are essentially wildfire (i.e. hoping someone else gets hit before me), or threat protection (e.g. antivirus and IDS signatures).  But if neither of those catch the bad thing, I'm boned. 

-C

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!