06-24-2015 01:29 PM
I had a client ask if I could block files by hash. Without additional information -- such as what protocol, application, host, user-agent, etc. -- it wouldn't be possible to do this with a threat signature, so how else could it be done?
06-24-2015 04:34 PM
There's no mechanism to block by file hash. The hash is calculated when uploading to WildFire and is used in that context only. There is no hook into policy to control (block, allow, scan, etc.) by hash value. Adding such a function would need to be submitted as a feature request.
06-25-2015 08:57 AM
What is the use case? It seems like managing a list of file hashes would be a daunting task since it would be outdated very quickly, if not almost immediately. (This is the biggest reason why Wildfire signatures don't block based on file hash as some of our competitors do, but are actually a signature written to block the malicious code. This way when the file hash changes the signature is not immediately ineffective)
06-25-2015 10:20 AM
Some of my customers get lists of hashes of files that are bad but that don't show up in antivirus or malware detection systems. E.g. from DHS, FS-ISAC, etc.
The point is, the protections available to me via a PA are essentially wildfire (i.e. hoping someone else gets hit before me), or threat protection (e.g. antivirus and IDS signatures). But if neither of those catch the bad thing, I'm boned.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!