How to block a specific file with hash value?

L0 Member

Hi guys, I am using a pair of PA820s with TP, URL Scan and WF. I received a list of hash values from my Authority but couldn't find any hits on VirusTotal. Without doubting my big boss, I wanted to manually block them in the firewall but could not find a means to do so. Can any kind soul give me a pointer? A sample of the files is below.


L4 Transporter

It is not possible to block files based on hash. You will need to get the original file and upload it to the WildFire cloud; if it is classified as malicious, a signature will be created to block it. I recently had the same request (block files based on hash value).

https://live.paloaltonetworks.com/t5/Custom-Signatures/Custom-Antivirus-Signatures/m-p/178320#M204

You know what would be very cool?

In the same way that it is possible to block files by extension, name or path, it would be great to be able to block them, given a list of hashes!

Is it possible?

By the time the firewall can compute the hash, the file has already made its way through.

You need the full file for hash computation. You would need the firewall to hold on to the file to hash it before delivery, and that would break downloads. The firewall is an in-line device, not a proxy, so it is not currently possible. The hashing *can* be performed as an after-the-fact, best-effort action, and that is what the firewall actually does to check verdicts and forward samples to WildFire.

An alternative is to manually extract a long enough hex stream from the file and define custom signatures to detect it. That way you'd be able to use a Custom Vulnerability Protection signature to block specific files.

You would have to define a custom signature per protocol (one for HTTP, one for FTP, etc.).

Please review https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0 for additional information.
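As an added example that is not from this thread or from Palo Alto Networks: a Python script covering the two manual steps the reply above describes, computing a file's MD5/SHA1/SHA256 to match against the Authority's list, and picking a distinctive hex stream that does not occur in known-good files for use as the pattern of a custom signature. The file contents and the benign corpus are constructed stand-ins, and the signature itself is still defined in the firewall, per protocol, as described.

```python
import hashlib
from collections import Counter
from math import log2


def file_hashes(data: bytes) -> dict:
    """Digests in the same three algorithms the hash list in the question uses."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def entropy(window: bytes) -> float:
    """Shannon entropy in bits per byte; zero runs and padding score near 0."""
    n = len(window)
    return -sum(c / n * log2(c / n) for c in Counter(window).values())


def pick_hex_pattern(sample: bytes, benign: list, length: int = 32, min_entropy: float = 4.0):
    """Slide a window over the sample and return (offset, HEX) for the first window
    that is high-entropy and absent from every benign file, or None if there is none.
    The hex string is what would go into the custom signature's pattern field."""
    for off in range(len(sample) - length + 1):
        window = sample[off:off + length]
        if entropy(window) < min_entropy:
            continue  # padding or zero runs: too common to be a useful pattern
        if any(window in b for b in benign):
            continue  # present in a known-good file: would false-positive
        return off, window.hex().upper()
    return None


# Constructed stand-ins (not real samples): a 64-byte "MZ" header of zeros followed by
# 32 distinct bytes in the suspect file, versus zero padding in the known-good file.
HEADER = b"MZ" + b"\x00" * 62
SAMPLE = HEADER + bytes(range(0x20, 0x40))
BENIGN = [HEADER + b"\x00" * 32]

if __name__ == "__main__":
    print("sha256:", file_hashes(SAMPLE)["sha256"])
    print("pattern:", pick_hex_pattern(SAMPLE, BENIGN))
```

Run it against the real suspect file and a handful of legitimate binaries from the same environment; a window that survives both filters is a candidate pattern, not a finished signature.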

L1 Bithead

The hash values can be verified on the Threat Vault, but can they be verified on the local firewall, to see whether a hash is present there or not?

L7 Applicator

Yes, you can enable extended logging in WildFire:


> debug wildfire upload-log log extended-log yes 

The computed SHA256 hash of files inspected by the WildFire Analysis Profile for WildFire forwarding will be written to the wildfire-upload.log log file on the MP. To view it, use the command:

> less mp-log wildfire-upload.log

L0 Member

Hello,

Thanks for sharing such great information. I highly appreciate your hard-working skills, as the post you published has some great information which is quite beneficial for me.
