How can I check to see if SEP has specific signatures by hash value? If I find they aren't there, can I add them manually? Thanks!
It isn't possible to add signatures manually.
You can check release history here:
http://www.symantec.com/security_response/definitions/certified/
Something like this?
http://www.symantec.com/business/support/index?page=content&id=TECH211522
What I'm looking to check is if a couple of hashes associated with a zero day will be detected by SEP or, if they are not, if there is a way for me to manually enter them somewhere in SEPM to detect and react to them.
You can check the hash against https://www.virustotal.com to see if SEP detects it. From there you can make sure you have those defs loaded.
There is no option to enter in the hash to block it. If you know the file name, you can enter in that, like in the article below:
How to utilize SEP 12.1 for Incident Response - PART 1
Thanks for the article. After reading it, how does SEP know/get the hash value? The article does not say that it was inputted anywhere unless I am missing it.
SEP can calculate it.
Thanks for the help! One more question. I was told (after I posted this) that I could go into Policies -> Application and Device Control -> Application Control -> Block applications from running [AC1] and add the hash value in there to block under the rule "Block these applications". Is this method not as effective, or would it not do what I am looking to achieve?
Hi lamis18,
If this is the 0-day you are inquiring about, there is AV and IPS coverage in place:
Unconfirmed zero-day vulnerability discovered in Adobe Flash Player https://www-secure.symantec.com/connect/blogs/unconfirmed-zero-day-vulnerability-discovered-adobe-flash-player
Keep in mind that VirusTotal is not always up-to-date and reflects only AV coverage, not IPS or other components. VT can be a useful tool but it has its limitations.
With thanks and best regards,
Mick