
Save MD5 hash of a file matched by a firewall rule/IPS/Custom IPS rule

Created: 23 Jan 2013 • Updated: 05 Feb 2013 | 5 comments
zhitenev
Status: Under review

Here's an idea: have SEPM save MD5 hash of a file matched by a firewall rule/IPS/Custom IPS.

This information can be further used in application and device control policies to enhance security and address "smart" moves of renaming an app to overcome a layer of firewall rules.

Comments

Elisha

SEP already has the ability to save the MD5 hash of applications using the Learned Application feature.  How is this different than the Learned Application feature?

Note: we are moving away from MD5 and will be moving to SHA256 in the next major release, as MD5 is no longer considered secure enough.

zhitenev

Thanks. MD5/SHA256 does not matter much as long as it is done. 

Currently (in some cases) SEP logs the name of an application that generated traffic matched by a firewall rule/IPS/Custom IPS. Why not log the file hash too?

Our use case would be: user renames app's executable, uses the app, traffic gets matched by a custom IPS signature. We do not know what application triggered this traffic as the name of the executable does not tell us anything, whereas a hash would.

Elisha

How would you use the hash to verify what the application is?  Do you have a list of hashes and what application name is for each hash?

What if we logged the application description as seen in the file properties?  This would not change even if the user renamed the application.

zhitenev

Hash is easy to google.

File description would be better than nothing, but hash is better in terms of using it afterwards for blocking the app in application and device control.

Elisha
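As an added example (not part of this thread, and not SEP's own code), the contrast zhitenev draws in the two comments above: a constructed fake executable matches a name-based rule only until the user renames it, while a rule keyed on its SHA256 hash still matches, which is what makes the hash usable afterwards in an application-control policy. The file names, file contents and policy sets are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_hash(path, algo="sha256"):
    """Hash a file in chunks; 'sha256' by default, 'md5' for legacy logs."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_by_name(path, blocked_names):
    """Name-based rule: compares only the executable's file name."""
    return Path(path).name.lower() in {n.lower() for n in blocked_names}


def matches_by_hash(path, blocked_hashes, algo="sha256"):
    """Hash-based rule: compares the file content digest, not the name."""
    return file_hash(path, algo) in blocked_hashes


def rename_demo():
    """Constructed scenario: policy written for tunnel.exe, then the user renames it.

    Returns ((name_match, hash_match) before rename, (name_match, hash_match) after).
    """
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "tunnel.exe")  # constructed file name
        with open(original, "wb") as f:
            f.write(b"MZ\x90\x00 constructed fake executable body")

        policy_names = {"tunnel.exe"}              # constructed name-based rule
        policy_hashes = {file_hash(original)}      # constructed hash-based rule

        before = (matches_by_name(original, policy_names),
                  matches_by_hash(original, policy_hashes))

        renamed = os.path.join(d, "notepad.exe")   # the "smart" rename
        os.rename(original, renamed)

        after = (matches_by_name(renamed, policy_names),
                 matches_by_hash(renamed, policy_hashes))
        return before, after


if __name__ == "__main__":
    print(rename_demo())  # ((True, True), (False, True))
```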

Ok, understood.  Thanks.
