
Save MD5 hash of a file matched by a firewall rule/IPS/Custom IPS rule

Created: 23 Jan 2013 • Updated: 05 Feb 2013 | 5 comments
Author: zhitenev
Status: In Review

Here's an idea: have SEPM save the MD5 hash of a file matched by a firewall rule/IPS/Custom IPS.

This information can be further used in application and device control policies to enhance security and address "smart" moves of renaming an app to overcome a layer of firewall rules.

Comments

Elisha:

SEP already has the ability to save the MD5 hash of applications using the Learned Application feature.  How is this different than the Learned Application feature?

Note: we are moving away from MD5 and will be moving to SHA256 in the next major release, as MD5 is no longer considered secure enough.

zhitenev:

Thanks. MD5/SHA256 does not matter much as long as it is done.

Currently (in some cases) SEP logs the name of the application that generated traffic matched by a firewall rule/IPS/Custom IPS. Why not log the file hash too?

Our use case would be: user renames app's executable, uses the app, traffic gets matched by a custom IPS signature. We do not know what application triggered this traffic as the name of the executable does not tell us anything, whereas a hash would.

Elisha:

How would you use the hash to verify what the application is?  Do you have a list of hashes and what the application name is for each hash?

What if we logged the application description as seen in the file properties?  This would not change even if the user renamed the application.

zhitenev:

A hash is easy to google.

A file description would be better than nothing, but a hash is better in terms of using it afterwards for blocking the app in application and device control.

Elisha:
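To make the use case in the thread concrete (a renamed executable is still recognised by its hash, and the same hash can then drive an application control block decision), here is an added Python example. It is not SEP/SEPM code and not code posted in the thread: the executable content, the logged event records, the hash-to-application table and the block list are all constructed for the illustration, and the field names are hypothetical.

```python
"""Added example: hash-based identification of an application that a
firewall/IPS event names only by path. Not SEP/SEPM code; a stand-alone
illustration of the idea discussed in the thread."""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for an executable. A real event would point at a
# real binary on disk; the content here is arbitrary bytes.
SAMPLE_EXECUTABLE = b"MZ" + b"constructed fake executable body for the example" * 64

# Hypothetical hash -> application table. In practice an admin would build
# it from a Learned Application export or a vendor-published hash list.
# It is keyed by SHA-256, following the note in the thread that MD5 is
# being phased out.
KNOWN_APPLICATIONS = {
    hashlib.sha256(SAMPLE_EXECUTABLE).hexdigest(): "ExampleApp 1.0",
}

# Hypothetical block list for an application control policy: hashes that
# should be denied regardless of file name or path.
BLOCKED_HASHES = set(KNOWN_APPLICATIONS)


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def identify(digest, table=KNOWN_APPLICATIONS):
    """Map a SHA-256 digest to an application name, or None if unknown."""
    return table.get(digest)


def enrich_event(event, table=KNOWN_APPLICATIONS, blocked=BLOCKED_HASHES):
    """Add hashes, identity and a block decision to a firewall/IPS event.

    `event` is a dict with at least a 'path' key (the executable the
    product logged). MD5 is kept next to SHA-256 only for matching older
    hash lists; MD5 is collision-prone and should not be the sole
    identifier."""
    sha256 = file_digest(event["path"], "sha256")
    md5 = file_digest(event["path"], "md5")
    out = dict(event)
    out.update({
        "sha256": sha256,
        "md5": md5,
        "application": identify(sha256, table),
        "block": sha256 in blocked,
    })
    return out


def demo():
    """Show that renaming the executable changes the logged path but not
    the hash, so the lookup still succeeds. Returns both enriched events."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "exampleapp.exe")
        with open(original, "wb") as f:
            f.write(SAMPLE_EXECUTABLE)
        # Constructed event resembling what the product logs today: a path
        # and a rule name, but no hash.
        before = enrich_event({"path": original, "rule": "Custom IPS sig 1"})

        # The "smart" user renames the binary to something innocuous.
        renamed = os.path.join(workdir, "svchost.exe")
        os.rename(original, renamed)
        after = enrich_event({"path": renamed, "rule": "Custom IPS sig 1"})
        return {"before": before, "after": after}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for label in ("before", "after"):
        e = result[label]
        print(f"{label}: {os.path.basename(e['path'])} -> {e['application']} "
              f"(sha256 {e['sha256'][:16]}..., block={e['block']})")
```

The file description suggested in the thread could be added to the event in the same way, but it lives inside the binary's version resource and is just as editable as the file name, whereas a changed byte anywhere in the file changes the hash.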

Ok, understood.  Thanks.
