How to determine the unique hash of a file detected by Symantec Endpoint Protection
search cancel

How to determine the unique hash of a file detected by Symantec Endpoint Protection

book

Article ID: 158528

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection has detected a file and successfully deleted or quarantined it.  The pop-up notification presents the name of the threat, but this display name can be a very broad family (for example, Trojan.Horse).  Is there a way to determine the unique hash of that detected file so that administrators can see if this exact file is the same Trojan.Horse as is being seen elsewhere in the organization?

Or a new threat has been announced. Is there a way to determine if SEP protects against this threat? 

Resolution

Symantec offers hash review through SymSubmit

You can submit your list of hashes by:

  1. Going to https://symsubmit.symantec.com/
  2. Selecting the "Malware Not Detected" tile:



  3. Choosing the "Provide an MD5 or SHA-256 hash of a file(s)" drop down
  4. Entering up to 20 hashes in th "File Hash(s)" field. Note: files should be separated by comma or whitespaces. 
  5. Fill out the "Your Details" section
  6. Select "Submit"
  7. If Symantec AV does not detect this file or we have no data, you will see a message on submission. Otherwise, you will receive a detailed email report on the detection after submitting. 

 

If you need assistance finding hashes of existing files, see: Creating a file fingerprint list with checksum.exe

If you need to find the hashes of a detection, it is possible to see the unique hash of a file detected either from the SEP client or from a Risk log exported from the Symantec Endpoint Protection Manager (SEPM). 

Viewing the SHA-256 on SEP Client

  1. Open the SEP client interface.
  2. Click View Logs
  3. Beside Virus and Spyware Protection, click View Logs, Risk Log
  4. Double click the entry in question to display the Risk Details.  If the hash is known, it will be displayed.

 

Viewing the SHA-256 on the Symantec Endpoint Protection Manager

  1. Open the SEPM console.
  2. Select Monitors, Logs.
  3. Run a report of Log Type: Risk. 
  4. Export the report generated
  5. Open the report .csv in a spreadsheet program.  The Application Hash is included in this report, though it was not displayed on screen in the SEPM console.
  6. It is then possible to filter by Computer Name, by Application Hash, and so on for analysis of the data.

 

Please note: Using the hashes seen in this report are a very crude method for determining if the same variant is being seen throughout the organization.  The SHA is not always available to SEP, malware authors use different packers and other tools to create different hashes for the same threats, file infecting threats will always show different hashes, and polymorphic threats will similarly always have different hashes.

Still, in certain circumstances, this sort of analysis can be quite useful for a security administrator.  Does one computer have the exact same Trojan.Horse variant detected over and over again (indicating that an undetected process is continuously attempting re-infection) or is it infected with several distinct threats which fall into the Trojan.Horse family?  Or: several computers across the organization have all encountered the exact same Downloader variant. What website have they all visited?  If that is an intranet URL, the security administrator should examine that webserver immediately. 

 

 

Powered by Wolken Software