Are you trying to block execution of an MD5 hash executable? If so, create an Access Protection rule, and in the Subrule, use the PROCESSES engine and the RUN operation, then specify the Executable by MD5 hash only.
Thank you for posting your query
Are these hashes for executable files?
If yes, you may use Access protection rules to configure blocking of files based on hash value
In ePO, go to policy catalog, select Access protection rules
Under the Rules Section click ADD and type the details and provide the hash value
Then add the subrule as shown below
Thank you for your post!
I would like to confirm my understanding. You have received a list of hashes that are meant to be blocked. You are trying to implement the block operation using ePO.
Since you have posted the query in ePO forum, I am unable to capture the product in question. We can block hashes using Access protection feature which is available in ENS (Endpoint Security). We have other technologies that can be used as well if you have a TIE configured and if ATP is being used.
But, I would like to start from scratch to understand the requirement here. First, are these hash values taken off from malicious files? If yes, then first step here is to open a Service request with us and confirm if McAfee has coverage for these hashes or not.
If the answer is no for one or more hashes, Now you can think about the product and components to be used to block these hashes. If you are using ENS, you can follow the above suggestions and it should work like a charm. Please remember Access protection is a bit tricky and blocking "files" and "executables/processes" are 2 completely different things we deal with. I have explained it previously in this post if you would like to known in detail.
Please remember blocking using hash is not possible using VSE (VirusScan Enteprise) Access Protection. ENS allows use of MD5 hashes ONLY.
I sincerely hope this is helpful in reaching a solution for you.
I am also going to move this thread to the ens team. It also depends on the products you are using. If using TIE and Active Response, there is a better chance of doing that based on your hashes. But it can also be done through ENS. They can provide better guidance.
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?