abdulkf (Level 7), Message 1 of 5

add MD Hash Blocking

I have multiple MD5 hash need to block it in the threat prevention, how I can add it on one time ?
Accepted Solution
Udaya6626 (McAfee Employee), Message 2 of 5

Re: add MD Hash Blocking


There are two ways to add manual blocking for hashes:

1- The first one is that we can block using MD5 hash values in an Access Protection rule, but that works only for executable files.

You can refer to the community post below for the same:

https://community.mcafee.com/t5/Endpoint-Security-ENS/Blocking-MD5-Hash/td-p/628848

2- You can use ENS Exploit Prevention Expert Rules to achieve this for any kind of file, irrespective of file type.

Here you can even use MD5, SHA1 and SHA256.

Please refer to the product documentation and training video links below:

https://docs.mcafee.com/bundle/endpoint-security-v10-5-3-adaptive-threat-protection-expert-rules-syn...

https://kc.mcafee.com/corporate/index?page=content&id=KB89677

I can provide an example of an expert rule. You will have to create your own rule, or you can get the help of Professional Services for the rule creation.

Rule {
  Process {
    Include OBJECT_NAME { -v ** }
  }
  Target {
    Match FILE {
      Include MD5 {
        -v "ba78410702f0cc8453da1afbb2a8b670"
        -v "ya78410702f0cc8453da1afbb8f5g549"
      }
      Include -access "EXECUTE"
    }
  }
}

From the above example, if the hash is SHA1 or SHA256, replace the following line accordingly: Include MD5 { | Include SHA1 { | Include SHA2_256 {

For a large number of hashes, we wouldn't suggest having an expert rule; the hash comparison will have to run through the list of hashes in the expert rule. This will impact the performance of the product.

However, for a large number of hashes where you do not have an active detection/infection in place, it is advised to submit the hashes to us through a support ticket; we will check and get them analyzed by McAfee Labs, and if they are found malicious we will add them to our detection.




4 Replies

Re: add MD Hash Blocking


I just want to warn others that this is a very dangerous Exploit Rule to deploy.

The rule as stated is:

Rule {
  Process {
    Include OBJECT_NAME { -v ** }
  }
  Target {
    Match FILE {
      Include MD5 {
        -v "ba78410702f0cc8453da1afbb2a8b670"
        -v "ya78410702f0cc8453da1afbb8f5g549"
      }
      Include -access "EXECUTE"
    }
  }
}

This means that it will apply to all processes and files across your estate.

The gotcha here is that there is no limit on the file size that the rule applies to, so a SQL Server process, for instance, will load a multi-GB file and then an attempt is made to calculate the hash of this file, so that it can be compared with one of the interesting values. This will cause I/O on the machine to drop severely.

Don't be fooled into thinking that making this rule Report-only will make it safe. It will still be calculating hashes in the background.

I think the rule can be made safer as follows:

Rule {
  Process {
    Include OBJECT_NAME { -v "**" }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME { -v "**.pdf" -v "**.docx" }
      Include SHA2_256 {
        -v "54EA45900D4BE366C1000F98818FE52D26B7A392C227AA9E7478FC20D8116F00"
        -v "b71de236e508a9739d8b3fb6377ad7cf4bbae612fdd08555d662a2a5a395f9e5"
        -v "93f6ea9019cfd453f3dd0175118f79c6f78c5da868d5b32cd394b4234917e43e"
        -v "50c1a74100d58739093c527537a65a682ec1fcdda5959043d247bd9caeb77b71"
        -v "581b6d48ad0f107598fb73bd60dd3f492909f0ae6f741082ba132a2d8dd967ff"
        -v "55D63E6DE846CEE56AB850B8D788B53F586BF983785C9910D46458DBD69DB7F6"
        -v "D58E9617A0E1F3926F5E55C4D5B112EECDC12C4120D13961F0604631C5532D7B"
        -v "EC88CB037C282AFAE2AC30E2A2966A762FE145A4109071AC3D09230239C0CE31"
        -v "DA13DC6E0B8182722E98344863BEB135C4486C8C0F61AB3D969E11D3E80B74DA"
        -v "4453f4a54db1b5d682888d5545641cd4b38727961c323a910e48a16b9d42a2ec"
        -v "ed63fc27c60602cc6df19e87557d4775333cde1c49ad9851ae8e70e19dcbc312"
        -v "3a30197fc10efbf67cf1a87616373b674cf6ab244a3111637a163dce00b5b02e"
        -v "2528882327dcc88126b3f73976dcf0cffb0ec3d08a93c393559e37a2c3082825"
      }
      Include -access "EXECUTE CREATE READ"
    }
  }
}

Here the line

Include OBJECT_NAME { -v "**.pdf" -v "**.docx" }

makes sure we only apply the second part of the rule to files ending in pdf or docx. We then only calculate the hash of files that match, so those with the extensions pdf or docx, and not any file.

It is unlikely that these will be multi-GB files, so it should be safe.

It is probably also a good idea to apply this policy to workstations only.

Hopefully this will help someone!
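The accepted answer and the warning above both hand-write the same rule skeleton, once with MD5 values and once with an extension filter and a longer SHA-256 list. As an added example, not code from this thread or from McAfee, here is a small Python script that renders that rule text from a list of hashes, which is what the original question (adding many hashes in one go) asks for. It rejects values that are not well-formed hex digests (the accepted answer's second MD5 contains the non-hex characters "y" and "g" and so could never match a real file), de-duplicates, picks the MD5 / SHA1 / SHA2_256 block from the digest length, and can add the OBJECT_NAME extension filter and the wider access list from the warning post. Assumptions: the block names and -access keywords are exactly as the posts show them; hash matching is treated as case-insensitive (the warning post's own list mixes cases), so digests are lower-cased before de-duplication; the sample hash list is constructed and contains no real malware hashes.

```python
# Generate an ENS Exploit Prevention Expert Rule from a list of file hashes.
# Added example, not code from the thread or from McAfee; it only renders the
# rule text the posts show typed by hand (assumptions: see the lead-in).
import re

# Hex-digest length -> Expert Rule block name, as given in the accepted answer.
BLOCK_BY_LENGTH = {32: "MD5", 40: "SHA1", 64: "SHA2_256"}
HEX = re.compile(r"[0-9a-fA-F]+")


def classify_hash(value: str) -> str:
    """Return the Expert Rule block name for a hex digest.

    Raises ValueError for anything that is not a well-formed MD5, SHA-1 or
    SHA-256 hex string. The thread's placeholder "ya78...g549" is rejected:
    a non-hex value can never equal a real digest, so it would match nothing.
    """
    digest = value.strip()
    if not HEX.fullmatch(digest):
        raise ValueError(f"not a hex digest: {value!r}")
    try:
        return BLOCK_BY_LENGTH[len(digest)]
    except KeyError:
        raise ValueError(f"unsupported digest length {len(digest)}: {value!r}") from None


def partition_hashes(values):
    """Split raw input into (well-formed, rejected) so bad entries are seen
    before anything is pushed to endpoints."""
    good, bad = [], []
    for v in values:
        try:
            classify_hash(v)
            good.append(v.strip())
        except ValueError:
            bad.append(v)
    return good, bad


def build_rule(hashes, access=("EXECUTE",), extensions=()):
    """Render one Expert Rule that blocks every hash in `hashes`.

    All hashes must be of one algorithm (one Include block per rule, as in
    the posts). `extensions` adds the OBJECT_NAME filter from the warning
    post so the engine only hashes files with those extensions; `access`
    becomes the -access list, e.g. ("EXECUTE", "CREATE", "READ").
    """
    # Lower-cased for de-duplication (assumption: matching is case-insensitive).
    digests = sorted({h.strip().lower() for h in hashes})
    if not digests:
        raise ValueError("no hashes supplied")
    kinds = {classify_hash(d) for d in digests}
    if len(kinds) != 1:
        raise ValueError(f"one hash type per rule, got {sorted(kinds)}")
    block = kinds.pop()

    lines = [
        "Rule {",
        "  Process {",
        '    Include OBJECT_NAME { -v "**" }',
        "  }",
        "  Target {",
        "    Match FILE {",
    ]
    if extensions:
        patterns = " ".join(f'-v "**.{e.lstrip(".")}"' for e in extensions)
        lines.append(f"      Include OBJECT_NAME {{ {patterns} }}")
    lines.append(f"      Include {block} {{")
    lines.extend(f'        -v "{d}"' for d in digests)
    lines.append("      }")
    lines.append(f'      Include -access "{" ".join(access)}"')
    lines.extend(["    }", "  }", "}"])
    return "\n".join(lines)


# Constructed input: two values copied from the accepted answer (one of them
# its non-hex placeholder), plus a duplicate differing only in case and a
# synthetic digest. None of these are real malware hashes.
SAMPLE_INPUT = [
    "ba78410702f0cc8453da1afbb2a8b670",
    "BA78410702F0CC8453DA1AFBB2A8B670",
    "ya78410702f0cc8453da1afbb8f5g549",
    "0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    ok, rejected = partition_hashes(SAMPLE_INPUT)
    for r in rejected:
        print(f"rejected (not a valid digest): {r}")
    print(build_rule(ok))
    print()
    # The safer form from the warning post: hash only documents, and also
    # catch the file being written or read, not just executed.
    print(build_rule(
        ["54EA45900D4BE366C1000F98818FE52D26B7A392C227AA9E7478FC20D8116F00"],
        access=("EXECUTE", "CREATE", "READ"),
        extensions=("pdf", "docx"),
    ))
```

Paste the printed text into the Expert Rule editor as the posts describe. The warning above still applies unchanged: the cost of the rule is set by how many files the Target block makes the engine hash, not by how the rule text was produced, so keep the extension filter unless every endpoint really has to hash every file it opens.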

rsadolal (McAfee Retired), Message 4 of 5

Re: add MD Hash Blocking


Hi, thanks for posting your question in the Community forum.

Well, we can add only the MD5 value in the Access Protection policy by following the steps below:

Endpoint Security Threat Prevention: Policy Category > Access Protection > (Default / Custom rule).

Click on Show Advanced.

Locate Rules > Click on Add.

1) Add the description as per your requirement.

Choose both Block and Report.

Executables: Click Add.

Under Properties, add the name as mentioned above.

File name or path (can include * or ? wildcards):

Click Save.

2) Subrules: Click Add.

Under Description, add the name as mentioned in the 1st point.

Properties > Process

Choose the Operation as per your requirement.

Targets: Click Add.

Target > Inclusion status: Include

File Path

File, folder name, or file path (can include * or ? wildcards): Leave blank.

MD5 hash: Add the MD5 value.

Note: This rule will be effective for adding the MD5 for any process.


mlajoie (Reliable Contributor), Message 5 of 5

Re: add MD Hash Blocking


We used "access protection" to block MD5 hashes from being executed.  Pretty simple to do, actually.  Create a new rule and include the hash. You will need to create a subrule as well.  This is the part that I found confusing, actually.  I attached a shot of our subrule to this post.

Good luck!

 
