AnnMarie
Level 7
Message 1 of 3

McAfee TIE error getting a specific sha256 hash

Our customer is getting an error (which we can also reproduce) getting the TIE reputation of a specific sha256 hash:

3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

There is an error_code of zero and a message_type=3 in a response from a call to self._dxl_client.sync_request in dxlclient/client.py in this code snippet here (line 50):

 

 

    def _dxl_sync_request(self, request):
        """
        Performs a synchronous DXL request. Raises an exception if an error occurs.

        :param request: The request to send
        :return: The DXL response
        """
        # Send the request and wait for a response (synchronous)
        res = self._dxl_client.sync_request(request, timeout=self._response_timeout)

        # Return a dictionary corresponding to the response payload
        if res.message_type != Message.MESSAGE_TYPE_ERROR:
            return res
        raise Exception("Error: " + res.error_message + " (" + str(res.error_code) + ")")

 

 

The weird thing is that the error only occurs for this hash value (which happens to be the hash for an empty file). When trying to get any other hash reputation, the code succeeds and the TIE reputation data is returned. For example, this hash with the same value but the last character different works:
3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b854

The error happens with Python 2.7 or 3.9 with the latest dxlclient and dxltieclient modules released on PyPI.

Is there a known issue with this specific sha256 hash? Is there any workaround?

Thanks for any help!

AnnMarie

 

2 Replies
AnnMarie
Level 7
Message 2 of 3

Re: McAfee TIE error getting a specific sha256 hash

Some more information that I found on this issue while debugging:

The payload sent to the sync_request for the sha256 that fails e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is

b'{"hashes": [{"type": "sha256", "value": "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="}], "scanType": 3}'

The payload sent to sync_request for a sha256 that works e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b854 is

b'{"hashes": [{"type": "sha256", "value": "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFQ="}], "scanType": 3}'

These look correct to me and are computed in TieClient get_file_reputation function.

AnnMarie
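
An added example, not part of the original posts and not dxltieclient's own code: it decodes the two request payloads quoted in the message above back to hex, validates the digest length, and compares each digest with the locally computed hash of zero bytes of input. The function names are hypothetical; the payload layout is taken only from the two quoted requests.

```python
import base64
import hashlib
import json

# Payloads copied from the message above (failing request first).
FAILING = (b'{"hashes": [{"type": "sha256", "value": '
           b'"47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="}], "scanType": 3}')
WORKING = (b'{"hashes": [{"type": "sha256", "value": '
           b'"47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFQ="}], "scanType": 3}')

# Raw digest length in bytes for each hash type this check understands.
DIGEST_LEN = {"md5": 16, "sha1": 20, "sha256": 32}


def encode_hash(hex_digest):
    """Hex digest -> base64 text, the form seen in the payload's "value" field."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def decode_payload(payload):
    """Return [(type, hex_digest)] for every hash entry in a request payload.

    Raises ValueError on malformed base64 or a digest of the wrong length.
    """
    decoded = []
    for entry in json.loads(payload.decode("utf-8"))["hashes"]:
        htype = entry["type"]
        raw = base64.b64decode(entry["value"], validate=True)
        if htype in DIGEST_LEN and len(raw) != DIGEST_LEN[htype]:
            raise ValueError("%s digest is %d bytes, expected %d"
                             % (htype, len(raw), DIGEST_LEN[htype]))
        decoded.append((htype, raw.hex()))
    return decoded


def is_empty_input_hash(htype, hex_digest):
    """True when the digest equals the hash of zero bytes (an empty file)."""
    if htype not in DIGEST_LEN:
        return False
    return hashlib.new(htype, b"").hexdigest() == hex_digest.lower()


if __name__ == "__main__":
    for label, payload in (("failing", FAILING), ("working", WORKING)):
        for htype, digest in decode_payload(payload):
            print(label, htype, digest,
                  "empty-input:", is_empty_input_hash(htype, digest))
```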

Hiroshi
Level 7
Message 3 of 3

Re: McAfee TIE error getting a specific sha256 hash

Is there any update for the above issue?
(a known issue with this specific sha256 hash or a workaround)


If anyone knows anything about the above issue, please let us know.

 

Hiroshi
