Message 1 of 15

Identify a file via checksum

Is there a way to have MWG calculate the checksum of a file (MD5 or SHA-1) so that that value can be used in a rule?

Message 2 of 15

Re: Identify a file via checksum

Yes, you can use either the Body.HashSHA1 property to calculate SHA1 for the current file, or the Body.Hash property and specify which hash you want to obtain. The first method is better from a performance point of view if this property will be used several times on the same file, as the result will be better cached.

Message 3 of 15

Re: Identify a file via checksum

On Antimalware.IsInfected, I like to calculate these and log them:

Set User-Defined.Antimalware.MD5 = Body.Hash ("md5")

Set User-Defined.Antimalware.SHA1 = Body.HashSHA1

And just for fun, put them on a block page with a link to VirusTotal:

[Screenshot: capture.png]

Message 4 of 15

Re: Identify a file via checksum

Are the Body.Hash properties new as of 7.3?

Message 5 of 15 (accepted solution)

Re: Identify a file via checksum

Yes. 7.3.1, I think.

Message 6 of 15

Re: Identify a file via checksum

Loaded up 7.3.1 today and I see them now.

Is there a list of new properties/events/whatever that were added to 7.3?

Message 7 of 15

Re: Identify a file via checksum

Awesome new feature.

Re: Identify a file via checksum


Hi.

I cannot get a calculated value from the function Body.Hash ("md5"). It returns an empty value.

The function Body.HashSHA1 works OK and returns the correct value for the eicar.com.txt file.

My MWG is version 7.7.2.16.

Can anyone confirm that Body.Hash ("md5") returns any value on the current main release?

I also tried several Body.Hash ("sha1"), Body.Hash ("sha256") variants. No value to return...

McAfee Employee
Message 9 of 15

Re: Identify a file via checksum

Hi,

Hope you are doing well.

Did a quick test here and created a rule with Body.Hash(md5) and downloaded an eicar file.

The property shows a value and does not return an empty value.

Regards

Alok Sarda

Re: Identify a file via checksum

Hi aloksard.

Strange. I must be doing something wrong. Can you share your test rule?
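For checking what the gateway logs against an independent calculation, here is an added example (not from the thread and not McAfee code) that hashes the EICAR test file in one pass with the three algorithms named above and compares the result with reported values. The function names, the sample "reported" values and the VirusTotal URL layout are assumptions of this example.

```python
import hashlib
import io

# EICAR anti-virus test string (68 bytes), split in two so this source file
# itself is not flagged by scanners. Constructed inline as sample input.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

ALGORITHMS = ("md5", "sha1", "sha256")  # names tried with Body.Hash in the thread


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=64 * 1024):
    """Read the stream once and return {algorithm: lowercase hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def normalize(reported):
    """Logged hashes may differ in case or carry whitespace; canonicalize."""
    return reported.strip().lower()


def compare(reported, stream):
    """Map each algorithm to True if the gateway-reported value matches the
    locally computed one. An empty or missing reported value is a mismatch."""
    local = hash_stream(stream)
    return {name: bool(reported.get(name)) and normalize(reported[name]) == local[name]
            for name in local}


def virustotal_url(sha256_hex):
    # Assumed URL layout of VirusTotal's public file report page.
    return "https://www.virustotal.com/gui/file/" + normalize(sha256_hex)


if __name__ == "__main__":
    digests = hash_stream(io.BytesIO(EICAR))
    for name, value in digests.items():
        print(f"{name:7} {value}")
    # A copy saved with a trailing newline is a different file with different hashes.
    print(hash_stream(io.BytesIO(EICAR + b"\n"))["md5"])
    # Hypothetical log values: SHA-1 populated, MD5 empty as in the report above.
    reported = {"md5": "", "sha1": digests["sha1"].upper(), "sha256": digests["sha256"]}
    print(compare(reported, io.BytesIO(EICAR)))
    print(virustotal_url(digests["sha256"]))
```

To check a real download, open the file in binary mode and pass the file object to `hash_stream` in place of the in-memory sample.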
