btlyric
Level 12
Message 1 of 15

Identify a file via checksum

Is there a way to have MWG calculate the checksum of a file (MD5 or SHA-1) so that that value can be used in a rule?

14 Replies
alexott
Level 11
Message 2 of 15

Re: Identify a file via checksum

Yes, you can use either the Body.HashSHA1 property to calculate SHA1 for the current file, or the Body.Hash property and specify which hash you want to obtain. The first method is better from a performance point of view if this property will be used several times on the same file, as the result will be better cached.

eelsasser
Level 15
Message 3 of 15

Re: Identify a file via checksum

On Antimalware.IsInfected, I like to calculate these and log them:

Set User-Defined.Antimalware.MD5 = Body.Hash ("md5")

Set User-Defined.Antimalware.SHA1 = Body.HashSHA1

And just for fun, put them on a block page with a link to VirusTotal:

capture.png

btlyric
Level 12
Message 4 of 15

Re: Identify a file via checksum

Are the Body.Hash properties new as of 7.3?

eelsasser
Level 15
Message 5 of 15

Re: Identify a file via checksum

Yes. 7.3.1, I think.

btlyric
Level 12
Message 6 of 15

Re: Identify a file via checksum

Loaded up 7.3.1 today and I see them now.

Is there a list of new properties/events/whatever that were added to 7.3?

cscoup8
Level 9
Message 7 of 15

Re: Identify a file via checksum

Awesome new feature.

Re: Identify a file via checksum

Hi.

I cannot get a calculated value from the function Body.Hash ("md5"). It returns an empty value.

The function Body.HashSHA1 works OK and returns the correct value for the eicar.com.txt file.

My MWG is version 7.7.2.16.

Can anyone confirm that Body.Hash ("md5") returns any value on the current main release?

I also tried several Body.Hash ("sha1"), Body.Hash ("sha256") variants. No value returned...

McAfee Employee aloksard
McAfee Employee
Message 9 of 15

Re: Identify a file via checksum

Hi,

Hope you are doing well.

Did a quick test here and created a rule with Body.Hash(md5) and downloaded an eicar file.

The property shows a value and does not return an empty value.

Regards

Alok Sarda

Re: Identify a file via checksum

Hi aloksard.

Strange. I must be doing something wrong. Can you share your test rule?
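
Added example, not part of any post in this thread and not McAfee code: a small Python check for the symptom discussed above, where one logged hash field is empty while another is populated. It hashes a body once for several algorithms, compares the result with the values found in a log line, and builds a VirusTotal lookup link. The `key=value` log format, the sample data and all function names are assumptions made for illustration.

```python
import hashlib
import re

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

def hash_body(chunks, algorithms=("md5", "sha1")):
    """Hash a body in a single pass, feeding each chunk to every digest."""
    digests = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for digest in digests.values():
            digest.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def parse_log_line(line):
    """Split a constructed 'key=value key=value' log line into a dict."""
    return dict(f.split("=", 1) for f in line.split() if "=" in f)

def check_logged(logged, expected):
    """Classify each logged hash as ok, empty, malformed or mismatch."""
    findings = {}
    for name, want in expected.items():
        got = (logged.get(name) or "").strip().lower()
        if not got:
            findings[name] = "empty"
        elif not re.fullmatch("[0-9a-f]{%d}" % HEX_LEN[name], got):
            findings[name] = "malformed"
        elif got != want:
            findings[name] = "mismatch"
        else:
            findings[name] = "ok"
    return findings

def virustotal_url(digest):
    """Lookup link for a file hash (MD5, SHA-1 or SHA-256)."""
    return "https://www.virustotal.com/gui/file/" + digest.lower()

# Constructed sample: a body delivered in two chunks, and a log line in an
# assumed format where the MD5 field came back empty but SHA-1 was filled in.
SAMPLE_CHUNKS = [b"a", b"bc"]
SAMPLE_LINE = "url=http://test.example/f.bin md5= sha1=A9993E364706816ABA3E25717850C26C9CD0D89D"

if __name__ == "__main__":
    expected = hash_body(SAMPLE_CHUNKS)
    for name, status in check_logged(parse_log_line(SAMPLE_LINE), expected).items():
        print(name, status, virustotal_url(expected[name]))
```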
