btlyric
Level 12

Identify a file via checksum

Is there a way to have MWG calculate the checksum of a file (MD5 or SHA-1) so that that value can be used in a rule?

0 Kudos
1 Solution

Accepted Solutions
eelsasser
Level 15

Re: Identify a file via checksum

Yes. 7.3.1, I think.

0 Kudos
6 Replies
alexott
Level 11

Re: Identify a file via checksum

Yes, you can use either the Body.HashSHA1 property to calculate SHA1 for the current file, or the Body.Hash property and specify which hash you want to obtain. The first method is better from a performance point of view if this property will be used several times on the same file, as the result will be better cached.

0 Kudos
eelsasser
Level 15

Re: Identify a file via checksum

On Antimalware.IsInfected, I like to calculate these and log them:

Set User-Defined.Antimalware.MD5 = Body.Hash ("md5")

Set User-Defined.Antimalware.SHA1 = Body.HashSHA1

And just for fun, put them on a block page with a link to VirusTotal:

[Image: capture.png]

0 Kudos
btlyric
Level 12

Re: Identify a file via checksum

Are the Body.Hash properties new as of 7.3?

0 Kudos
eelsasser
Level 15

Re: Identify a file via checksum

Yes. 7.3.1, I think.

0 Kudos
btlyric
Level 12

Re: Identify a file via checksum

Loaded up 7.3.1 today and I see them now.

Is there a list of new properties/events/whatever that were added to 7.3?

0 Kudos
cscoup8
Level 9

Re: Identify a file via checksum

Awesome new feature.

0 Kudos