tubez
Level 8
Message 11 of 15

Re: Identify a file via checksum


I'm having the same problem.

On my malware block page, I included the MD5, SHA1 and SHA256 hashes but when I download the eicar test file all of those values are blank.

 

Do I need to enable a setting somewhere for these to be calculated?

tubez
Level 8
Message 12 of 15

Re: Identify a file via checksum


I haven't tested this yet, but here is the response I received from McAfee Support for anyone else having this issue.

 

The best way to get it on the block page is to add it to a block header with an event in a rule like this: Header.Block.Add("X-Hash-MD5", Body.Hash("md5"))

Then, you can reference the header in the block page with Header.Block.Get() and inserting your header name.

The FileScanner rule set has an example of how this is implemented.

Re: Identify a file via checksum


For me, the Body.Hash() function does not return any value when used in an HTML template. So I ended up with 2 rules.

  1. Calculate hash rule
    this calculates the hash and stores it in the User-Defined.Antimalware.md5 variable via Body.Hash(md5)
  2. Block hash rule
    this compares User-Defined.Antimalware.md5 against a list of strings (bad file hashes) and blocks the connection if there is a match

Using the User-Defined.Antimalware.md5 variable, I can extend the Blocking template with the values I need.

Works now as planned.

Re: Identify a file via checksum


Could you please share your rule-settings?

tubez
Level 8
Message 15 of 15

Re: Identify a file via checksum


If you're trying to call the Body.Hash property directly into a block page or email alert, it doesn't work.

Instead, you can add headers to the request to include the hash information.  Using this method, I'm able to get the file hash data into my Virus block pages.

Since VirusTotal uses SHA-256 hashes as a URL parameter, I can also add a link to a VirusTotal search for the file hash in my notification emails and site report link on my block page.

In the Gateway Anti-Malware --> Block if Virus Was Found rule (I think this is a default rule), I added these three events:

[Image: MWG_Virus_Events.png]

My Block Page then has this on it to display the file hashes:

      <b>SHA-256 Hash: </b>$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.headerfilter.block.headers.getheader">
  <parameters>
    <entry>
      <string>com.scur.engine.headerfilter.block.headers.getheader.headername</string>
      <parameter valueTyp="3">
        <value>
          <stringValue value="X-Hash-SHA256" stringModifier="true" typeId="com.scur.type.string"/>
        </value>
      </parameter>
    </entry>
  </parameters>
</propertyInstance>$ <br />
      <b>SHA1 Hash: </b>$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.headerfilter.block.headers.getheader">
  <parameters>
    <entry>
      <string>com.scur.engine.headerfilter.block.headers.getheader.headername</string>
      <parameter valueTyp="3">
        <value>
          <stringValue value="X-Hash-SHA1" stringModifier="true" typeId="com.scur.type.string"/>
        </value>
      </parameter>
    </entry>
  </parameters>
</propertyInstance>$ <br />
      <b>MD5 Hash: </b>$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.headerfilter.block.headers.getheader">
  <parameters>
    <entry>
      <string>com.scur.engine.headerfilter.block.headers.getheader.headername</string>
      <parameter valueTyp="3">
        <value>
          <stringValue value="X-Hash-MD5" stringModifier="true" typeId="com.scur.type.string"/>
        </value>
      </parameter>
    </entry>
  </parameters>
</propertyInstance>$ <br />

If you want to have a link on the page for sending an email to your ticketing system or another recipient, this will open a new Outlook email and include links for VirusTotal, Talos, URLScan and Hybrid-Analysis:

<!--Email Form-->
<br />
<br />
<b>Please click the link below to report this site.</b>
<br />To help us investigate this website, please click the link below to report helpful details about the detected malware.
<br />
<br />
<center><b><a href="mailto:security@yourdomain.com?Subject=Malicious Page Submission&body=
User Comments: %0A%0A%0A%0A


URL: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.url"/>$ %0D%0A
URL Host:  $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.url.host"/>$ %0D%0A
URL Protocol: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.url.protocol"/>$ %0D%0A
URL Category: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.trustedsource.categorylist.tostring">
  <parameters>
    <entry>
      <string>com.scur.engine.trustedsource.categorylist.tostring.categorylist</string>
      <parameter valueTyp="2">
        <value>
          <propertyInstance useMostRecentConfiguration="true" propertyId="com.scur.engine.trustedsource.url.categories"/>
        </value>
      </parameter>
    </entry>
  </parameters>
</propertyInstance>$ %0D%0A
URL Reputation: $<propertyInstance useMostRecentConfiguration="true" propertyId="com.scur.engine.trustedsource.url.reputationstring"/>$ %0D%0A
Domain: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.url.domain"/>$ %0D%0A
Domain TLD: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.url.domainsuffix"/>$ %0D%0A
Destination IP: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.destination.ip"/>$ %0D%0A
Block Reason: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.blockreason"/>$ %0D%0A
Block Action: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.rules.currentrulename"/>$ %0D%0A
User: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.auth.username"/>$ %0D%0A
Client IP Address: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.client.ip"/>$ %0D%0A
User Name: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.auth.username"/>$ %0D%0A
Geolocation: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.stringfilter.string.replaceifequals">
  <parameters>
    <entry>
      <string>com.scur.engine.stringfilter.string.replaceifequals.source</string>
      <parameter valueTyp="2">
        <value>
          <propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.mapfilter.getvaluestring">
            <parameters>
              <entry>
                <string>com.scur.engine.mapfilter.getvaluestring.map</string>
                <parameter valueTyp="1">
                  <value>
                    <listValue id="com.scur.type.complex.maptype.2920"/>
                  </value>
                </parameter>
              </entry>
              <entry>
                <string>com.scur.engine.mapfilter.getvaluestring.key</string>
                <parameter valueTyp="2">
                  <value>
                    <propertyInstance useMostRecentConfiguration="false" propertyId="2441"/>
                  </value>
                </parameter>
              </entry>
            </parameters>
          </propertyInstance>
        </value>
      </parameter>
    </entry>
    <entry>
      <string>com.scur.engine.stringfilter.string.replaceifequals.substring</string>
      <parameter valueTyp="3">
        <value>
          <stringValue value="" stringModifier="true" typeId="com.scur.type.string"/>
        </value>
      </parameter>
    </entry>
    <entry>
      <string>com.scur.engine.stringfilter.string.replaceifequals.replace</string>
      <parameter valueTyp="3">
        <value>
          <stringValue value="-" stringModifier="true" typeId="com.scur.type.string"/>
        </value>
      </parameter>
    </entry>
  </parameters>
</propertyInstance>$  %0D%0A
Time: 
$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.datetimefilter.date.monthnumber"/>$/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.datetimefilter.date.monthdaynumber"/>$/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.datetimefilter.date.year"/>$  $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.datetimefilter.time.hour"/>$:$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.datetimefilter.time.minute"/>$:$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.datetimefilter.time.second"/>$ %0D%0A %0D%0A

Malware Details %0D%0A
File Name: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.url.filename"/>$ %0D%0A
File Extension: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.url.fileextension"/>$ %0D%0A
MD5: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.headerfilter.block.headers.getheader">
  <parameters>
    <entry>
      <string>com.scur.engine.headerfilter.block.headers.getheader.headername</string>
      <parameter valueTyp="3">
        <value>
          <stringValue value="X-Hash-MD5" stringModifier="true" typeId="com.scur.type.string"/>
        </value>
      </parameter>
    </entry>
  </parameters>
</propertyInstance>$ %0D%0A
SHA1: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.headerfilter.block.headers.getheader">
  <parameters>
    <entry>
      <string>com.scur.engine.headerfilter.block.headers.getheader.headername</string>
      <parameter valueTyp="3">
        <value>
          <stringValue value="X-Hash-SHA1" stringModifier="true" typeId="com.scur.type.string"/>
        </value>
      </parameter>
    </entry>
  </parameters>
</propertyInstance>$ %0D%0A
SHA256: $<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.headerfilter.block.headers.getheader">
  <parameters>
    <entry>
      <string>com.scur.engine.headerfilter.block.headers.getheader.headername</string>
      <parameter valueTyp="3">
        <value>
          <stringValue value="X-Hash-SHA256" stringModifier="true" typeId="com.scur.type.string"/>
        </value>
      </parameter>
    </entry>
  </parameters>
</propertyInstance>$ %0D%0A
VT Link: https://www.virustotal.com/#/file/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.headerfilter.block.headers.getheader">
  <parameters>
    <entry>
      <string>com.scur.engine.headerfilter.block.headers.getheader.headername</string>
      <parameter valueTyp="3">
        <value>
          <stringValue value="X-Hash-SHA256" stringModifier="true" typeId="com.scur.type.string"/>
        </value>
      </parameter>
    </entry>
  </parameters>
</propertyInstance>$/detection %0D%0A
Talos Link: https://www.talosintelligence.com/reputation_center/lookup?search=$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.destination.ip"/>$ %0D%0A
URLScan IP: https://urlscan.io/ip/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.destination.ip"/>$ %0D%0A
Hybrid-Analysis: https://www.hybrid-analysis.com/search?query=$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.headerfilter.block.headers.getheader">
  <parameters>
    <entry>
      <string>com.scur.engine.headerfilter.block.headers.getheader.headername</string>
      <parameter valueTyp="3">
        <value>
          <stringValue value="X-Hash-SHA256" stringModifier="true" typeId="com.scur.type.string"/>
        </value>
      </parameter>
    </entry>
  </parameters>
</propertyInstance>$ %0D%0A

">Report Malware to Security</a></b></center>
<br />
<br />
<!--/Email Form-->
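The header-then-template workflow from this post, together with the known-bad hash comparison from the two-rule approach earlier in the thread, modelled in Python as an added example; this is not McAfee Web Gateway code. The `Header.Block.Get("...")` placeholder syntax, the function names and the sample body are assumptions made for the illustration.

```python
import hashlib
import re
from typing import Dict, Optional
from urllib.parse import quote

# Header names from the thread; the algorithm names are what hashlib accepts.
HASH_HEADERS = {"X-Hash-MD5": "md5", "X-Hash-SHA1": "sha1", "X-Hash-SHA256": "sha256"}

# Stand-in for the template syntax: the real block page uses a
# <propertyInstance ...getheader> element; this pattern is an assumption.
PLACEHOLDER = re.compile(r'Header\.Block\.Get\("([^"]+)"\)')

def add_hash_headers(body: bytes, block_headers: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Stage 1, the rule events: Header.Block.Add("X-Hash-MD5", Body.Hash("md5")) etc."""
    headers = dict(block_headers or {})
    for name, algo in HASH_HEADERS.items():
        headers[name] = hashlib.new(algo, body).hexdigest()
    return headers

def render_block_page(template: str, block_headers: Dict[str, str]) -> str:
    """Stage 2, the template: a header that was never added renders as an
    empty string, which is the blank value reported earlier in the thread."""
    return PLACEHOLDER.sub(lambda m: block_headers.get(m.group(1), ""), template)

def lookup_links(block_headers: Dict[str, str]) -> Dict[str, str]:
    """Build the VirusTotal / Hybrid-Analysis links only from a well-formed SHA-256."""
    sha256 = block_headers.get("X-Hash-SHA256", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", sha256):
        return {}
    return {
        "virustotal": f"https://www.virustotal.com/#/file/{sha256}/detection",
        "hybrid_analysis": f"https://www.hybrid-analysis.com/search?query={sha256}",
    }

def is_blocklisted(block_headers: Dict[str, str], bad_hashes) -> bool:
    """The two-rule variant: compare the computed MD5 against a list of known-bad
    hashes. Normalise case, since published hash lists mix upper and lower case."""
    bad = {h.strip().lower() for h in bad_hashes}
    return block_headers.get("X-Hash-MD5", "").lower() in bad

def mailto_body(fields: Dict[str, str]) -> str:
    """Percent-encode report fields for the mailto: form, one per line (%0D%0A)."""
    return "%0D%0A".join(f"{k}: {quote(v, safe='')}" for k, v in fields.items())

TEMPLATE = ('<b>SHA-256 Hash: </b>Header.Block.Get("X-Hash-SHA256")<br />'
            '<b>MD5 Hash: </b>Header.Block.Get("X-Hash-MD5")<br />')
```

Rendering `TEMPLATE` with an empty header map reproduces the blank hash values from message 11; rendering it with the map returned by `add_hash_headers` fills them in.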

 
