I am currently running 18.104.22.168, is there a rule I can create to scan for particular MD5 hashes?
I ask because I get lists of malware hashes and would like to add them to this appliance.
Also does the file scanner scan for already known malware hashes?
On 7.3+, Web Gateway has the ability to calculate the hash (md5, sha1, etc...) of an object/transaction. In general calculating the hash of a file a long time based on the size of the file, so there should be extensive testing and/or user experience testing of this prior to trying it.
Given this information I would advise that calculation of the hash would be done on a limited based. i.e. File is of certain media types which have potential to wreak havoc, or below a certain size.
How does the web gateway currently know if a file is malicious or not? what are the particulars it scans for today and what database does it use? When I start testing I do not want to add the same MD5s if it is already looking for them.
MWG uses the McAfee Antivirus Engine. It's not just a database of hashes, but full AV scanning. Additionally, it has the Gateway Antimalware engine which looks at malware behaviourally, not just by signatures or AV.
There will be no way to predetermine of the AV engine or GAM will detect a file by hash alone. Hashes for malware are pretty inefective, considering that much of today's malware is polymorphic and changes each time it's served up to a user.
If you insist on comparing hashes, you can submit them to VirusTotal.com search and see if any AV vendor is catching them, including McAfee.
Either way, you still have to upgrade to 7.3 in order to do the hashing on MWG.
Yes I use VirusTotal now for comparing hashes, my situation is more for zero day and recent popular attacks targeting my industry. I find a lot of the hashes I am getting from my threat sharing intel are only being picked up by a few vendors on virus total and would like to manually create rules on the web gateway for the ones mcafee does not pick up. Just gives my ISO an added level of comfort and lets the "C" suite know that we are doing everything to mitigate the risk.
Thanks - I will be upgradnig once the new version comes out next week