277 Views 1 Reply Latest reply: Sep 23, 2013 6:03 PM by gfergus1
dt1 Newcomer 12 posts since
Apr 17, 2013

Sep 23, 2013 8:44 AM

custom file hash import - file reputation question

I have two questions regarding importing custom file fingerprints via the file reputation function.

 

First, according to documentation, the imported file must be CSV and the hash data in this format:

 

<file name plus extension>, <file size>, <hash type>, <hash>, <description>

 

For example:

 

application.exe, 1024000, MD5, 30a4edd18db6d938ahf23123123, text description

 

My first question: why are the file size and file name required? Will these attributes need to match exactly for detection to occur?

 

Second question: what does the "sensitivity" value for GTI file reputation specify exactly? A hash either matches a known malicious hash or not; what does the sensitivity level of very low - very high represent?

  • gfergus1 McAfee SME 125 posts since
    Nov 4, 2009
    1. Sep 23, 2013 6:03 PM (in response to dt1)
    Re: custom file hash import - file reputation question

    The file format is the same as what gets exported by the manager if you were to already have a list.  If you import a single file you can then export it back out and it will get the same format.  I believe the name and size are for display in the UI.  The hash is used by the sensor in identifying the file.

     

    The sensitivity is used in the response from the GTI servers to indicate "how dirty" the file is.  The hash is used for identifying the file; the sensitivity is for determining what action should be taken with the file.
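An added example, not part of the original thread and not McAfee code: a Python sketch that builds rows in the five-field layout quoted in the question and sanity-checks a CSV before import. The function names and the validation rules (MD5 only, 32 hex characters, integer size) are assumptions drawn from the example line in the post, not the Manager's documented checks.

```python
import csv
import hashlib
import io
import re

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")

# The example line quoted in the question, copied verbatim.
PAGE_EXAMPLE = "application.exe, 1024000, MD5, 30a4edd18db6d938ahf23123123, text description"

def make_row(name, data, description):
    """Build one row: <file name>, <file size>, <hash type>, <hash>, <description>."""
    return [name, str(len(data)), "MD5", hashlib.md5(data).hexdigest(), description]

def validate_row(fields):
    """Return a list of problems for one parsed row (empty list means none found)."""
    if len(fields) != 5:
        return [f"expected 5 fields, got {len(fields)}"]
    name, size, hash_type, digest, _description = (f.strip() for f in fields)
    problems = []
    if not name:
        problems.append("empty file name")
    if not re.fullmatch(r"[0-9]+", size):
        problems.append("file size is not a non-negative integer")
    if hash_type.upper() != "MD5":  # assumption: MD5 is the only type shown on the page
        problems.append(f"unexpected hash type {hash_type!r}")
    elif not MD5_HEX.fullmatch(digest):
        problems.append("hash is not 32 hex characters")
    return problems

def check_csv(text):
    """Map line number -> problems for every non-blank row that fails validation."""
    bad = {}
    for number, fields in enumerate(csv.reader(io.StringIO(text), skipinitialspace=True), 1):
        problems = validate_row(fields) if fields else []
        if problems:
            bad[number] = problems
    return bad

if __name__ == "__main__":
    out = io.StringIO()
    # Constructed sample content standing in for a real file's bytes.
    csv.writer(out).writerow(make_row("sample.exe", b"constructed sample bytes", "lab sample"))
    print(out.getvalue().strip(), check_csv(out.getvalue()))
    print(check_csv(PAGE_EXAMPLE))
```

Run on the example line from the question, the check reports the hash field, which is 27 characters long and contains a non-hex letter, so that line reads as a placeholder rather than a real digest.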
