1 Reply Latest reply: Sep 23, 2013 6:03 PM by gfergus1

    custom file hash import - file reputation question

    dt1

      I have two questions regarding importing custom file fingerprints via the file reputation function.

       

      First, according to documentation, the imported file must be CSV and hash data in this format:

       

      <file name plus extension>, <file size>, <hash type>, <hash>, <description>

       

      For example:

       

      application.exe, 1024000, MD5, 30a4edd18db6d938ahf23123123, text description

       

      My first question: why are the file size and file name required? Will these attributes need to match exactly for detection to occur?

       

      Second question: what does the "sensitivity" value for GTI file reputation specify exactly? A hash either matches a known malicious hash or not; what does the sensitivity level of very low - very high represent?

        • 1. Re: custom file hash import - file reputation question
          gfergus1

          The file format is the same as what gets exported by the manager if you were to already have a list.  If you import a single file you can then export it back out and it will get the same format.  I believe the name and size are for display in the UI.  The hash is used by the sensor in identifying the file.

           

          The sensitivity is used in the response from the GTI servers to indicate "how dirty" the file is.  The hash is used for identifying the file; the sensitivity is for determining what action should be taken with the file.
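
An added example, not part of either post and not the vendor's code: a small Python helper that builds rows in the field order quoted in the question (file name, size, hash type, hash, description) and sanity-checks rows before import. It assumes MD5 only, since that is the only hash type shown on the page, and assumes the importer accepts standard CSV quoting; the function names and the sample bytes are constructed for illustration.

```python
import csv
import hashlib
import io
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")  # an MD5 digest is 32 hex characters


def make_row(name, data, description):
    """Build one row in the page's field order from a file's bytes."""
    return [name, str(len(data)), "MD5", hashlib.md5(data).hexdigest(), description]


def check_row(row):
    """Return a list of problems found in one parsed row (empty list = OK)."""
    if len(row) != 5:
        return [f"expected 5 fields, got {len(row)}"]
    name, size, hash_type, digest, _description = (f.strip() for f in row)
    problems = []
    if not name:
        problems.append("empty file name")
    if not size.isdigit():
        problems.append("file size is not a non-negative integer")
    if hash_type.upper() != "MD5":
        problems.append("hash type is not MD5")  # only MD5 is handled here
    elif not MD5_RE.match(digest):
        problems.append("hash is not 32 hex characters")
    return problems


def write_rows(rows):
    """Serialise rows as CSV text; csv quotes any field containing a comma."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample content, not a real sample or a value from the page.
    row = make_row("sample.bin", b"constructed sample bytes", "lab test entry")
    print(write_rows([row]), end="")
    print(check_row(row))
    print(check_row(["sample.bin", "12", "MD5", "abc123", "truncated hash"]))
```

Because the reply states that the sensor identifies the file by its hash, a mistyped or truncated digest is the error worth catching before import.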