4 Replies Latest reply on Nov 29, 2013 10:46 AM by nsgmike

    Scan for particular MD5 hashes

    nsgmike

      I am currently running 7.1.5.2, is there a rule I can create to scan for particular MD5 hashes?

       

      I ask because I get lists of malware hashes and would like to add them to this appliance.

       

      Also does the file scanner scan for already known malware hashes?

       

      Thanks

        • 1. Re: Scan for particular MD5 hashes
          Jon Scholten

          7.1.5, no.

           

On 7.3+, Web Gateway has the ability to calculate the hash (md5, sha1, etc...) of an object/transaction. In general, calculating the hash of a file takes a long time based on the size of the file, so there should be extensive testing and/or user experience testing of this prior to trying it.

           

Given this information, I would advise that calculation of the hash be done on a limited basis, i.e. the file is of certain media types which have the potential to wreak havoc, or is below a certain size.

           

          Best,

          Jon

          • 2. Re: Scan for particular MD5 hashes
            nsgmike

            Thanks Jon,

             

How does the web gateway currently know if a file is malicious or not? What are the particulars it scans for today, and what database does it use? When I start testing I do not want to add the same MD5s if it is already looking for them.

            • 3. Re: Scan for particular MD5 hashes

              Hi Mike,

MWG uses the McAfee Antivirus Engine. It's not just a database of hashes, but full AV scanning. Additionally, it has the Gateway Antimalware engine, which looks at malware behaviourally, not just by signatures or AV.

               

There will be no way to predetermine if the AV engine or GAM will detect a file by hash alone. Hashes for malware are pretty ineffective, considering that much of today's malware is polymorphic and changes each time it's served up to a user.

               

              If you insist on comparing hashes, you can submit them to VirusTotal.com search and see if any AV vendor is catching them, including McAfee.

               

              Either way, you still have to upgrade to 7.3 in order to do the hashing on MWG.
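Jon's advice above (calculate the hash only for risky media types under a size limit, then compare it with the shared list) and the point in the reply above that a polymorphic sample defeats a hash match, as an added Python illustration. This is not part of the thread and is not McAfee Web Gateway rule syntax; the media-type list, the 10 MiB cap, the sample bytes and the "intel feed" hash list are all constructed for the example, not real malware hashes.

```python
"""Hash-blocklist check for a downloaded object, gated by media type and size.

Added example, not MWG code.  The blocklist and sample bytes are constructed.
"""
import hashlib

# Media types worth the cost of hashing (assumed list for the example):
# executables, archives and document formats that can carry active content.
RISKY_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/octet-stream",
    "application/zip",
    "application/msword",
    "application/pdf",
}
MAX_HASH_BYTES = 10 * 1024 * 1024  # assumed cap: skip hashing above 10 MiB


def digests(data: bytes) -> dict:
    """Return md5, sha1 and sha256 hex digests, computed in one pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def should_hash(content_type: str, size: int, *, max_bytes=MAX_HASH_BYTES,
                risky=RISKY_TYPES) -> bool:
    """Gate: only hash risky media types at or below the size cap."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in risky and size <= max_bytes


def parse_hash_list(text: str) -> dict:
    """Parse a shared list (one hex digest per line, '#' comments allowed).

    Digests are sorted into md5/sha1/sha256 by length; malformed lines are
    ignored so one bad entry in a feed cannot break the whole rule.
    """
    by_len = {32: "md5", 40: "sha1", 64: "sha256"}
    out = {"md5": set(), "sha1": set(), "sha256": set()}
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().lower()
        if not token:
            continue
        algo = by_len.get(len(token))
        if algo is None or any(c not in "0123456789abcdef" for c in token):
            continue
        out[algo].add(token)
    return out


def check_object(content_type: str, data: bytes, blocklist: dict, *,
                 max_bytes=MAX_HASH_BYTES) -> str:
    """Return 'skipped' (not hashed), 'block' (digest on the list) or 'allow'."""
    if not should_hash(content_type, len(data), max_bytes=max_bytes):
        return "skipped"
    d = digests(data)
    for algo, bad in blocklist.items():
        if d.get(algo) in bad:
            return "block"
    return "allow"


# Constructed sample object and a one-byte "polymorphic" variant of it.
SAMPLE = b"MZ\x90\x00" + b"constructed sample, not real malware" * 8
VARIANT = SAMPLE + b"\x00"

# Constructed intel feed: an md5 and an upper-case sha256 of SAMPLE plus junk.
SHARED_LIST = (
    "# constructed feed for the example\n"
    + hashlib.md5(SAMPLE).hexdigest() + "\n"
    + hashlib.sha256(SAMPLE).hexdigest().upper() + "   # mixed case\n"
    + "not-a-hash\n"
)
BLOCKLIST = parse_hash_list(SHARED_LIST)

if __name__ == "__main__":
    print(check_object("application/x-msdownload", SAMPLE, BLOCKLIST))      # block
    print(check_object("application/x-msdownload", VARIANT, BLOCKLIST))     # allow
    print(check_object("text/html; charset=utf-8", SAMPLE, BLOCKLIST))      # skipped
    print(check_object("application/zip", SAMPLE, BLOCKLIST, max_bytes=10)) # skipped
```

The gate runs before any hashing, so most transactions (HTML, images, large downloads) never pay the cost Jon warns about. The VARIANT case is the polymorphism problem in miniature: appending a single byte changes every digest, so the exact-match list no longer fires even though the content is otherwise identical, which is why the list only adds coverage on top of the AV and GAM engines rather than replacing them.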

               

              • 4. Re: Scan for particular MD5 hashes
                nsgmike

                Thanks Eric

                 

Yes, I use VirusTotal now for comparing hashes; my situation is more for zero-day and recent popular attacks targeting my industry. I find a lot of the hashes I am getting from my threat-sharing intel are only being picked up by a few vendors on VirusTotal, and would like to manually create rules on the web gateway for the ones McAfee does not pick up. It just gives my ISO an added level of comfort and lets the "C" suite know that we are doing everything to mitigate the risk.

                 

Thanks - I will be upgrading once the new version comes out next week.