4 Replies Latest reply on Nov 2, 2015 2:13 PM by vinoo

    Stinger md5 blacklist

    drknci2v

      I'm trying to get the Stinger md5 blacklist to work but every attempt has failed.  Here is what I have discovered so far as requirements for the feature:

      MD5 must be of an executable binary (exe, dll, sys, etc)

      File must not be whitelisted by McAfee to be detected

      Files that are digitally signed using a valid certificate will not be detected

      Obviously the file must be scanned with the current configuration settings

       

      I've tried both upper and lowercase MD5 hash values (adds both to the list which is strange) but still no luck.  I also tried inputting the hash via both the Hash button and the Load hash List button. I've tried with a custom executable I made but it would not flag for detection. I've tried this with a new malware sample that was not signed and had no current McAfee detection but still wouldn't flag off md5.  I also tried different versions of Stinger and still no luck.  Based on the documentation this should be pretty straightforward but for some reason will not work for me. If someone could help look into this I'd appreciate it.

        • 1. Re: Stinger md5 blacklist
          Peter M

          Moved to Other McAfee Corporate Products as hopefully a good spot for it.

           

          Peter

          Volunteer Moderator

          • 2. Re: Stinger md5 blacklist
            vinoo

            Sorry about the late response - saw this post only now.

            Can you post the Stinger scan.log to this thread so that I can review it?

             

            Thanks,

            Vinoo

            • 3. Re: Stinger md5 blacklist
              madlaxer

              I am experiencing this same problem.  I pointed the scanner at a specific folder with an exe in it.  I used the Microsoft File Checksum Integrity Verifier to grab the MD5 hash, added it to the blacklist in Stinger, and ran the scan.  It does not identify the file.

               

              Any help is appreciated.

              Thanks,

               

               

              Here is the log:

               

              McAfee® Labs Stinger™ Version 12.1.0.1647 built on Jul 28 2015 at 13:22:32
              Copyright© 2015, McAfee, Inc. All Rights Reserved.

              AV Engine version v5800.7484 for Windows.
              Virus data file v1000.0 created on Jul 28, 2015
              Ready to scan for 6952 viruses, trojans and variants.

              Custom scan initiated on Wednesday, July 29, 2015 09:56:49

              C:\PSTools\Microsoft File Checksum Integrity Verifier\fciv.exe
              C:\PSTools\Microsoft File Checksum Integrity Verifier\ReadMe.txt

              Summary Report on C:\PSTools\Microsoft File Checksum Integrity Verifier
              File(s)
              TotalFiles:............ 2
              Clean:................. 2
              Not Scanned:........... 0
              Possibly Infected:..... 0

              Time: 00:00:00

              Scan completed on Wednesday, July 29, 2015 09:56:49

              • 4. Re: Stinger md5 blacklist
                vinoo

                Hmm.. looking at the log file, it's scanned fciv.exe (which is a legit signed file) and the readme.txt file (which is a non exe file).

                Both won't get detected. What is the actual file you're trying to get detected? Got a file hash or sample for me to test with?
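
A pre-check for the conditions raised in this thread, as an added example that is not part of the original posts and not McAfee code: it computes the MD5 a blacklist entry has to match, tests whether the file is a PE executable, and reports whether the file carries an embedded Authenticode certificate table. It does not validate the signature, see catalog signatures, or know McAfee's whitelist; `pe_info`, `precheck` and `sample_pe` are hypothetical names and the sample bytes are constructed.

```python
import hashlib
import struct

def pe_info(data: bytes):
    """Return (is_pe, has_embedded_signature) from the PE headers alone."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    if opt + 2 > len(data):
        return True, False
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ data directories
    if dirs is None or opt + dirs + 40 > len(data):
        return True, False
    (count,) = struct.unpack_from("<I", data, opt + dirs - 4)
    # Directory entry 4 is the certificate table (file offset, size).
    offset, size = struct.unpack_from("<II", data, opt + dirs + 4 * 8)
    return True, count > 4 and offset != 0 and size != 0

def precheck(data: bytes, blacklist):
    """Check one file against the conditions listed in the thread."""
    # Normalise case and whitespace so one hash is one entry.
    listed = {h.strip().lower() for h in blacklist if h.strip()}
    digest = hashlib.md5(data).hexdigest()
    is_pe, signed = pe_info(data)
    return {"md5": digest, "hash_listed": digest in listed,
            "is_pe": is_pe, "has_signature": signed}

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header block, used only as sample input."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 92, 16)  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", buf, opt + 96 + 32, 0x180, 0x40)
    return bytes(buf)

if __name__ == "__main__":
    target = sample_pe(signed=False)
    entry = hashlib.md5(target).hexdigest().upper()  # as pasted in upper case
    print(precheck(target, [entry]))
    print(precheck(sample_pe(signed=True), [entry]))
```

To check a real file, pass `open(path, "rb").read()` and the lines of the hash list file to `precheck`; a result with `is_pe` false or `has_signature` true matches the two cases called out in the last reply.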