3 Replies Latest reply on Mar 7, 2017 6:48 PM by epoNovice

    HOST IPS Query - Detecting HASH values & testing

    epoNovice

      Hi All,

       

      I've been asked to use HIPS to try and detect a group of HASH values we have been sent.

       

      I have been able to edit the Host IPS policy in EPO.  I've created a custom rule and a sub rule which has my HASH values added.  (I've also made sure the Highs are set to prevent in the other rule).

       

      When I enter the HASH values I was under the impression this goes in the "fingerprint" field.  This field is 32 characters long, which is standard for an MD5 hash I think? However, the HASH values I've been given are much longer.

       

      Do I need to condense them somehow or just put in the first 32 characters?

       

      Providing I get that right, do you know of a way to test the value to see if the rule actually triggers and prevents/detects it being invoked?

       

      Thanks all
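
Added example, not part of the original post: a small triage script for a received hash list, assuming (as the poster suspects) that a 32-character field expects an MD5 hex digest. It sorts indicators by digest length, shows that the first 32 characters of a longer digest are not the file's MD5, and computes the MD5 of a local file such as a harmless test binary; all function names and sample data are constructed for illustration.

```python
import hashlib
import re

# Hex digest length is fixed per algorithm, so length identifies the candidate.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def classify(value):
    """Return the likely algorithm for a hex digest, or None if it is not one."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HEX_LENGTHS.get(len(v))

def triage(indicators):
    """Split a hash list into MD5 values and values that cannot be converted."""
    md5s, others = [], []
    for raw in indicators:
        v = raw.strip().lower()
        (md5s if classify(v) == "md5" else others).append(v)
    return md5s, others

def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file on disk, e.g. a harmless test binary used to exercise a rule."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def truncation_matches(data):
    """True only if the first 32 hex chars of SHA-256 equal the MD5 (they do not)."""
    return hashlib.sha256(data).hexdigest()[:32] == hashlib.md5(data).hexdigest()

if __name__ == "__main__":
    # Constructed sample bytes standing in for a file; not a real indicator.
    sample = b"constructed sample contents, not a real indicator\n"
    received = [hashlib.md5(sample).hexdigest(),
                hashlib.sha1(sample).hexdigest(),
                hashlib.sha256(sample).hexdigest()]
    md5s, others = triage(received)
    print("usable as 32-char values:", md5s)
    for v in others:
        print(classify(v), "needs the original file to derive an MD5:", v)
    print("truncated SHA-256 equals MD5?", truncation_matches(sample))
```

A digest is one-way, so a 40- or 64-character value can only be turned into an MD5 by hashing the original file again.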