
App Control: Multiple File Names Are Blocked or Banned but Detected with the Same Hash Value

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Symptoms

The Agent enforces blocks on multiple files with different paths and names, but every block reports the same hash values:
  • SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  • SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  • MD5: D41D8CD98F00B204E9800998ECF8427E

Cause

By default, the Agent does not track empty files (0 bytes), regardless of file extension. The three hashes listed under Symptoms are the digests of zero-length input, so every empty file on an endpoint produces exactly these values, whatever its name or path.

Resolution

Verify that no File Rule bans the hash:
  1. Log in to the Console and navigate to Rules > Software Rules > Files.
  2. Search for the relevant hashes.
  3. If a Ban exists, change it to an Approval if appropriate. Because these hashes match every zero-byte file, a Ban on them affects every empty file on every endpoint, not just the file paths reported in the Execution Block.
Verify that the file on the endpoint is not a 0-byte file:
  1. Get the full path from the relevant Execution Block and hash the file with PowerShell (Get-FileHash uses SHA256 by default):
     Get-FileHash "C:\Path\To\file.dll"
  2. If the hash does not match what the Agent reported, the Agent's cache entry for that file is stale. Initiate a Cache Consistency Check and choose the option to Rescan Known Files:
     • From the Console: Assets > Computers > relevant Computer > right-hand menu > Perform Cache Consistency Check > Rescan known files
     • Using dascli on the endpoint (replace <GlobalPassword> with the Agent's global password):
       cd "C:\Program Files (x86)\Bit9\Parity Agent"
       dascli password <GlobalPassword>
       dascli checkcache 2
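The two checks above (is the file actually empty, and does its current hash still match what the Agent reported) can be run in one pass over every path taken from the Execution Block events. The script below is an added example written for this article, not code from the original page or from the App Control product. The file paths in $BlockedPaths are constructed sample inputs; replace them with the paths from your own Execution Blocks. The only hash compared is the SHA256 of zero-length input, which is the value reported in the Symptoms section.

```powershell
# Added example (not part of the original KB article). For each path reported in an
# Execution Block, report the file size, its current SHA256, whether that SHA256 is the
# empty-input digest, and what the next step should be.

# SHA256 of zero-length input (the value the Agent reports for untracked empty files).
$EmptySha256 = 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855'

function Test-EmptyFileHash {
    <#
    .SYNOPSIS
    Classifies each blocked path as: missing, a genuine zero-byte file, or a non-empty
    file whose Agent cache entry is stale and needs a Cache Consistency Check.
    #>
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # Hash the Agent reported in the Execution Block; defaults to the empty-input digest.
        [string] $ReportedSha256 = $EmptySha256
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{
                Path = $p; Bytes = $null; SHA256 = $null; MatchesReported = $null
                Verdict = 'File not present on disk; rescan known files to clear the stale entry'
            }
            continue
        }
        $bytes  = (Get-Item -LiteralPath $p).Length
        $sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $match  = ($sha256 -eq $ReportedSha256)   # -eq is case-insensitive for strings
        $verdict = if ($bytes -eq 0) {
            'Zero-byte file; empty-input hash is expected and not tracked by default'
        } elseif ($match) {
            'Hash matches the Agent report; check Rules > Software Rules > Files for a Ban'
        } else {
            'Hash differs from the Agent report; run Perform Cache Consistency Check > Rescan known files'
        }
        [pscustomobject]@{
            Path = $p; Bytes = $bytes; SHA256 = $sha256; MatchesReported = $match; Verdict = $verdict
        }
    }
}

# Constructed sample inputs (assumptions, not real Execution Block data): one empty file,
# one non-empty file, and one path that does not exist.
$emptyFile    = Join-Path $env:TEMP 'appcontrol-sample-empty.dll'
$nonEmptyFile = Join-Path $env:TEMP 'appcontrol-sample-nonempty.dll'
[System.IO.File]::WriteAllBytes($emptyFile, [byte[]]@())
[System.IO.File]::WriteAllBytes($nonEmptyFile, [System.Text.Encoding]::ASCII.GetBytes('not empty'))
$BlockedPaths = @($emptyFile, $nonEmptyFile, 'C:\Path\To\missing.dll')

Test-EmptyFileHash -Path $BlockedPaths | Format-Table -AutoSize
```

Run it from the same PowerShell session used in step 1. A row with Bytes = 0 confirms the Cause above and needs no Agent action; a row whose SHA256 differs from the Agent-reported value is the case step 2 addresses with the Cache Consistency Check.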

Additional Notes

  • The hash E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 is considered Trusted and has a Reputation of 10.
  • VirusTotal reports this hash as clean.

Creation Date: 11-29-2022