App Control: Multiple File Names Are Blocked or Banned but Detected with the Same Hash Value

Environment

  • App Control Console: All Supported Versions

Symptoms

Block or ban events are reported for multiple file names and file paths, but all of them show the same hash value.

Cause

By default, App Control does not track empty files (0 bytes), regardless of the file extension. Every empty file produces the same hash, whatever its name or path. In this case the MD5 or SHA-1 hash has been banned, so the agent starts tracking events related to the banned MD5/SHA-1 hash.

Resolution

Confirm whether there is a File Rule banning the hash:
In the console, go to Rules > Software Rules > Files and search for File Hash:
MD5 is D41D8CD98F00B204E9800998ECF8427E
or
SHA-1 is da39a3ee5e6b4b0d3255bfef95601890afd80709

Additional Notes

  • The hash E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 is considered Trusted, with a Reputation of 10
  • VirusTotal (VT) reports the hash as clean
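
The three hashes quoted above are the MD5, SHA-1 and SHA-256 digests of zero bytes of input. The following added example (not part of the original article or of App Control) recomputes them and flags ban rules that match. The rule list, its field names and the rule names are constructed for illustration and are not a console export format.

```python
import hashlib
import os
import tempfile

# Digests of zero bytes of input; every 0-byte file yields these values,
# whatever its name, extension or path.
EMPTY_DIGESTS = {
    algo: hashlib.new(algo, b"").hexdigest()
    for algo in ("md5", "sha1", "sha256")
}

def file_digest(path, algo):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def rules_banning_empty_file(rules):
    """Return (rule name, algorithm) for each ban rule whose hash is an empty-file digest."""
    by_digest = {d: a for a, d in EMPTY_DIGESTS.items()}
    hits = []
    for rule in rules:
        algo = by_digest.get(rule["hash"].strip().lower())
        if algo and rule["state"].lower() == "ban":
            hits.append((rule["name"], algo))
    return hits

# Constructed sample rules (hypothetical names and layout).
SAMPLE_RULES = [
    {"name": "ban-sample-a", "state": "Ban", "hash": "D41D8CD98F00B204E9800998ECF8427E"},
    {"name": "approve-tool", "state": "Approve", "hash": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"name": "ban-other", "state": "Ban", "hash": "0" * 40},
]

def demo_same_hash():
    """Create two differently named 0-byte files and return their distinct MD5 values."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("a.log", "b.tmp")]
        for p in paths:
            open(p, "wb").close()
        return {file_digest(p, "md5") for p in paths}

if __name__ == "__main__":
    print(rules_banning_empty_file(SAMPLE_RULES))
    print(demo_same_hash())
```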

Creation Date: 11-29-2022