App Control: Why Doesn't This SHA256 Hash Match the Hash in the Console?
App Control Console: All Supported Versions
App Control Agent: All Supported Versions
Why does this SHA256 hash not match the data in the Console?
Some files include date, location, or other context-specific information that is not relevant for tracking purposes. For file types known to do this (such as MSI files), App Control uses a unique Fuzzy Hashing Algorithm that eliminates this variation. When this algorithm has been used, the SHA-256 hash is identified in the Console as "SHA-256 (Normalized)". This algorithm will affect Global and Local Approvals of a SHA-256 Normalized file in two ways:
Importing SHA-256 hashes for MSI files from another source may result in the associated File Rule becoming ineffective in App Control.
The Agent hashes the whole file for MD5 and SHA-1 values, which could contain the context-specific information. The resulting MD5 or SHA-1 hash may be unique for each machine it is created on, and a File Rule that relies on this value may become ineffective in App Control.
Due to these issues, the best practice for Approving or Banning the hash of an MSI file is to use the SHA-256 (Normalized) hash created by App Control. Other hash types, and hashes imported from elsewhere, should be avoided.
By default, External Events rely on the MD5 hash. If an MD5 hash is not available for the File or Event, the SHA-256 value is used instead. This could lead to a discrepancy between what is observed in the External Event and what was reported by the Agent.
More information on this can be found in the App Control User Guide chapters "File, Publisher and Application Information" and "Approving and Banning Software".
The following commands can be used on a machine that has an Agent to verify whether the file will return a Fuzzy (Normalized) hash or not:
cd "C:\Program Files (x86)\Bit9"
dascli hash sha256 "C:\Path\To\Installer.msi"
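
The following PowerShell sketch is an added example, not part of the vendor article or the product. It reviews a list of hashes obtained from another source before they are imported as File Rules, and flags the MSI entries that the guidance above says to replace with the SHA-256 (Normalized) value. The function name, the Path/Algorithm/Hash fields, and the sample files are assumptions constructed for illustration.

```powershell
# Added example (not vendor code): review hashes from another source before
# importing them as File Rules. Field names Path/Algorithm/Hash are assumptions.
function Test-ImportedHash {
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        $alg   = $Entry.Algorithm -replace '-', ''    # "SHA-256" -> "SHA256"
        $isMsi = [IO.Path]::GetExtension($Entry.Path) -ieq '.msi'

        # Whole-file hash of the local copy, when the file exists on this machine.
        $local = $null
        if (Test-Path -LiteralPath $Entry.Path -PathType Leaf) {
            $local = (Get-FileHash -LiteralPath $Entry.Path -Algorithm $alg).Hash
        }

        $verdict = if ($isMsi -and $alg -eq 'SHA256') {
            'MSI: Console tracks SHA-256 (Normalized); an imported SHA-256 may not match'
        } elseif ($isMsi) {
            "MSI: $alg covers the whole file and may differ per machine; use SHA-256 (Normalized)"
        } else {
            'Not an MSI: check whether the Console labels this file SHA-256 (Normalized)'
        }

        [pscustomobject]@{
            Path             = $Entry.Path
            Algorithm        = $alg
            MatchesWholeFile = if ($local) { $local -ieq $Entry.Hash.Trim() } else { $null }
            Verdict          = $verdict
        }
    }
}

# Constructed sample input: two throwaway files and a hypothetical import list.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'hash-audit-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$msi = Join-Path $dir 'Installer.msi'
$exe = Join-Path $dir 'Tool.exe'
Set-Content -LiteralPath $msi -Value 'constructed placeholder content'
Set-Content -LiteralPath $exe -Value 'constructed placeholder content'
$import = @(
    [pscustomobject]@{ Path = $msi; Algorithm = 'SHA-256'; Hash = ('A' * 64) }
    [pscustomobject]@{ Path = $msi; Algorithm = 'MD5';     Hash = ('0' * 32) }
    [pscustomobject]@{ Path = $exe; Algorithm = 'SHA-256'; Hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }
)
$import | Test-ImportedHash | Format-List
```

MatchesWholeFile only compares against a whole-file hash computed locally; for an MSI, the value to approve or ban is still the SHA-256 (Normalized) hash reported by App Control.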