App Control: Why Doesn't This SHA256 Hash Match the Hash in the Console?

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Question

Why does this SHA256 hash not match the data in the Console?

Answer

Some files embed date, location, or other context-specific information that is not relevant for tracking purposes. For file types known to do this (such as MSI files), App Control uses a unique Fuzzy Hashing Algorithm that eliminates this variation. When this algorithm has been used, the SHA-256 hash is identified in the Console as "SHA-256 (Normalized)". This algorithm affects Global and Local Approvals of a SHA-256 Normalized file in two ways:
  • Importing SHA-256 hashes of MSI files from another source may result in the associated File Rule becoming ineffective in App Control, because the imported value is a whole-file hash rather than the Normalized one.
  • The Agent hashes the whole file for MD5 and SHA-1 values, which may include the context-specific information. The resulting MD5 or SHA-1 hash can therefore be unique to each machine the file is created on, and a File Rule that relies on this value may become ineffective in App Control.
Due to these issues, the best practice for Approving or Banning the hash of an MSI file is to use the SHA-256 (Normalized) hash created by App Control. Other hash types, and hashes imported from elsewhere, should be avoided.

Additional Notes

  • By default, External Events rely on the MD5 hash. If an MD5 hash is not available for the File or Event, the SHA-256 value is used instead. This can lead to a discrepancy between what is observed in the External Event and what was reported by the Agent.
  • More information can be found in the App Control User Guide chapter "File, Publisher and Application Information" and the chapter "Approving and Banning Software".
  • The following commands can be used on a machine that has an Agent installed to verify whether the file will return a Fuzzy (Normalized) hash or not:
    cd "C:\Program Files (x86)\Bit9"
    dascli hash sha256 "C:\Path\To\Installer.msi"

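The check above can be scripted so that the whole-file hashes an external tool or feed would compute are compared directly with the value the Agent reports. This is an added example, not part of the App Control documentation or product; it assumes the default Agent directory shown above and that the dascli output contains the hash as a 64-character hex string (the exact output format is assumed, not documented here).

```powershell
# Added example (not App Control's own code). Compares conventional whole-file
# hashes with the SHA-256 the Agent computes via dascli, so you can see whether
# a hash imported from elsewhere would actually match this file's File Rule.
# Assumptions: default Agent path; dascli prints the hash as 64 hex characters.

param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$agentDir = "C:\Program Files (x86)\Bit9"
$dascli   = Join-Path $agentDir "dascli.exe"
if (-not (Test-Path $dascli)) {
    throw "dascli.exe not found in $agentDir; is the App Control Agent installed?"
}
if (-not (Test-Path $Path)) {
    throw "File not found: $Path"
}

# Whole-file hashes, as any external tool or threat feed would compute them.
$full = @{}
foreach ($algo in "MD5", "SHA1", "SHA256") {
    $full[$algo] = (Get-FileHash -Path $Path -Algorithm $algo).Hash.ToLowerInvariant()
}

# Hash as computed by the Agent (Normalized for file types such as MSI).
$output = & $dascli hash sha256 $Path 2>&1 | Out-String
$m = [regex]::Match($output, '[0-9A-Fa-f]{64}')   # output format is an assumption
if (-not $m.Success) {
    throw "Could not find a SHA-256 value in dascli output:`n$output"
}
$agentSha256 = $m.Value.ToLowerInvariant()

[pscustomobject]@{
    File             = $Path
    MD5_WholeFile    = $full["MD5"]
    SHA1_WholeFile   = $full["SHA1"]
    SHA256_WholeFile = $full["SHA256"]
    SHA256_Agent     = $agentSha256
    # A mismatch indicates the Agent applied the Fuzzy (Normalized) hash: a
    # rule keyed on the whole-file SHA-256, MD5 or SHA-1 will not match it.
    Normalized       = ($agentSha256 -ne $full["SHA256"])
} | Format-List
```

When Normalized is True, approve or ban the file using the SHA-256 (Normalized) value shown in the Console rather than any of the whole-file hashes.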
Article Information

Creation Date: 09-09-2020