
App Control: Why Doesn't This SHA256 Hash Match the Hash in the Console?

Environment

  • App Control: All Supported Versions

Question

Why does this SHA256 hash not match the data in the Console?

Answer

  • Some files change their hash every time they are installed because they include date, location, or other context-specific information not relevant for tracking purposes. For files known to do this, App Control uses a special fuzzy hashing algorithm that eliminates this extraneous variation, and so shows every instance of such files on computers running App Control Agents to be identical. When this algorithm has been used, the hash is identified as "SHA-256 (Normalized)".
  • If the notifier message does not contain an MD5, we use the SHA instead. This can sometimes lead to a discrepancy between what is seen in external events and the notifier.

Additional Notes

In the case of external events, we use MD5 by default. If an MD5 is not included, we fall back on the SHA256 hash.
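
To tell which of the cases above applies when a locally computed hash does not match the console value, the following added example (not part of the original article and not App Control code) compares a file's MD5 and SHA-256 against the value shown. The function name, verdict strings, and sample bytes are assumptions made here, and the normalized algorithm itself is not reproduced.

```python
import hashlib
import string

def classify_console_hash(file_bytes, console_hash, console_label=""):
    """Explain how a hash shown in the console relates to a local copy of a file.

    console_label is the hash type text shown next to the value, if any
    (the article names "SHA-256 (Normalized)"). Verdict strings are invented here.
    """
    shown = console_hash.strip().lower()
    if not shown or any(c not in string.hexdigits for c in shown):
        return "not-a-hex-digest"
    # A normalized hash ignores install-specific data, so a plain SHA-256
    # over the raw file bytes is not expected to reproduce it.
    if "normalized" in console_label.lower():
        return "normalized-not-comparable"
    md5 = hashlib.md5(file_bytes).hexdigest()
    sha256 = hashlib.sha256(file_bytes).hexdigest()
    if shown == sha256:
        return "sha256-match"
    if shown == md5:
        # External events use MD5 by default, so the value may simply be an MD5.
        return "md5-match"
    if len(shown) == 32:
        return "md5-of-different-content"
    if len(shown) == 64:
        # Different content, or a normalized value whose label was not passed in.
        return "sha256-mismatch-check-label"
    return "unknown-digest-length"

if __name__ == "__main__":
    # Constructed sample bytes standing in for a file read from disk.
    sample = b"constructed sample file contents, not a real installer"
    event_value = hashlib.md5(sample).hexdigest()  # what an external event would carry
    print(classify_console_hash(sample, event_value))
    print(classify_console_hash(sample, "0" * 64, "SHA-256 (Normalized)"))
```
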

Creation Date: 09-09-2020