Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Cb Defense: How can I manually scan or lookup the hash reputation without executing it?

Cb Defense: How can I manually scan or lookup the hash reputation without executing it?

Environment

  • Cb Defense Sensor: All Versions

  • Microsoft Windows: All Supported Versions

Question

How can I manually initiate a device scan to check for malware or lookup the file's hash reputation without executing the file?

Answer

Pre-existing files (existed on the device pre-sensor install)

We cannot manually initiate scan of all files on the machine, but if selected in the policy, the sensor will also perform an initial, one-time inventory scan in the background to identify malware files that were pre-existing on the device. Using this feature helps increase malware blocking efficacy for files that were pre-existing on the device before the sensor installation. The background scan takes 3-5 days to complete (depending on number of files on the device). It runs in low-priority mode to consume low system resources.

The background scan starts as soon as policy changes are applied. For sensors deployed with that policy, the scan starts shortly after installation.

New files (added to device post-sensor install)

If another application tries to invoke or access the file on a device where the sensor is installed then we will perform an immediate lookup of the reputation which can be viewed in the Cb Defense Web Console. You could use Microsoft's Sigcheck.exe application to perform some basic function like show the file hash. Example:

sigcheck -h appname.exe

If the target application, in this example - appname.exe, has a whitelist reputation then sigcheck will be allowed to invoke it. The event in the Investigate Page will likewise show a similar event:

The application "C:\path\sigcheck.exe" invoked the application "C:\path\appname.exe".

However, if the target application has a blacklist or malware reputation then sigcheck will not be allowed to invoke it if prevention rules exist in the policy. The event will also show that sigcheck was blocked from accessing it.

The application "C:\path\sigcheck.exe" was prevented from accessing the file "C:\path\appname.exe" due to a Deny operation or Terminate process policy action.

Related Content

Sigcheck - Windows Sysinternals | Microsoft Docs

Cb Defense: Background Scan FAQ

Labels (1)
Was this article helpful? Yes No
0% helpful (0/1)
Article Information
Author:
Creation Date:
‎02-06-2018
Views:
4405
Contributors