
Scan for specific MD5 or SHA hashes?

We have a request to scan our PCs for files with specific MD5/SHA hashes. Is there a way that I can add these to Sophos?

This relates to the Anthem/DeepPanda attack; we are not associated with Anthem but would like to take measures to protect ourselves.

Thanks.

File Name        MD5 Hash                          SHA-1
dump32.exe       59c311a7299ed0b71ed0035f8f526ad6  5a719d33b6b45ed85d23b44258b5a251927c7b1a
dump32.exe       be271eada42756568776532d156840c7  d1d616f26eaee0a448148ffacf6ed45321beb21b
dump64.exe       No Hash Value provided            No Hash Value provided
lsremora32.dll   5d9a6ca3f731e8ad8d596803b2db0a9c  41cb5389cf06d056f99979bcbca7417652e1ac91
lsremora32.dll   68e0a5360677781567772ecd779e0d15  0522b9b68a8aa245d06cba292b2ced92153f3ed4


  • Hello Lee7,

    are you searching for files with specific names (about 20% of those listed don't have a hash), and is this supposed to be an on-demand scan? Or do you want them to be caught by the on-access scanner?

    And - no, you can't instruct SAV to scan for specific files and/or properties. A one-time scan for files with one of a few hashes isn't rocket-science anyway (guess there are even free tools with decent performance which can do this).

    Christian
  • Hi QC, thanks for the reply.

    We want to scan for the hashes because, as you know, the filename can change. We actually wanted to use Sophos to detect and quarantine/delete these files using the on-access scanner, or at least the full scanner. I am not sure how this information came about, but apparently these files were used in the recent Anthem attack.

    I will look for a tool to manually do a once-off scan, just to make sure we do not currently have these files on any of our PCs.

    Thanks.

  • Hello Lee7,

    "the filename can change [...] I am not sure how this information came about"

    as can the hash (apparently at least two variants of dump32 and lsremora32 have been found). The preferred method is to send a sample to Labs (whoever computed the hash must have {had} one). Hashes are suitable for identification of a specific file but not for detection of a specific threat (all you have to do is to change a single bit in an otherwise unused location to get a completely different hash).

    Can't say what kind of assistance Sophos might offer (and how much they'd charge) but I'd suggest that you also contact Support.

    Christian

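To make the two points above concrete (a one-off hash sweep is simple to script, and a hash identifies one exact file rather than a threat), here is an added example by the editor; it is not Sophos code and was not posted by anyone in the thread. It takes the MD5/SHA-1 values from the table in the original post as indicators, walks a directory tree hashing every file once, and reports hash hits plus weaker filename-only hits (the only option for dump64.exe, which was posted without a hash). The sample directory, its contents and the extra "constructed-sample" indicator in demo() are constructed for the demonstration.

```python
"""Sweep a directory tree for files matching a list of hash or filename
indicators.  Added example, not a Sophos tool."""
import hashlib
import os
import sys
import tempfile
from typing import Dict, List, NamedTuple, Set, Tuple

# Indicators copied from the table in the original post (lower-cased hex).
IOC_HASHES: Dict[str, str] = {
    "59c311a7299ed0b71ed0035f8f526ad6": "dump32.exe",
    "5a719d33b6b45ed85d23b44258b5a251927c7b1a": "dump32.exe",
    "be271eada42756568776532d156840c7": "dump32.exe",
    "d1d616f26eaee0a448148ffacf6ed45321beb21b": "dump32.exe",
    "5d9a6ca3f731e8ad8d596803b2db0a9c": "lsremora32.dll",
    "41cb5389cf06d056f99979bcbca7417652e1ac91": "lsremora32.dll",
    "68e0a5360677781567772ecd779e0d15": "lsremora32.dll",
    "0522b9b68a8aa245d06cba292b2ced92153f3ed4": "lsremora32.dll",
}
# dump64.exe has no hash on the page, so it can only be matched by name.
IOC_NAMES: Set[str] = {"dump32.exe", "dump64.exe", "lsremora32.dll"}

CHUNK = 1 << 20  # read 1 MiB at a time so large files don't fill memory


class Match(NamedTuple):
    path: str
    md5: str
    sha1: str
    indicator: str  # "md5", "sha1" or "name-only"
    label: str      # which listed file the indicator belongs to


def hash_file(path: str) -> Tuple[str, str]:
    """Return (md5, sha1) hex digests, computed in a single read pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def scan_tree(root: str, hashes: Dict[str, str] = IOC_HASHES,
              names: Set[str] = IOC_NAMES) -> List[Match]:
    """Hash every regular file under root and collect indicator hits."""
    matches: List[Match] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha1 = hash_file(path)
            except OSError:
                continue  # unreadable or locked file: skip, don't abort the sweep
            if md5 in hashes:
                matches.append(Match(path, md5, sha1, "md5", hashes[md5]))
            elif sha1 in hashes:
                matches.append(Match(path, md5, sha1, "sha1", hashes[sha1]))
            elif name.lower() in names:
                # Name-only hits are a weak signal: legitimate files can share a name.
                matches.append(Match(path, md5, sha1, "name-only", name.lower()))
    return matches


def demo() -> List[Match]:
    """Scan a constructed sample tree (not real data) and return the hits.

    Plants three files: one whose bytes match a constructed indicator, the
    same bytes with a single bit flipped (must NOT match, which is Christian's
    point about hashes), and an unrelated file named dump64.exe (name-only hit).
    """
    sample = b"abc"  # MD5 of b"abc" is the well-known 900150983cd24fb0d6963f7d28e17f72
    hashes = dict(IOC_HASHES)
    hashes["900150983cd24fb0d6963f7d28e17f72"] = "constructed-sample"
    variant = bytearray(sample)
    variant[0] ^= 0x01  # one-bit change -> completely different digests
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "sub")
        os.mkdir(sub)
        with open(os.path.join(root, "payload.bin"), "wb") as fh:
            fh.write(sample)
        with open(os.path.join(sub, "renamed.dat"), "wb") as fh:
            fh.write(bytes(variant))
        with open(os.path.join(sub, "dump64.exe"), "wb") as fh:
            fh.write(b"unrelated content\n")
        return sorted(scan_tree(root, hashes), key=lambda m: m.indicator)


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for m in hits:
        print(f"{m.indicator:9} {m.label:20} {m.md5} {m.path}")
```

Run it with a directory argument to sweep a real tree, or with no argument to see the constructed demo: the flipped-bit copy never appears in the output, which is exactly why a hash list catches one known file but not a slightly modified variant.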