
Scan for specific MD5 or SHA hashes?

We have a request to scan our PCs for files with specific MD5 SHA hashes, is there a way that I can add these to Sophos?

This is relating to the Anthem/DeepPanda attack, we are not associated with Anthem but would like to take measures to protect ourselves.

Thanks.

| File Names | MD5 Hash | SHA-1 |
|---|---|---|
| dump32.exe | 59c311a7299ed0b71ed0035f8f526ad6 | 5a719d33b6b45ed85d23b44258b5a251927c7b1a |
| dump32.exe | be271eada42756568776532d156840c7 | d1d616f26eaee0a448148ffacf6ed45321beb21b |
| dump64.exe | No Hash Value provided | No Hash Value provided |
| lsremora32.dll | 5d9a6ca3f731e8ad8d596803b2db0a9c | 41cb5389cf06d056f99979bcbca7417652e1ac91 |
| lsremora32.dll | 68e0a5360677781567772ecd779e0d15 | 0522b9b68a8aa245d06cba292b2ced92153f3ed4 |


  • Hello Lee7,

    the filename can change [...] I am not sure how this information came about

    as can the hash (apparently at least two variants of dump32 and lsremora32 have been found). The preferred method is to send a sample to Labs (whoever computed the hash must have {had} one). Hashes are suitable for identification of a specific file but not for detection of a specific threat (all you have to do is to change a single bit in an otherwise unused location to get a completely different hash).

    Can't say what kind of assistance Sophos might offer (and how much they'd charge) but I'd suggest that you also contact Support.

    Christian
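
Added example, not part of the original thread and not Sophos tooling: a Python script for the hash sweep asked about in the question, using the MD5 and SHA-1 values from the table in the question as the indicator set. The `demo` function and its file contents are constructed and harmless; it shows the point made in the reply, that a renamed copy still matches while a copy with one changed bit does not.

```python
import hashlib
import os
import tempfile

# MD5 and SHA-1 values from the table in the question (lowercase hex).
IOC_HASHES = {
    "59c311a7299ed0b71ed0035f8f526ad6",
    "be271eada42756568776532d156840c7",
    "5d9a6ca3f731e8ad8d596803b2db0a9c",
    "68e0a5360677781567772ecd779e0d15",
    "5a719d33b6b45ed85d23b44258b5a251927c7b1a",
    "d1d616f26eaee0a448148ffacf6ed45321beb21b",
    "41cb5389cf06d056f99979bcbca7417652e1ac91",
    "0522b9b68a8aa245d06cba292b2ced92153f3ed4",
}

def file_hashes(path, chunk=1 << 20):
    """Return (md5, sha1) hex digests, reading the file once in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def scan(root, iocs=IOC_HASHES):
    """Return sorted paths under root whose MD5 or SHA-1 is in iocs; names are ignored."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha1 = file_hashes(path)
            except OSError:  # locked or unreadable file: skip it, keep scanning
                continue
            if md5 in iocs or sha1 in iocs:
                hits.append(path)
    return sorted(hits)

def demo():
    """Constructed sample: a renamed copy matches, a one-bit change does not."""
    data = b"constructed sample, not a real indicator" * 64
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("a.bin", data), ("renamed.tmp", data), ("flipped.bin", flipped)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        hits = scan(root, {hashlib.md5(data).hexdigest()})
        return [os.path.basename(p) for p in hits]
```

Calling `scan(r"C:\Users")` (path is an assumption) sweeps that tree against the table's hashes; an empty result only means none of those exact files are present.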
