Block malware whit SHA-256

I need a solution


I have 2 SEPM console in version 14.0.3752.1000 with sep clients versions 12.6 and 14, and is possible to block a malware with the sha-256 ? 

For example:

Indicators of Compromise (IoCs):
Related Hashes (SHA-256):

a3f2c60aa5af9d903a31ec3c1d02eeeb895c02fcf3094a049a3bdf3aa3d714c8 — TROJ_KILLMBR.EE
1a09b182c63207aa6988b064ec0ee811c173724c33cf6dfe36437427a5c23446 — TROJ_KILLDISK.IUE

Information from VirusTotal :

52 engines detected this file
SHA-256    a3f2c60aa5af9d903a31ec3c1d02eeeb895c02fcf3094a049a3bdf3aa3d714c8
File name    a3f2c60aa5af9d903a31ec3c1d02eeeb895c02fcf3094a049a3bdf3aa3d714c8.sample
File size    5.16 MB
Last analysis    2018-08-28 00:23:16 UTC

Basic Properties
MD5    9e33143916f648ec338f209eb0bd4789
SHA-1    2aa3803869edee7fa1ab7cf96d992ccfecc89e7b
Authentihash    7f134feb57a6af2d93c5276d25048704fecf1255fc22d873b18c16197f920557
Imphash    897a03097ab87dec1d9be48d739a8168
File Type    Win32 EXE
Magic    PE32 executable for MS Windows (GUI) Intel 80386 32-bit
SSDeep    24576:RFquItQkg9t8RLlwGcGZ7fgOUe9UEnc1ykkkVVqWyvLMekOc:RF3ItQz9pda7f35ncIsbHyIe
TRiD    Win32 Dynamic Link Library (generic) (38.4%)
Win32 Executable (generic) (26.3%)
OS/2 Executable (generic) (11.8%)
Generic Win/DOS Executable (11.6%)
DOS Executable Generic (



Case Study: Disconnected ICA Sessions Do Not Reconnect To The Same Server

  • From CDF Traces collected from VDA we could see that LogonComplete was not being logged for the session.
  • Wfshell.exe is supposed to log LogonComplete for the session. From the CDF Traces we found that Wfshell.exe was not loaded for any of the sessions
  • Cmstart.exe is responsible for loading Wfshell.exe.
  • From the CDF Traces we found that cmstart.exe was actually being loaded from c:Informatica9.5.0clientsDTbincmstart.exe instead of C:Program Files (x86)Citrixsystem32cmstart.exe.

2018/05/16 15:51:25:60087,28408,12104,-1,MfApHook,,413,DllMain,7,TC_HOOK_LOAD,”MFAPHOOK: Loading into process c:Informatica9.5.0clientsDTbincmstart.exe

  • Since third party cmstart.exe did not load Wfshell.exe, the logon was not being marked as complete and hence the session was not reconnected to the the same disconnected session.


Some third party software installations like Informatica utilize an executable file named cmstart.exe and modify the environment variables to point to their executable. Because XenApp/XenDesktop also use an executable named cmstart.exe located atC:Program Files (x86)Citrixsystem32cmstart.exe for the launch of published applications, it might confuse and locate and launch cmstart.exe of the third party software instead.

One common reason for XenApp/XenDesktop to locate the wrong cmstart.exe is because the third party software might have modified the environment path variables and put the path of its own cmstart.exe before Citrix’s cmstart.exe. Hence the variables provided by the third party software gets priority and that result’s in launching third party cmstart.exe instead of Citrix smstart.exe during the logon process.

This is the default environment path variable before the third party software Informatica installation :

%SystemRoot%system32;%SystemRoot%;%SystemRoot%System32Wbem;%SYSTEMROOT%System32WindowsPowerShellv1.0;C:Program Files (x86)Citrixsystem32

This is the modified environment path variable after the third party software Informatica installation :

C:Informatica9.5.0clientsDTbincmstart.exe;%SystemRoot%system32;%SystemRoot%;%SystemRoot%System32Wbem;%SYSTEMROOT%System32WindowsPowerShellv1.0;C:Program Files (x86)Citrixsystem32


WSS Block executables into zip file

I need a solution

Hello everyone

I need you help, in my portal of WSS I do a rule to block all executable files *.exe, according this KB

The rule work fine, but if the file *.exe is compress in file *.zip don´t work

Any idea of ​​why it does not work like that?


Andres Garcia





Error # 9100. Command name: CORRELATIONS Unable to load the executable library associated with the current command. Either the relevant option has not been installed, the library is not in the same directory as the SPSS Statistics executable, the library has been erased, or there is insufficient disk space for swapping. Execution of this command stops


Can’t open Properties of an exe file on Windows share

I need a solution

I have noticed longer times opening Properties for an exe file before, but maybe in 14 it became worse. Today i was trying to view exact size of a ~180 MB executable (installer) and just couldn’t. Waiting for minutes didn’t do anything and i couldn’t even restart after that as Windows was hanging on the Logging off screen (logon session hanging because of SEP messing around with Explorer). The only way to do this is to copy a file locally and then view the Properties, which is not convenient. I understand thaty resident has to do its job, but this is ridiculous. If i disable SEP everything works fine.