Hello Everyone,
Is there any way to block a list of file hashes in an ADC policy using a txt file? It's difficult to block them manually one by one, so please let me know if we can import a file to block all the hashes.
Hello, I don't know if this is the right place to post this, but our Symantec Endpoint Protection just flagged SEP_SupportTool.exe as potential malware and deleted the file. The SHA-256 hash of the file is A87D1A8EFCD1B8628861E949ED9E8774928E72482CEC74483F70400A8C8E94CC
I was wondering if anyone else is getting these notifications, and also whether someone can verify that this file is from Symantec?
Hello everyone,
I have been using the RESTful API for managing file fingerprint lists on my SEP Manager, for system lockdown blacklisting. This is done by means of a Python script that accepts MD5 hashes via CSV and updates the related fingerprint list on the manager using the "update an existing blacklist" API function. This API function appears to overwrite the particular fingerprint file entirely with the set of file hashes provided, whereas, ideally, I would want to append the new list to the existing set of hashes within the same fingerprint file. I would like to know if this feature is available via the API or if it will be made available in the future. This would greatly help automation scripts to easily add and remove hashes from a fingerprint file.
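One way to get append semantics out of an update call that overwrites the whole list is read-merge-write: fetch the current list, union it with the hashes from the CSV, and write the union back. The following is an added Python example, not the poster's script and not Symantec's code; the endpoint path, the `data` field name and the authenticated `requests.Session` are assumptions to be checked against the SEPM REST API reference, and the CSV content is constructed sample input.

```python
import csv
import io
import re
from typing import Dict, Iterable, List

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample input: first column holds the MD5, other columns are ignored.
SAMPLE_CSV = """md5,comment
d41d8cd98f00b204e9800998ecf8427e,empty file
9E107D9D372BB6826BD81D3542A419D6,quick brown fox

not-a-hash,skipped
"""

def load_hashes_from_csv(csv_text: str) -> List[str]:
    """Return the MD5 values in column 1, skipping blank rows, headers and junk."""
    hashes = []
    for row in csv.reader(io.StringIO(csv_text)):
        if row and MD5_RE.match(row[0].strip()):
            hashes.append(row[0].strip())
    return hashes

def merge_fingerprints(existing: Iterable[str], new: Iterable[str]) -> List[str]:
    """Union of both lists, lower-cased and de-duplicated, first-seen order kept.
    Writing this union back makes the overwrite-style update behave like an append."""
    seen: Dict[str, None] = {}
    for h in list(existing) + list(new):
        h = h.strip().lower()
        if not MD5_RE.match(h):
            raise ValueError(f"not an MD5 hash: {h!r}")
        seen.setdefault(h, None)
    return list(seen)

def append_to_fingerprint_list(session, base_url: str, list_id: str, csv_text: str) -> List[str]:
    """Read-merge-write against the manager.
    ASSUMPTIONS: 'session' is an authenticated requests.Session; the endpoint
    path and the 'data' field name are placeholders to verify against the SEPM
    REST API reference before use."""
    url = f"{base_url}/sepm/api/v1/policy-objects/fingerprints/{list_id}"
    resp = session.get(url)
    resp.raise_for_status()
    body = resp.json()
    body["data"] = merge_fingerprints(body.get("data", []), load_hashes_from_csv(csv_text))
    session.put(url, json=body).raise_for_status()
    return body["data"]
```

Removing hashes works the same way: filter the fetched list instead of extending it, then write the result back with the same update call.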
Just started to test SEP 15, and installed it on my test machine using the default policy.
It identified a file, NTOSKRNL.EXE, with the following file hash:
5379732000000000000000000000000000000000000000000000000000000000
This hash is not correct, as the PowerShell Get-FileHash command gives this instead:
C732B1DD3480285B6666641BC417A0C897884331229F47B055B79A9E42DF4282
That one is a known file on VT. Any idea why Symantec's hash calculation would be incorrect? Or what I should do next?
Hi All,
I'm wondering if there's a way to add multiple MD5 hashes at once to an Application Control Rule Set. Or do they have to be added one at a time by choosing "Add" and going through the steps for each one?
Hi everyone,
I've been at it all day and still can't find a solution.
I'm working with SA 7.3.4.
I configured a custom hash list via this guide -> https://origin-symwisedownload.symantec.com/resour…
Now, after I send a test file that I have entered into this list, I can see in the reputation that custom hash list VERDICT=10.
I have tried to create a rule (with syslog and mail alerts) that will catch all these "black" files.
hope you guys can help 🙂
You can get the bucket-wipe tool here:
WARNING: This will erase the bucket and all of its data! Please make absolutely sure this is what you want.
http://130753149435015067.public.ecstestdrive.com/share/bucket-wipe-1.9.jar
usage: java -jar bucket-wipe.jar [options] <bucket-name>
-a,--access-key        the S3 access key
-e,--endpoint          the endpoint to connect to, including protocol, host, and port
-h,--help              displays this help text
-hier,--hierarchical   Enumerate the bucket hierarchically. This is recommended for ECS's filesystem-enabled buckets.
--keep-bucket          do not delete the bucket when done
-l,--key-list          instead of listing bucket, delete objects matched in source file key list
--no-smart-client      disables the ECS smart-client. use this option with an external load balancer
-p,--prefix            deletes only objects under the specified prefix
-s,--secret-key        the secret key
--stacktrace           displays full stack trace of errors
-t,--threads           number of threads to use
--vhost                enables DNS buckets and turns off load balancer
Hi,
I'd like to know how the SONAR detection report in the SEPM console works, because Reports/Risk/SONAR Detection Results for the past month only shows:
Indicator | Number | Percentage
Permitted Applications | 0 | 0.0%
Confirmed Risks | 0 | 0.0%
Detected Risks Not Confirmed | 3 | 100%
Application Name | Application Version | Hash Type / Application Hash | Computer | Company Name
Sistema operativo Microsoft® Windows® | 10.0.14409.1005 | SHA-256 70ba57fb0bf2f34b86426d21559f5f6d05c1268193904de8e959d7b06ce964ce | 099W6671-VMWIN7 | Microsoft Corporation
Sistema operativo Microsoft® Windows® | 6.1.7600.16385 | SHA-256 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7 | 099W6671-VMWIN7 | Microsoft Corporation
Sistema operativo Microsoft® Windows® | 6.1.7601.17514 | SHA-256 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae | 099W6671-VMWIN7 | Microsoft Corporation
And in the Risk Distribution by Protection Technology for the last month it shows:
SONAR Detection | 117
SONAR Detection | 117 | 1.9
SONAR.MSOffice!g26 | 95 | 1.5
SONAR.Powershell!g25 | 12 | 0.2
SONAR.PsEmpire!gen8 | 10 | 0.2