Using applocker to deny by hash rule

    Question

  • Is there a way to block a file by hash without actually having the file?  This was trivial in Server 2003 software restriction policies.  I could paste a hash into a rule, and it did its job.  Now it appears that I need to have the file to calculate the hash.  This won't work in my scenario, as I am trying to block a particular piece of malware whose hash is known, but I don't actually have an instance of the file itself.  I can't seem to do this with software restriction policies or AppLocker.
    • Edited by steelie Thursday, February 12, 2015 1:15 PM
    Thursday, February 12, 2015 1:14 PM

All replies

  • > Is there a way to block a file by hash without actually having the file?
     
    Short, but unsatisfying answer: No.
     

    Martin

    Ever read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Marked as answer by steelie Thursday, February 12, 2015 1:49 PM
    Thursday, February 12, 2015 1:47 PM
  • Any reason you know of why this capability no longer exists?
    Thursday, February 12, 2015 1:49 PM
  • > Any reason you know of why this capability no longer exists?
     
    "No longer"? In terms of AppLocker, it never did. And SRP is still
    available for you :)
     

    Martin

    Friday, February 13, 2015 11:15 AM
  • Not with the newer version of SRP.  With the old version of SRP (Server 2003) I could just paste a hash into the rule, without needing the file... the newer version of SRP (Server 2008) will not allow me to use a hash without providing the file... and you are correct that AppLocker has never had this ability.  This is a pretty significant shortcoming, in my opinion.

    Friday, February 13, 2015 12:40 PM
  • > has never had this ability.  This is a pretty significant shortcoming,
    > in my opinion.
     
    Hm - I see your point, but I don't fully agree with "shortcoming". Hash
    rules to deny are as easy to circumvent as path rules to deny :)
     

    Martin

    Monday, February 23, 2015 5:31 PM
  • Sure they are easy to circumvent, only if you are aware of the blocking rule, and the malware can realize it's being blocked and mutate/regenerate itself.  That's a pretty small bucket of malware, and since 99% of the malware out there is not intelligently designed, the hash blocking rules would be pretty useful.  It still is the method of choice for most AV researchers.  Guess I'll need to use third-party tools... (http://md5deep.sourceforge.net/ is a good one for anyone else who may be interested.)  

    Once again, a useful feature that used to exist natively in Windows, but was removed for whatever reason...

    Tuesday, February 24, 2015 2:10 PM
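The thread leaves the hash-rule mechanics implicit, so here is an added example (my own, not code from any poster or from Microsoft) showing what an AppLocker deny-by-hash rule looks like as policy XML, how to merge it into an existing policy without accidentally turning on default-deny, and where blocked executions show up for detection. The hash value, file name, file length and rule name are placeholders, not real indicators. It assumes AppLocker's documented behaviour that PE files are hashed with the SHA-256 Authenticode hash (the value Get-AppLockerFileInformation reports), so a flat SHA-256 or an MD5 from a tool like md5deep will not match a PE file.

```powershell
# Added example, not from the thread. Placeholders below are NOT real indicators.
# AppLocker hashes PE files with the SHA-256 Authenticode hash, so the published
# value you paste here must be that form (not flat SHA-256, never MD5).
$KnownHash  = '0x' + ('00' * 32)      # PLACEHOLDER: 32-byte hash, hex, AppLocker's "0x..." format
$FileName   = 'sample.exe'            # PLACEHOLDER: original file name (informational only)
$FileLength = 0                       # PLACEHOLDER: size in bytes (informational only)
$RuleName   = 'Deny known-bad hash (placeholder)'

# A single Deny rule expressed as an AppLocker policy fragment. EnforcementMode is
# left NotConfigured so importing the fragment alone never changes enforcement.
$fragment = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FileHashRule Id="$([guid]::NewGuid())" Name="$RuleName"
                  Description="Authored from a published hash; sample not on hand"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="$KnownHash"
                    SourceFileName="$FileName" SourceFileLength="$FileLength" />
        </FileHashCondition>
      </Conditions>
    </FileHashRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Merge into the effective policy offline. AppLocker is default-deny as soon as a
# collection contains any rule, so a Deny rule must sit next to existing Allow rules.
[xml]$policy   = Get-AppLockerPolicy -Effective -Xml
[xml]$addition = $fragment
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe -or $exe.ChildNodes.Count -eq 0) {
    throw 'No Exe allow rules present; adding a lone Deny rule would block every executable.'
}
$node = $policy.ImportNode($addition.AppLockerPolicy.RuleCollection.FileHashRule, $true)
[void]$exe.AppendChild($node)
$mergedPath = Join-Path $env:TEMP 'applocker-merged.xml'
$policy.Save($mergedPath)

# Sanity check against a file you DO have: a known-good binary must still be allowed.
Test-AppLockerPolicy -XmlPolicy $mergedPath -Path 'C:\Windows\System32\notepad.exe' -User Everyone

# Apply locally (use -Ldap 'LDAP://...' to target a GPO instead). Start in AuditOnly
# by editing EnforcementMode in the merged XML if you want to observe before enforcing.
# Set-AppLockerPolicy -XmlPolicy $mergedPath

# Detection: 8004 = blocked, 8003 = would have been blocked in AuditOnly mode.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message -First 20
```

The reason the GUI demands the file is that it computes the hash and the SourceFileName/SourceFileLength attributes for you; importing XML skips that step, so the hash you supply must already be in AppLocker's own form. The Test-AppLockerPolicy line is the check worth never skipping: a policy whose only Exe rule is a Deny blocks everything else by default.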