This article contains information on Sophos Labs' response to customers requesting information on file hashes that have been identified by third-parties as either malicious files or as IoCs (Indicators of Compromise).
Although hashes are a mainstay of reports and advisories from crime prevention organisations and government bodies, they are unfortunately not the best way of understanding whether you are protected against a particular threat.
This article aims to explain the reasons behind this and to help customers understand whether they are protected. The following sections are covered:
A hash (often referred to as an MD5, SHA1 or SHA256 hash or value) is intended to be a unique value that relates to one particular file. It can be based on file size, structure, name and details, and is usually used to ensure that a particular file is in fact the file that you think it is. When it comes to hashes for "malicious" files or IoCs, the assumption is that if your antivirus software detects that particular hash then you are protected against the documented threat (or at least the part of it that file is responsible for).
For example (taken from our article Living off another land: Ransomware borrows vulnerable driver to remove security software):
We saw that the named files had the specific SHA256 hashes mentioned above.
We can generally assume that a particular hash relates to a particular file, and therefore that blocking that file will protect against a particular threat from that file. The issue arises when you consider how this behaviour is gathered and implemented. For this to work, a security vendor needs to create one detection for each individual hash, and therefore for each individual file; given the potential trillions of file combinations this is infeasible, which is why most security vendors have not relied solely on legacy identity-based solutions for a significant amount of time, in favour of next-gen solutions (such as Sophos Intercept X and Sophos Deep Learning).
Traditional antivirus solutions (including Sophos Antivirus) also make wide use of "generic" detections, which work by looking for common file structures or other file properties to identify files that, although we do not have a specific detection for them, are similar enough to other known malware to warrant blocking. Without a sample of the particular file in question we cannot tell whether or not a file related to a particular hash is covered by these "generic" detections.
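To make the contrast between a per-file hash identity and a "generic" structural detection concrete, here is an added illustration (not code from the Sophos article or from any Sophos product). It uses two constructed, harmless byte strings standing in for two builds of the same file family; the blocklist and the structural rule are toy assumptions for the demonstration.

```python
import hashlib

# Constructed sample "files": two harmless byte strings standing in for two
# builds of one file family. They differ by a single byte (v1 vs v2).
VARIANT_A = b"MZ" + b"\x90" * 14 + b"PE\x00\x00" + b"SampleFamily build v1"
VARIANT_B = b"MZ" + b"\x90" * 14 + b"PE\x00\x00" + b"SampleFamily build v2"


def file_hashes(data: bytes) -> dict:
    """Return the MD5, SHA1 and SHA256 digests an advisory would typically list."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


# A hash blocklist in the style of an advisory IoC table: one entry per known file.
# Only variant A has been "seen", so only its SHA256 is listed (assumption).
BLOCKLIST = {file_hashes(VARIANT_A)["sha256"]}


def hash_detection(data: bytes) -> bool:
    """Legacy identity-style check: matches only an exact, previously seen file."""
    return file_hashes(data)["sha256"] in BLOCKLIST


def generic_detection(data: bytes) -> bool:
    """Toy 'generic' rule: looks at properties shared across the family
    (DOS 'MZ' magic, a 'PE' signature and a family marker string), so an
    unseen variant can still be flagged. A hypothetical rule, not a real signature."""
    return data.startswith(b"MZ") and b"PE\x00\x00" in data and b"SampleFamily" in data


def compare(data: bytes) -> tuple:
    """Return (hash-blocklist match, generic-rule match) for one sample."""
    return hash_detection(data), generic_detection(data)


if __name__ == "__main__":
    for label, sample in (("variant A (on blocklist)", VARIANT_A), ("variant B (never seen)", VARIANT_B)):
        matched_hash, matched_generic = compare(sample)
        print(f"{label}: sha256={file_hashes(sample)['sha256'][:16]}... "
              f"hash-match={matched_hash} generic-match={matched_generic}")
```

A one-byte change gives an entirely different SHA256, so the hash blocklist misses variant B while the structural rule still catches it; this is the gap a bare hash lookup cannot tell you about.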
The real problem arises when a customer requests information on whether we protect against a particular threat and the only information that the customer has available is the file hash. With the file hash we can define:
However, beyond the above there is not much more information we can gather. If the file hash does not match a file that we have seen before, all we can say is that we haven't seen the file before. In the days of traditional identity-based antivirus solutions this could indicate that we do not protect against the threat posed by that file. With the advent of next-gen security solutions, however, there is more protection at hand.
As discussed above a static legacy hash based detection relies on a security vendor having seen a particular unique instance of a file. Next-gen security software does not require this and can detect a malicious or suspicious file on a number of different metrics, including:
With the above information we can either build up a picture of the file to allow a solution (such as Sophos Intercept X with Deep Learning) to make an educated decision on it, or block outright on purely malicious behaviour (such as with Sophos CryptoGuard). This richer picture also allows security vendors to write rules (rather than identities), so that security software can catch many files with one rule rather than one file with one identity.
Sophos provides the below functionality, provided by the following components:
The only way to guarantee that you are protected against a particular threat or file is to provide Sophos Labs with a sample of that file. This can be submitted by following the guidelines in this article. Submitting a sample allows Sophos Labs to safely execute the file and validate if the behaviour it exhibits, the structure of the file itself or its reputation data are already detected by Sophos. Without a sample of a file all we can do is determine if we have seen the particular file before.
If all you have been provided with is the hash of a file, you can enter this hash into VirusTotal to determine whether Sophos have seen this file before. However, please remember that just because Sophos have not seen a file does not mean that we do not protect against any threat it may exhibit. We can only fully confirm this by analysing a sample of the particular file, as hashes do not take into account the additional protection provided by behaviour-based, structure-based or reputation-based scanning.
If you are concerned that you may not be protected, the below guidelines are a general rule:
If you are a customer of Sophos Intercept X with EDR then you can specify particular SHA256 hashes for executable files that you wish to block and clean in your environment. This can provide some pre-emptive protection against unknown hash based threats on top of the other next-gen functionality provided by Sophos Intercept X with EDR.
Alternatively if you need the ability to check Sophos Labs data on a regular basis for sample files, URL categorization queries or other threat intelligence you may be interested in Sophos Labs Intelix.