
Hash file

Hi,


We have SCE 5.5.1. We are interested in having the file hash when Sophos detects that a file is a threat. We want to be able to use this hash to integrate it with our SIEM and to analyze it with VirusTotal automatically.

Other antivirus products store this value without problems.

I have seen that in the database there is a field for the hash value, but it is only filled in when the threat is from a file already registered in SCE; therefore 99% of the rows in the database for files detected as threats do not have a value.

Add this value to the database; it costs nothing, and I do not understand how it is implemented compared to the rest of the antivirus products on the market. Every day I am more disenchanted with the product and we are considering a change.

We have called support and they indicate that they have no idea and cannot help me, and that I can raise this query in the community. If they do not know, or they do not want to escalate the question to another level or department of Sophos... it leaves much to be desired.


Thanks


Regards



This thread was automatically locked due to age.
  • Hello SistemasSanLucar,

    "Others have it" is a legitimate interjection but not necessarily proof of value.

    "analyze it with Virustotal"
    AFAIK one doesn't analyze hashes with VirusTotal - unless you call obtaining the other vendors' verdicts analysis. And even if just one vendor (whatever vendor) assesses a file a threat and all others say it's clean, the one might nevertheless be right - especially with new threats. Speaking of new threats - the whole procedure is useless if the hash isn't known at VirusTotal - isn't it?

    No derision intended - what is the value of submitting the hash via your SIEM? What do you do with the results?

    Christian

  • Hi

    It is clear that VirusTotal may not have scanned the file and therefore may not have the hash stored, but you can submit the file for a new scan and make it available to the community in case there is a subsequent match from other users.

    It is also clear that hashes can be changed, but they are not always changed.

    It is about having a tool that can help; in some cases it will be helpful and in others it will not.

    My intention is to always have the infections detected by Sophos, their hash and the verdict of VirusTotal. Even to be notified automatically, when a virus is detected by Sophos, of the second verdict from VirusTotal if it exists.

    What is clear to me is that right now I cannot do it because Sophos does not keep that hash value (unless someone tells me otherwise).

    But if many of the most important antivirus products have it... there must be a reason. It costs very little to have that functionality.

    Implementing what you want is very easy, but I cannot because Sophos does not have the file's hash.

    What I see is that you are trying to deflect from that shortcoming, making it seem like something not necessary, without foundation, not useful, etc.

    Many products use the cloud to send, scan and exchange file hash information. Many of these products are in the Gartner quadrant above Sophos. If they use it, it will be because it has some use.

    www.gartner.com/.../endpoint-protection-platforms

    In a zero-day attack, you start to see the samples and the relationships are made. It may always be that your file may or may not match, or may do so days later.

    Regards
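The workflow described in this thread (a Sophos detection record, the file's hash, a VirusTotal second opinion, all delivered to a SIEM), together with Christian's point that a hash VirusTotal has never seen yields no verdict at all, as an added example that is not part of the thread and not Sophos or VirusTotal code. The record field names, threat names and sample file contents are constructed for the example. The real VirusTotal v3 call is `GET /api/v3/files/{sha256}` with an `x-apikey` header, which answers 404 for an unknown hash; here that call is replaced by an injected lookup function so the script runs offline.

```python
import hashlib
import json
import os
import tempfile
from typing import Callable, Dict, Optional

# Constructed sample file contents, so the hashes can be computed locally.
KNOWN_SAMPLE = b"constructed sample that VirusTotal has already seen"
UNSEEN_SAMPLE = b"constructed sample that VirusTotal has never seen"

# Offline stand-in for VirusTotal: sha256 -> last_analysis_stats (the shape the
# v3 API returns under data.attributes). Only the known sample has an entry.
FAKE_VT_DB: Dict[str, Dict[str, int]] = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): {
        "malicious": 23, "suspicious": 1, "undetected": 40, "harmless": 0,
    }
}


def sha256_of_file(path: str) -> str:
    """Hash the file in chunks so a large quarantined file is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fake_vt_lookup(sha256: str) -> Optional[Dict[str, int]]:
    """Stand-in for GET /api/v3/files/{sha256}; None plays the role of HTTP 404."""
    return FAKE_VT_DB.get(sha256)


def enrich_detection(record: dict,
                     vt_lookup: Callable[[str], Optional[Dict[str, int]]]) -> dict:
    """Attach the file hash and a VirusTotal second opinion to a detection record.

    A hash VirusTotal has never seen is reported as 'unknown', never as clean:
    the absence of a verdict is not a verdict.
    """
    enriched = dict(record)
    enriched["sha256"] = sha256_of_file(record["path"])
    stats = vt_lookup(enriched["sha256"])
    if stats is None:
        enriched["vt_status"] = "unknown"
        enriched["vt_malicious"] = None
        enriched["vt_engines"] = None
    else:
        enriched["vt_status"] = "known"
        enriched["vt_malicious"] = stats.get("malicious", 0) + stats.get("suspicious", 0)
        enriched["vt_engines"] = sum(stats.values())
    return enriched


def to_siem_event(enriched: dict) -> str:
    """One JSON object per line, the form most SIEM collectors ingest directly."""
    return json.dumps(enriched, sort_keys=True)


def write_sample(content: bytes) -> str:
    """Write constructed sample bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="sce_sample_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def run_demo() -> list:
    """Process two constructed detections: one VirusTotal knows, one it does not.

    The record fields (host, threat, path) are assumptions, not the SCE schema.
    """
    detections = [
        {"host": "WS01", "threat": "Troj/Example-A", "path": write_sample(KNOWN_SAMPLE)},
        {"host": "WS02", "threat": "Troj/Example-B", "path": write_sample(UNSEEN_SAMPLE)},
    ]
    results = []
    for det in detections:
        results.append(enrich_detection(det, fake_vt_lookup))
        os.remove(det["path"])
    return results


if __name__ == "__main__":
    for event in run_demo():
        print(to_siem_event(event))
```

Swapping `fake_vt_lookup` for a real HTTP client keeps the rest unchanged; the one rule worth preserving is that an unknown hash produces `vt_status: unknown` so the SIEM can route it for submission or manual review instead of treating silence as a clean result.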

  • Hello SistemasSanLucar,

    sorry for the delayed reply.
    "you are trying to divert that lack"
    Obviously I haven't made my motivation clear, I'll try to explain. Apparently you want some additional functionality. As every commercial producer, Sophos weighs costs and yields. While you can say "It costs very little" or "Implementing [...] is very easy", you normally need detailed knowledge of the product's working to substantiate such statements.
    Assuming that, contrary to your presumption, the costs are non-negligible, you'd have to provide more "convincing" arguments. Convincing meaning that either Marketing is confident this will attract customers, Development can see additional uses and make a case, or other customers "buy" your idea so that there is enough demand.

    Christian