Identify Known Malware By Hash (MD5) Across Network












I need to design a solution that will allow me to submit a series of MD5 hashes and then be alerted if these hashes are found on any machine (Windows) on the network. I'm open to existing solutions (probably preferred).

I frequently use tools such as EnCase or FTK in conjunction with file hashes to do several things (identify known bad files, exclude known good files, etc.). However, neither of these tools is ideal for a large network scan, although there is some capability there.

For example, it would be ideal if A/V like SEP could be configured to do this. It's already installed and it's already reading the files during scans or other events. Whatever the solution, it seems like it should involve an agent on the target of the scan. We can't pull each file and hash it. It should happen on the client with just the results reported.

Any/all help is appreciated. Thanks!










migrated from security.stackexchange.com Apr 16 '14 at 13:42


This question came from our site for information security professionals.























      Tags: hashing, malware






      asked Apr 15 '14 at 14:45









      Matt

          3 Answers
          Maybe the open source project md5deep could be of help for you (http://md5deep.sourceforge.net/). It supports recursive calculation of various hash digests (including MD5) of content within a path. The program also supports the possibility for you to supply a (black)list of MD5s to match against.



          You need to get it to the various machines on the network and work out some communication solution between the machines.






          answered Apr 15 '14 at 21:26 by user1736982































            I don't know of any automatic solution that does this, but here are two ideas from the top of my head:

            • ClamAV is open-source: there's likely a way to modify it (or maybe even to use it out of the box) so it does just what you want. Maybe by setting up a local signature update repository?

            • Yara seems like a good candidate as well, although it can't fetch signatures by itself. You'll need to do some scripting.

            Basically, you have two signature matching engines here that will take care of the tedious system-wide scanning process. What you have to do from here is to take care of the automation. Depending on your network configuration, it can go from a couple of Python lines and a cron job to GPOs, I guess.






            answered Apr 15 '14 at 14:54 by Executifs; edited May 31 '17 at 8:39 by Eknoes
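Added example, not code from the question, from md5deep or from either answer above: the client-side piece that the md5deep blacklist matching in the first answer and the "couple of Python lines" in the second both leave to the reader. A standard-library-only agent that hashes every regular file under a path once, matches the digests against an md5sum/md5deep-style MD5 list, and returns a per-host report of hits plus the files it could not read. The list contents, file names and paths in `demo()` are constructed sample data; shipping the JSON report to a collector is left to the caller.

```python
"""Minimal hash-matching scan agent for one host (Python 3, standard library only).

Added example; not code from the question, md5deep or either answer. It does the
client-side work both answers leave to the reader: hash every file under a path
once, compare against a supplied MD5 list, and hand back a report for collection.
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB blocks so a large file is never held in memory


def parse_hash_list(text):
    """Accept one MD5 per line, or md5sum/md5deep style 'hash  filename'.

    Blank lines and '#' comments are ignored; only 32-hex-digit tokens are kept
    and they are lower-cased so matching is case-insensitive.
    """
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        token = line.split()[0].lower()
        if len(token) == 32 and all(c in "0123456789abcdef" for c in token):
            hashes.add(token)
    return hashes


def md5_file(path):
    """MD5 of a file's contents, streamed block by block."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def scan_path(root, blacklist):
    """Recursively hash regular files under root; return (hits, errors).

    Symlinks are skipped rather than followed, and files that cannot be read are
    recorded in errors instead of being dropped silently: a report that says
    'no hits' is only meaningful if it also says what was not checked.
    """
    hits, errors = [], []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = md5_file(path)
                size = os.path.getsize(path)
            except OSError as exc:
                errors.append({"path": path, "error": str(exc)})
                continue
            if digest in blacklist:
                hits.append({"path": path, "md5": digest, "size": size})
    return hits, errors


def build_report(root, blacklist):
    """One JSON-serialisable record per scan, ready to ship to a collector."""
    hits, errors = scan_path(root, blacklist)
    return {
        "host": socket.gethostname(),
        "scanned_root": root,
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "list_size": len(blacklist),
        "hits": hits,
        "errors": errors,
    }


def demo():
    """Constructed sample run: three files in a temp dir, two with content on the list.

    Returns (sorted base names of hits, full report). The empty file is deliberately
    included: the empty-file digest often ends up in hash lists and then matches
    every zero-byte file on the host, so it is worth spotting in a dry run like this.
    """
    hash_list = """
    # constructed list: md5 of b'hello' in md5sum style, then the empty-file md5
    5d41402abc4b2a76b9719d911017c592  known_bad_sample.bin
    D41D8CD98F00B204E9800998ECF8427E
    """
    blacklist = parse_hash_list(hash_list)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "renamed.bin"), "wb") as f:
            f.write(b"hello")  # listed content under a different name: still a hit
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"The quick brown fox jumps over the lazy dog")  # not listed
        open(os.path.join(root, "empty"), "wb").close()  # zero bytes: listed
        report = build_report(root, blacklist)
    names = sorted(os.path.basename(h["path"]) for h in report["hits"])
    return names, report


if __name__ == "__main__":
    hit_names, full_report = demo()
    print(json.dumps(full_report, indent=2))
```

Matching is by content only, so a renamed copy is still a hit; for a real deployment the `errors` list is as important as `hits`, since it shows which files the agent never hashed.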

































              Thanks for your responses. This is what I'm hearing from some folks I know in the industry.



              This can be done with SEP, possibly a couple of different ways. Here is one reference:
              http://www.symantec.com/business/support/index?page=content&id=HOWTO80848



              There is a feature for this in Bit9/Carbon Black.
              https://www.bit9.com/solutions/carbon-black/



              Bigfix (IBM Endpoint Manager) can do this.
              ...couldn't post link



              Palo-Alto Firewall can hash files while still in transit....couldn't post link.



              Don't get me wrong. Free/open source is great. It's usually a tradeoff for how much customization/implementation work you will need to do on your own.



              Thanks again!






              answered Apr 17 '14 at 21:53 by Matt
























              • This really isn't an answer to your question. Since this is not a forum I have to downvote this answer since it's more of a "response" than an actual answer.

                – Ramhound
                Apr 17 '14 at 22:02











              • Hi...my original problem was stated as: "I need to design a solution that will allow me to submit a series of MD5 hashes and then be alerted if these hashes are found on any machine (Windows) on the network. I'm open to existing solutions (probably preferred)." I listed solutions that accomplish this and included the link that references either how or the confirmation that it can be done. I was attempting to provide the solution, not just have a discussion.

                – Matt
                Apr 21 '14 at 19:29













              • You don't have to thank people for answers in an answer you post. This isn't a discussion forum.

                – Ramhound
                Apr 21 '14 at 19:40











              • Still confused because your first response was that my reply really wasn't an answer. Now the issue is that I said "thank you". I see thousands of examples of this here. You obviously have some serious experience here, so I'll do my best to comply going forward.

                – Matt
                Apr 22 '14 at 13:37











              • As I indicated, this question seems more like a response to the other answers instead of being an answer that stands by itself.

                – Ramhound
                Apr 22 '14 at 13:40










