Identify Known Malware By Hash (MD5) Across Network
I need to design a solution that will allow me to submit a series of MD5 hashes and then be alerted if these hashes are found on any machine (Windows) on the network. I'm open to existing solutions (probably preferred).
I frequently use tools such as EnCase or FTK in conjunction with file hashes to do several things (identify known bad files, exclude known good files, etc.). However, neither of these tools is ideal for a large network scan although there is some capability there.
For example, it would be ideal if A/V like SEP could be configured to do this. It's already installed and it's already reading the files during scans or other events. Whatever the solution, it seems like it should involve an agent on the target of the scan. We can't pull each file and hash it. It should happen on the client with just the results reported.
Any/all help is appreciated. Thanks!
hashing malware
migrated from security.stackexchange.com Apr 16 '14 at 13:42
This question came from our site for information security professionals.
asked Apr 15 '14 at 14:45
Matt
3 Answers
Maybe the open source project md5deep could be of help for you (http://md5deep.sourceforge.net/). It supports recursive calculation of various hash digests (including MD5) of content within a path. The program also supports the possibility for you to supply a (black)list of MD5s to match against.
You need to get it to the various machines on the network and work out some communication solution between the machines.
answered Apr 15 '14 at 21:26
user1736982
I don't know of any automatic solution that does this, but here are two ideas from the top of my head:
- ClamAV is open-source: there's likely a way to modify it (or maybe even use it out of the box) so it does just what you want. Maybe by setting up a local signature update repository?
- Yara seems like a good candidate as well, although it can't fetch signatures by itself. You'll need to do some scripting.
Basically, you have two signature matching engines here that will take care of the tedious system-wide scanning process. What you have to do from here is to take care of the automation. Depending on your network configuration, it can go from a couple of python lines and a cron-job to GPOs, I guess.
edited May 31 '17 at 8:39
Eknoes
answered Apr 15 '14 at 14:54
Executifs
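The two answers above both come down to the same client-side loop: hash every file under a path, compare the digests against a supplied blocklist (what md5deep's match mode does), and have some scripting report the hits back. The following Python script is an added illustration of that loop, not md5deep's, ClamAV's or Yara's code, and not from the original thread. It assumes nothing about the collector: `build_report` only shapes the result an agent would send, the file names and digests in `demo()` are constructed, and the tree it scans is a temporary directory it creates itself. It hashes MD5 and SHA-256 in one pass because MD5 is collision-prone and most current indicator feeds publish SHA-256, so a list of either kind can be matched.

```python
"""Endpoint-side known-bad hash sweep (added example; not md5deep/ClamAV code).

Recursively hashes every regular file under a root, matches digests against a
blocklist, and returns a report an agent could ship to a central collector.
Only digests and hit metadata leave the host; file contents never do.
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so large files are not read into memory
HEX = set("0123456789abcdef")


def hash_file(path):
    """Return (md5_hex, sha256_hex) for one file, computed in a single read."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def load_blocklist(text):
    """Parse one hex digest per line ('#' starts a comment; md5deep-style
    '<hash>  <filename>' lines are accepted by keeping the first token).
    32 hex chars -> MD5, 64 -> SHA-256; anything else raises so a malformed
    feed fails loudly instead of silently matching nothing."""
    md5s, sha256s = set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        token = line.split()[0]
        if len(token) == 32 and set(token) <= HEX:
            md5s.add(token)
        elif len(token) == 64 and set(token) <= HEX:
            sha256s.add(token)
        else:
            raise ValueError(f"blocklist line {lineno}: not an MD5 or SHA-256 hex digest")
    return md5s, sha256s


def sweep(root, md5s, sha256s):
    """Walk root and return (hits, errors). Unreadable files (locked, access
    denied) are recorded as errors rather than skipped: a sweep that could
    not read a file has not cleared it. Symlinks are not followed."""
    hits, errors = [], []
    for dirpath, _dirs, names in os.walk(root, followlinks=False):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                md5, sha256 = hash_file(path)
            except OSError as exc:
                errors.append({"path": path, "error": str(exc)})
                continue
            if md5 in md5s or sha256 in sha256s:
                hits.append({"path": path, "md5": md5, "sha256": sha256,
                             "size": os.path.getsize(path)})
    return hits, errors


def build_report(root, hits, errors):
    """Shape the result as the record an agent would post to a collector."""
    return {"host": socket.gethostname(),
            "scanned_at": datetime.now(timezone.utc).isoformat(),
            "root": root, "hit_count": len(hits), "hits": hits, "errors": errors}


def demo():
    """Self-contained run over constructed files in a temporary directory."""
    bad_bytes = b"constructed sample standing in for a known-bad binary\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "dropper.exe"), "wb") as fh:
            fh.write(bad_bytes)  # constructed "known bad" file
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"constructed benign file\n")
        # Constructed indicator list in md5deep output style: hash, filename.
        blocklist = ("# constructed indicator list\n"
                     f"{hashlib.md5(bad_bytes).hexdigest()}  dropper.exe\n")
        md5s, sha256s = load_blocklist(blocklist)
        hits, errors = sweep(root, md5s, sha256s)
        return build_report(root, hits, errors)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points a practitioner should keep in mind when turning this into an agent: exact-hash matching only catches byte-identical files, so a renamed or repacked sample is missed (that is where the Yara rules from the second answer earn their place), and the `errors` list matters as much as `hits`, because a locked or access-denied file is an unscanned file, not a clean one.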
Thanks for your responses. This is what I'm hearing from some folks I know in the industry.
This can be done with SEP, possibly a couple of different ways. Here is one reference:
http://www.symantec.com/business/support/index?page=content&id=HOWTO80848
There is a feature for this in Bit9/Carbon Black.
https://www.bit9.com/solutions/carbon-black/
Bigfix (IBM Endpoint Manager) can do this.
...couldn't post link
Palo-Alto Firewall can hash files while still in transit....couldn't post link.
Don't get me wrong. Free/open source is great. It's usually a tradeoff for how much customization/implementation work you will need to do on your own.
Thanks again!
answered Apr 17 '14 at 21:53
Matt
This really isn't an answer to your question. Since this is not a forum I have to downvote this answer since it's more of a "response" than an actual answer.
– Ramhound
Apr 17 '14 at 22:02
Hi...my original problem was stated as: "I need to design a solution that will allow me to submit a series of MD5 hashes and then be alerted if these hashes are found on any machine (Windows) on the network. I'm open to existing solutions (probably preferred)." I listed solutions that accomplish this and included the link that references either how or the confirmation that it can be done. I was attempting to provide the solution, not just have a discussion.
– Matt
Apr 21 '14 at 19:29
You don't have to thank people for answers in an answer you post. This isn't a discussion forum.
– Ramhound
Apr 21 '14 at 19:40
Still confused because your first response was that my reply really wasn't an answer. Now the issue is that I said "thank you". I see thousands of examples of this here. You obviously have some serious experience here, so I'll do my best to comply going forward.
– Matt
Apr 22 '14 at 13:37
As I indicated, this answer seems more like a response to the other answers instead of being an answer that stands by itself.
– Ramhound
Apr 22 '14 at 13:40