How to determine the unique hash of a file detected by Symantec Endpoint Protection

Article ID: 158528

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection has detected a file and successfully deleted or quarantined it. The pop-up notification presents the name of the threat, but this display name can be a very broad family (for example, Trojan.Horse). Is there a way to determine the unique hash of that detected file so that administrators can see if this exact file is the same Trojan.Horse as is being seen elsewhere in the organization?

Resolution

Though it is not displayed by default, it is possible to see the unique hash of a file detected either from the SEP client or from a Risk log exported from the Symantec Endpoint Protection Manager (SEPM). 


Viewing the SHA-256 on SEP Client

  1. Open the SEP client interface.
  2. Click View Logs.
  3. Beside Virus and Spyware Protection, click View Logs, then Risk Log.
  4. Double-click the entry in question to display the Risk Details. If the hash is known, it will be displayed.


Viewing the SHA-256 on the Symantec Endpoint Protection Manager

  1. Open the SEPM console.
  2. Select Monitors, then Logs.
  3. Run a report with Log Type: Risk.
  4. Export the generated report.
  5. Open the exported .csv report in a spreadsheet program. The Application Hash column is included in this export, even though it is not displayed on screen in the SEPM console.
  6. It is then possible to filter by Computer Name, by Application Hash, and so on to analyze the data.


Please note: Using the hashes seen in this report is a very crude method for determining whether the same variant is being seen throughout the organization. The SHA is not always available to SEP; malware authors use different packers and other tools to produce different hashes for the same threat; file-infecting threats will always show different hashes; and polymorphic threats will similarly always have different hashes.

Still, in certain circumstances, this sort of analysis can be quite useful for a security administrator.  Does one computer have the exact same Trojan.Horse variant detected over and over again (indicating that an undetected process is continuously attempting re-infection) or is it infected with several distinct threats which fall into the Trojan.Horse family?  Or: several computers across the organization have all encountered the exact same Downloader variant. What website have they all visited?  If that is an intranet URL, the security administrator should examine that webserver immediately. 
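The two questions above (one computer hitting the same hash over and over, or one hash showing up on many computers) can be answered directly from the exported Risk log. The script below is an added example, not part of this article or of SEPM; it assumes the export has columns named "Computer Name", "Risk Name" and "Application Hash" (adjust to match your export), and the rows and hash values are constructed placeholders rather than real detections.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the shape of an exported SEPM Risk log. Column names are
# an assumption about the export layout; "hash-a" etc. stand in for SHA-256 values.
# The last row has an empty Application Hash, as happens when SEP had no hash.
SAMPLE_CSV = """Computer Name,Risk Name,Application Hash,Event Time
HOST-01,Trojan.Horse,hash-a,2024-01-02 09:00
HOST-01,Trojan.Horse,hash-a,2024-01-02 09:15
HOST-01,Trojan.Horse,hash-a,2024-01-02 09:30
HOST-02,Trojan.Horse,hash-b,2024-01-02 10:00
HOST-03,Downloader,hash-c,2024-01-03 08:00
HOST-04,Downloader,hash-c,2024-01-03 08:05
HOST-05,Downloader,hash-c,2024-01-03 08:07
HOST-06,Trojan.Horse,,2024-01-03 11:00
"""


def load_risk_log(text):
    """Parse the CSV export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(StringIO(text)))


def analyze(rows, min_repeat=3, min_hosts=2):
    """Group detections by Application Hash.

    Returns hashes seen on at least min_hosts computers (possible spread via a
    shared source), (computer, hash) pairs detected at least min_repeat times
    (possible repeated re-infection), and how many rows carried no hash at all.
    """
    hosts_by_hash = defaultdict(set)      # hash -> computers that reported it
    hits_per_host = defaultdict(int)      # (computer, hash) -> detection count
    missing = 0
    for row in rows:
        digest = (row.get("Application Hash") or "").strip()
        if not digest:
            missing += 1                  # hash unknown; cannot correlate this row
            continue
        computer = row["Computer Name"].strip()
        hosts_by_hash[digest].add(computer)
        hits_per_host[(computer, digest)] += 1
    spread = {h: sorted(c) for h, c in hosts_by_hash.items() if len(c) >= min_hosts}
    reinfection = {k: n for k, n in hits_per_host.items() if n >= min_repeat}
    return {"spread": spread, "reinfection": reinfection, "missing_hash": missing}


if __name__ == "__main__":
    for key, value in analyze(load_risk_log(SAMPLE_CSV)).items():
        print(key, value)
```

Rows without a hash are counted rather than silently dropped, since a high count means the correlation is unreliable for that family, as the note above warns.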
