Symantec Endpoint Protection has detected a file and successfully deleted or quarantined it. The pop-up notification presents the name of the threat, but this display name can be a very broad family (for example, Trojan.Horse). Is there a way to determine the unique hash of that detected file so that administrators can see if this exact file is the same Trojan.Horse as is being seen elsewhere in the organization?
Though it is not displayed by default, it is possible to see the unique hash of a file detected either from the SEP client or from a Risk log exported from the Symantec Endpoint Protection Manager (SEPM).
Viewing the SHA-256 on SEP Client
Viewing the SHA-256 on the Symantec Endpoint Protection Manager
Please note: using the hashes seen in this report is a crude method for determining whether the same variant is being seen throughout the organization. A hash is not always available to SEP; malware authors use different packers and other tools to produce different hashes for the same threat; file-infecting threats will always show different hashes (each infected host file is a different file); and polymorphic threats will likewise always have different hashes. A matching hash therefore proves two detections are the same file, but a mismatch does not prove they are different threats.
Still, in certain circumstances this sort of analysis can be quite useful to a security administrator. Does one computer have the exact same Trojan.Horse file detected over and over again (which suggests an undetected process is continuously attempting re-infection), or is it encountering several distinct files that all fall into the Trojan.Horse family? Or: several computers across the organization have all encountered the exact same Downloader file. What website have they all visited? If it is an intranet URL, the security administrator should examine that web server immediately.
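The two questions above (the same hash repeating on one host, and one hash appearing on many hosts) can be answered mechanically from an exported Risk log. The following is an added example, not Symantec's code or any SEPM tool; it assumes a CSV export with the column names `Computer Name`, `Risk Name`, `File Path` and `SHA-256 Hash` (assumed here, so check the header of your own export and adjust the constants), and it embeds a constructed sample log. Rows whose hash column is empty are set aside rather than treated as matching each other, since SEP does not always have a hash for a detection.

```python
import csv
import io
from collections import Counter, defaultdict

# Column names are an assumption for this example; match them to your export.
HOST_COL = "Computer Name"
RISK_COL = "Risk Name"
PATH_COL = "File Path"
HASH_COL = "SHA-256 Hash"

# Constructed sample hashes (not real malware hashes).
H_LOOP = "a1" * 32      # the same file re-detected repeatedly on one host
H_VAR_A = "b2" * 32     # two distinct Trojan.Horse files on one host
H_VAR_B = "c3" * 32
H_SPREAD = "d4" * 32    # one Downloader file seen on several hosts

# Constructed sample Risk log export (CSV), for illustration only.
_ROWS = [
    ("WS-001", "Trojan.Horse", r"C:\Users\alice\AppData\Local\Temp\svc.exe", H_LOOP),
    ("WS-001", "Trojan.Horse", r"C:\Users\alice\AppData\Local\Temp\svc.exe", H_LOOP),
    ("WS-001", "Trojan.Horse", r"C:\Users\alice\AppData\Local\Temp\svc.exe", H_LOOP),
    ("WS-002", "Trojan.Horse", r"C:\Users\bob\Downloads\invoice.exe", H_VAR_A),
    ("WS-002", "Trojan.Horse", r"C:\Users\bob\Downloads\update.exe", H_VAR_B),
    ("WS-003", "Downloader", r"C:\Users\carol\AppData\Local\Temp\setup.exe", H_SPREAD),
    ("WS-004", "Downloader", r"C:\Users\dave\AppData\Local\Temp\setup.exe", H_SPREAD),
    ("WS-005", "Downloader", r"C:\Users\erin\AppData\Local\Temp\setup.exe", H_SPREAD),
    ("WS-006", "Trojan.Horse", r"C:\Windows\Temp\tmp1.dll", ""),  # no hash available
]
SAMPLE_RISK_LOG = (
    ",".join([HOST_COL, RISK_COL, PATH_COL, HASH_COL]) + "\n"
    + "\n".join(",".join(r) for r in _ROWS) + "\n"
)


def parse_risk_log(text):
    """Parse a CSV Risk log export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def split_by_hash_availability(rows):
    """Separate rows that carry a hash from rows where SEP had none."""
    with_hash, without_hash = [], []
    for row in rows:
        if row.get(HASH_COL, "").strip():
            with_hash.append(row)
        else:
            without_hash.append(row)
    return with_hash, without_hash


def repeat_detections_per_host(rows, min_count=2):
    """(host, hash) pairs detected min_count or more times: a re-infection loop."""
    counts = Counter((r[HOST_COL], r[HASH_COL].strip().lower()) for r in rows)
    return {key: n for key, n in counts.items() if n >= min_count}


def distinct_hashes_per_host(rows):
    """Number of distinct files detected per host, whatever their family name."""
    per_host = defaultdict(set)
    for r in rows:
        per_host[r[HOST_COL]].add(r[HASH_COL].strip().lower())
    return {host: len(hashes) for host, hashes in per_host.items()}


def hashes_seen_on_multiple_hosts(rows, min_hosts=2):
    """Hashes detected on min_hosts or more computers: a common source to chase."""
    hosts = defaultdict(set)
    for r in rows:
        hosts[r[HASH_COL].strip().lower()].add(r[HOST_COL])
    return {h: sorted(s) for h, s in hosts.items() if len(s) >= min_hosts}


def report(text):
    """Run all three checks over one export and return the findings."""
    rows = parse_risk_log(text)
    with_hash, without_hash = split_by_hash_availability(rows)
    return {
        "rows_without_hash": len(without_hash),
        "reinfection_loops": repeat_detections_per_host(with_hash),
        "distinct_files_per_host": distinct_hashes_per_host(with_hash),
        "shared_files": hashes_seen_on_multiple_hosts(with_hash),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_RISK_LOG).items():
        print(key, value)
```

Hashes are compared case-insensitively because exports and manual notes often differ in case. Keep the caveat above in mind when reading the output: a shared hash across hosts is strong evidence of a common source, but several different hashes under one family name on one host may still be one packed or polymorphic threat.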