search cancel

Manually Define File Reputation

book

Article ID: 175038

calendar_today

Updated On:

Products

Content Analysis Software - CA

Issue/Introduction

To prevent unnecessary scanning and analysis on files for which your organization has identified a reputation, you can add a SHA1 hash to Content Analysis with the manual Whitelist/Blacklist configuration page. This service requires no additional subscription license; it is included with the base license for the appliance.

Resolution

During file processing, Content Analysis will check these lists before reaching out to the cloud-based File Reputation service. Unlike the cloud service, the manual whitelist/blacklist configuration results in either an allow or deny, with no further analysis. If the hash exists in either list, the file will either be permitted without further analysis (whitelist) or denied without further processing (blacklist).

Tip: To report false positives go to this link: https://symsubmit.symantec.com

Tip: This feature is based on the SHA1 hash of files. You can use your favorite third party tools (web-based and offline) to generate a SHA1 hash to use in your whitelist/blacklist configuration.

Search for known file hashes

If you're not sure if the file you're looking to block or allow has been added to Content Analysis before, you can search each reputation list.

  1. Select Services > Whitelist/Blacklist.
  2. Paste the SHA1 hash for a file in the Search for Hash field in either the whitelist or blacklist. Click Search.

  3. The Search Results dialog appears.
    1. If the search finds the supplied hash in the selected list, the Search Results dialog will advise that the hash exists in the custom blacklist or whitelist.
    2. If you wish to remove the file from the selected list, click Remove in the Search Results dialog.
    3. If the search does not locate the hash in the selected list, the Search Results dialog will advise that the hash does not exist in the custom blacklist or whitelist.
    4. If you wish to add the file to the selected list, click Add in the Search Results dialog.
    5. (Optional) When prompted, add a comment to identify the submission.

Add a file hash to file reputation lists

If you know that the a hash does not exist in the file reputation list you are working with, you can add it.

  1. Paste the SHA1 hash for a file to either Add Hash to Blacklist or Add Hash to Whitelist fields, depending on whether you would like to block or allow user access to this file in future download attempts.

  2. Optional — When prompted, add a comment to identify the submission.
    • If the file is already in the hash reputation list, Content Analysis displays an error message.

Export the hash blacklist or whitelist to a file

Whenever you make changes to either hash reputation list, it's a good idea to back up that list. Perform that backup with Export.

  1. Under Bulk Operations in either the Blacklist or Whitelist section, click Export.
  2. You are prompted to save a CSV file containing your hash reputation list. The CSV file is named either blacklist or whitelist, followed by the date (for example, blacklist_2015-12-01.csv).

Import the hash blacklist or whitelist from a file

If you have a file reputation list that you have previously saved, you can import it into Content Analysis.

  1. Under Bulk Operations in either the Blacklist or Whitelist section, click Import.
  2. You are prompted to browse for a CSV. Locate the desired file and click Open. When the upload is complete, the browser displays a confirmation dialog.