
File hash values in DCS IPS events.


Article ID: 175332


Products

Data Center Security Server Advanced

Issue/Introduction

You want to know whether DCS can display file hash values in IPS events: when a file is blocked, either the hash value of the file being blocked or the hash value of the acting process.

The Intrusion Detection System (IDS) of DCS can report MD5 and SHA256 values, so can IPS do so as well?

Environment

DCS Agent installed on a Windows operating system with Intrusion Prevention System (IPS) enabled. 

Resolution

DCS collects hashes only for IDS FileWatch events, to indicate whether a file has changed.

In IPS, a hash value can be used to specify whether a process is allowed to run, but these values are supplied by the customer.

Additionally, running a hash check against all files monitored by the IPS policy would be a very resource-intensive task. It would excessively impact the system and prevent DCS from running leanly.