CB Defense: Upload Reputations Function Fails For Non-SHA256 Hashes
Article ID: 286325
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
When using the bulk Upload Reputations function:
1. The reputations from the uploaded CSV do not appear on the reputation page
2. When viewing the Uploaded History you receive an Error message under the Status column
1. The reputations from the uploaded CSV do not appear on the reputation page
2. When viewing the Uploaded History you receive an Error message under the Status column
Environment
- PSC Console: All Supported Versions
Cause
The Upload Reputations function requires SHA256 hashes
Resolution
- Verify the csv is properly formatted with no column headings in this format: [WHITE_LIST, BLACK_LIST],SHA256,HASH,Description, Name
- Use only SHA256 hashes
Additional Information
The exact error message can be seen by using developer tools and capturing a HAR file as described here:
https://community.carbonblack.com/t5/Knowledge-Base/How-To-Collect-A-Har-File-Using-Chrome/ta-p/62472
When using the developer tools:
1. On the Enforce => Reputation => Upload => Upload History page
2. Open the developer tools
3. Reload the page
4. Select the Network tab
5. Select Preview
6. Select ORG_INDICATOR_LIST
7. Select one of the Numbered lists that match the Uploaded History list
8. Look for an errorMessage equal to either:
Here is a screenshot of what this will look like using Chrome developer tools:
Verify your hash lengths. For example here are the hashes for a version of Powershell.exe:
MD5 [32 char]: 852d67a27e454bd389fa7f02a8cbe23f
SHA1 [40 char]: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 [64 char]: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
https://community.carbonblack.com/t5/Knowledge-Base/How-To-Collect-A-Har-File-Using-Chrome/ta-p/62472
When using the developer tools:
1. On the Enforce => Reputation => Upload => Upload History page
2. Open the developer tools
3. Reload the page
4. Select the Network tab
5. Select Preview
6. Select ORG_INDICATOR_LIST
7. Select one of the Numbered lists that match the Uploaded History list
8. Look for an errorMessage equal to either:
errorMessage: "Indicator Type SHA1 is invalid at line: [%]"
errorMessage: "Sha256Hash %a_hash_value% should be of length: 64 at line: [%]"
errorMessage: "Sha256Hash %a_hash_value% should be of length: 64 at line: [%]"
Here is a screenshot of what this will look like using Chrome developer tools:
Verify your hash lengths. For example here are the hashes for a version of Powershell.exe:
MD5 [32 char]: 852d67a27e454bd389fa7f02a8cbe23f
SHA1 [40 char]: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 [64 char]: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
Feedback
Yes
No
Powered by
