Why does this SHA256 hash not match the data in the Console?

• App Control Console: All Supported Versions
• App Control Agent: All Supported Versions

Some files include date, location, or other context-specific information not relevant for tracking purposes. For file types known to do this (such as MSI files) App Control will use a unique Fuzzy Hashing Algorithm that eliminates this variation. When this algorithm has been used, the SHA-256 hash is identified in the Console as "SHA-256 (Normalized)". This algorithm will affect Global and Local Approvals of a SHA-256 Normalized file in two ways:

• Importing SHA-256 hashes that contain MSI files from another source may result in the associated File Rule becoming ineffective in App Control.
• The Agent hashes the whole file for MD5 and SHA-1 values, which could contain the context-specific information. The resulting MD5 or SHA-1 hash may be unique for each machine it is created on, and a File Rule that relies on this value may become ineffective in App Control.

Due to these issues; the best practice for Approving or Banning the hash of an MSI file is to use the SHA-256 (Normalized) hash created by App Control. Other hash types, and hashes imported from elsewhere, should be avoided.

• By default the External Events will rely on the MD5 hash. If an MD5 hash is not available for the File or Event the SHA-256 value will be used instead. This could lead to a discrepancy between what is observed in the External Event compared to what was reported by the Agent.
• More information on this can be found in the App Control User Guide Chapter, "File, Publisher and Application Information" as well as the chapter, "Approving and Banning Software".
• The following commands can be used on a machine that has an Agent to verify whether the file will return a Fuzzy (Normalized) hash or not:

  cd "C:\Program Files (x86)\Bit9"
  dascli hash sha256 "C:\Path\To\Installer.msi"