This topic introduces hash filters as a method of marking files in Security Analytics Malware Analysis that are known to be good or known to be bad. Hash filtering allows you to maintain a list of known good or known bad file hashes. In the Hash tab, you can fine tune Security Analytics Malware Analysis event analysis based on file hashes. When a file hash is marked as Good, Malware Analysis does not analyze the file the next time it is seen. When a file hash is marked as Bad, Malware Analysis automatically raises the file’s community score by a large number of points. Malware Analysis still analyzes the file, just in case new information becomes available.
Note: If an event contains a single file and that file’s hash is marked as Good, Malware Analysis filters the entire event and you do not see it in Malware Analysis results.
To add hash filters to the hash list, you can use either of these manual methods:
- Context menu add in the Event Detail view: Right-click on a file, and a context menu allows marking of the hash for the selected file as Good (Normal) or Bad (Malicious).
- Hash tab toolbar: Click on the Add button in the Hash tab to add a file hash, file size, and optionally, mark the hash as trusted.
There is also an automated method to add hash filters to Security Analytics Malware Analysis by importing a hash list in bulk from the watched folder. Hashes imported through the watched folder do not appear in the hash list. With bulk importing and the watched directory (/var/lib/rsamalware/spectrum/hashWatch) on the Malware Analysis server set up, copy a hash list into the watched folder to be automatically imported into the system. Hashes imported using the bulk import method overwrite hashes that were previously imported through the watched folder.
View the Hash List
To view the Hash List:
- In the Security Analytics menu, select Administration > Services.
- In the Services view, select a Malware Analysis service, and select > View > Config.
- Select the Hash tab.
The hash list is displayed in the Hash tab. Only file hashes that have been added using one of the methods are displayed.
Add a File Hash to the Hash Filter
To add a file hash to the hash filter:
- In the Hash tab, in the toolbar, click Add.
The Add Hash dialog is displayed.
- If the hash is trusted, select Trusted.
- Enter the MD5 hash and the file size in bytes.
- Click Save
The file hash is added to the hashes and used to perform hash filtering in Security Analytics Malware Analysis.
Mark a Hash as Trusted or Untrusted
To mark a file hash as trusted or untrusted:
- In the Hash tab, to toggle between trusted and untrusted, click in the Trusted column for the hash.
- In the toolbar, click Save Edit.
Delete a Hash from the Hash Filter
To delete a hash from the hash filter:
- In the Hash tab, select one or more hashes that you want to remove from the hash filter.
- In the toolbar, click Delete.
A dialog requests confirmation and offers an opportunity to cancel.
- To confirm the deletion, click Yes.
The file hash is deleted from the grid and no longer used to perform hash filtering in Security Analytics Malware Analysis.
Search for a File Hash
In the Hash tab, you can search for a file hash that is displayed in the grid. In the MD5 field, type the file hash for which you are searching, and click Search. The list of files that contain the hash is displayed in the grid.
Import a Hash List Using the Watched Folder
To import a hash list from the watched directory, the hash list must be in the specified format and must be sorted on md5. You can drop a file formatted as described below into a folder (/var/lib/rsamalware/spectrum/hashWatch) on the Malware Analysis appliance, and it is automatically imported into the local hash database. This is the only way to import file hashes into Security Analytics. An additional use case is to allow a system administrator to expose the watched directory to some process that would push a file to this directory. This is a bulk import method designed to handle a high volume of hash imports.
This is a csv-formatted file with no spaces between the data in each row. The assumption with the data in the hash list is that there are no duplicates. Duplicates are ignored during processing. If duplicate hashes are encountered, the log file will display the following message to indicate the number of duplicate hashes contained in the file:
2013-08-09 09:46:00,674 [jobExecutor-2(HashFileWatch)] INFO com.netwitness.malware.core.scheduler.jobs.HashFileWatch - Processing - /var/lib/rsamalware/hashWatch/test.csv
2013-08-09 09:47:56,619 [jobExecutor-2(HashFileWatch)] INFO com.netwitness.malware.core.services.file.hash.HashServiceImpl - Skipped 21 Duplicate Hashes Already on File
2013-08-09 09:48:06,638 [jobExecutor-2(HashFileWatch)] INFO com.netwitness.malware.core.scheduler.jobs.HashFileWatch - Processed - /var/lib/rsamalware/hashWatch/test.csv
Below is an example of a hash list in the default file format.
A Security Analytics configuration file (/var/lib/rsamalware/spectrum/conf/hashFileWatchConfig.xml) specifies the format and options in the hash list import process. Below is a listing of the configuration file.
|<md5Col>0</md5Col>||The location of the md5 hash in each entry. The default value is position 0, or the first position.|
|<fileSizeCol>1</fileSizeCol>||The location of the hash size in each entry. The default value is position 1, or the second position. If the hash size is not included in the csv file, the value must be -1.|
|<isTrustedCol>2</isTrustedCol>||The location of the Trusted Column in each entry. The default value is position 2. If the Trusted parameter is not included in the csv file, the value must be -1.|
|<isTrust>false</isTrust>||The default assumption for Trusted in each entry is false.|
|<ignoreFirstLine>false</ignoreFirstLine>||The presence or absence of a header in the hash. The default value is false. If the hash has a header, the value must be set to true.|
|<frequencyInMinutes>1</frequencyInMinutes>||The interval between checks by Security Analytics in the watched directory. The default value is 1 minute.|
|<isGzipCompressed>false</isGzipCompressed>||The hash is compressed using Gzip. The default value is false. If the hash is Gzip compressed, the value must be set to true here.|
When the hash list has been imported, the system log has entries similar to this:
2013-04-11 03:22:00,597 [jobExecutor-9(HashFileWatch)] INFO com.netwitness.malware.core.scheduler.jobs.HashFileWatch - Processing - /var/lib/rsamalware/spectrum/hashWatch/simpleHash.csv
2013-04-11 03:22:00,600 [jobExecutor-9(HashFileWatch)] INFO com.netwitness.malware.core.scheduler.jobs.HashFileWatch - Processed - /var/lib/rsamalware/spectrum/hashWatch/simpleHash.csv
If there is a problem loading the file, the system log has entries similar to this:
2013-04-11 03:17:00,597 [jobExecutor-4(HashFileWatch)] INFO com.netwitness.malware.core.scheduler.jobs.HashFileWatch - Processing - /var/lib/rsamalware/spectrum/hashWatch/simpleHash.csv
... Verbose log
2013-04-11 03:17:00,632 [jobExecutor-4(HashFileWatch)] INFO com.netwitness.malware.core.scheduler.jobs.HashFileWatch - Error Processing - /var/lib/rsamalware/spectrum/hashWatch/simpleHash.csv
To import a hash list using the watched folder method:
- Copy the hash lists that you want to import into the /var/lib/rsamalware/spectrum/hashWatch directory.
Security Analytics Malware Analysis automatically watches this folder and processes files placed there.
Security Analytics Malware Analysis adds every hash found in the hash lists to the hash filter.
If there are processing errors, they are logged in /var/lib/rsamalware/spectrum/hashWatch/error
Processed files are cataloged in /var/lib/rsamalware/spectrum/hashWatch/processed
Processed files are not removed from the hashWatch directory.
- After importing hashes in bulk, the System Administrator can use a cronjob to clean up old processed files.