Align Malware device checksums with Threatgrid
Malware device is using MD5 checksums for white/blacklisting files, while Threatgrid is primarily using SHA-256. This makes the two "incompatible" and difficult to track files when looking at the two pages without spending valuable time drilling through.
I wanted to raise this here so that it gets more visibility, especially since RFEs can take up to 4 years to implement.
- Community Thread
- Forum Thread
- malware device
- RSA NetWitness
- RSA NetWitness Platform
The Malware appliance can produce sha-256 checksums too.
Looking at the CEF output I have
May 8 12:53:08 MALWARE-APP CEF:0|RSA|Security Analytics Malware|10.6.5.0-8296.5.0|Suspicious File|Detected suspicious file|2|static=6.0 nextgen=57.0 fname=194750093512-107-8192_1.exe fsize=10752 fileHash=05314415d81eb785e528a227db82e934 event.id=581176979 sessionid=194750093512 file.sha1.hash=c0669d153ab4be77571cc2aab6614db5e6dfffb7 file.sha256.hash=f35908bfd294ff364d8872429cf184fcaecdf1bb1e7ee788544fa10b3e1d6bd8 USER=Unknown identity
This is regarding the white/blacklisting section in the config page of Malware device though.
Even worse! The fact that the product does it, the third-party does it (threatgrid) but RSA's GUI doesn't, makes the efficiency of the SIEM questionable. Raising an RFE? Forget it!