Does Symantec Detect This: An Illustrated Guide to Public Hash Submission  

Dec 28, 2015 05:42 PM

Introduction

This is number twelve in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in December 2017.

 

One of those previous articles discussed how to get suspicious or malicious files to Security Response so that defenses can be built: Symantec Insider Tip: Successful Submissions!  In December 2015, Symantec introduced a powerful new method of providing malware samples: Public Hash Submission.

 

It is now possible to submit a publicly available hash to Symantec Security Response. If the file is available from a public source that we have access to, we will process it as if it was a standard file submission. This is very useful for situations like:

 

"I have received a warning about a file with MD5 hash X. Does Symantec protect me against this threat?" 

Virustotal.com is a great resource, but it does not always reflect the current status of which vendors detect a file.  (Also, it does not indicate whether technologies like IPS, SONAR or other components protect against a threat, only AntiVirus.  There are other limitations as well.)

For the sake of illustration, let's suppose an alert has been posted or circulated regarding a file with a particular hash.  A check on virustotal.com indicates that several vendors detect it, comments indicate it is malicious and the file has a poor reputation....

[Image: other_vendors_detect.png]

 

Symantec is not listed on the page.  We can now go to Symantec's submissions portal and choose to have that file checked out.  Select "Hash Submission" from the drop-down....

[Image: select_hash.png]

Fill out the form, being careful to supply the correct contact details and Support ID number.  Paste the SHA256 or MD5 of the file in the input box, and provide a note if desired.

[Image: completed_public_hash_submission_form.png]

Click Submit!  Shortly after submission, an email arrives with the Tracking Number for the file....

[Image: public_hash_tracking_mail.png]

If Symantec is already aware of that file and has a known verdict about it, a Closing mail is dispatched quickly.  If it is new to Symantec, the file will be examined and a Closing note sent.  For example....

[Image: public_hash_closed.png]

Frequently Asked Questions

Q. What hash formats can be used?

A. MD5 or SHA256 only, please.

Q. How large can the files be?

A. 100 MB is the maximum size.

Q. Can I provide the hash of .zips or .jars and get your system to download and examine the hundreds of files inside?

A. Nope, the same rules about containers apply: no more than 9 files inside.
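A small pre-submission check, added here as an example and not part of the original article or of any Symantec tool: it computes the MD5 and SHA256 of a local file (the two formats the form accepts, so a SHA-1 pasted from an alert is rejected up front), flags a file over the 100 MB limit, and counts the members of a .zip or .jar so you know before submitting whether it breaks the nine-file container rule. The chunk size, the function names and the sample files built by `demo()` are constructed for this illustration.

```python
"""Pre-submission checks for a Symantec public hash submission.

Added example (not Symantec's code). It mirrors the rules stated in the
article: MD5 or SHA256 only, 100 MB maximum, no more than 9 files inside a
container. The sample files built by demo() are constructed for illustration.
"""
import hashlib
import os
import re
import shutil
import tempfile
import zipfile
from typing import Optional

MAX_FILE_BYTES = 100 * 1024 * 1024       # 100 MB limit from the FAQ
MAX_CONTAINER_MEMBERS = 9                # container rule from the FAQ
CONTAINER_EXTENSIONS = (".zip", ".jar")  # a .jar is a zip archive underneath
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value: str) -> Optional[str]:
    """Return 'md5' or 'sha256' for an acceptable hash string, else None.

    A 40-character SHA-1 (what many alerts quote) is rejected on purpose:
    the form takes MD5 or SHA256 only.
    """
    v = value.strip()
    if not _HEX_RE.match(v):
        return None
    return {32: "md5", 64: "sha256"}.get(len(v))


def file_hashes(path: str) -> dict:
    """Compute MD5 and SHA256 in one streaming pass so the file is read once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB chunks (assumption)
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def container_member_count(path: str) -> Optional[int]:
    """Files (directories excluded) inside a .zip/.jar, or None if not a container."""
    if not path.lower().endswith(CONTAINER_EXTENSIONS) or not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        return sum(1 for info in zf.infolist() if not info.is_dir())


def precheck(path: str, max_bytes: int = MAX_FILE_BYTES) -> dict:
    """Hashes plus a list of reasons the submission would be rejected (empty if none)."""
    problems = []
    size = os.path.getsize(path)
    if size > max_bytes:
        problems.append(f"file is {size} bytes, over the {max_bytes} byte limit")
    members = container_member_count(path)
    if members is not None and members > MAX_CONTAINER_MEMBERS:
        problems.append(f"container holds {members} files, more than {MAX_CONTAINER_MEMBERS}")
    result = {"size": size, "members": members, "problems": problems}
    result.update(file_hashes(path))
    return result


def demo() -> dict:
    """Run precheck over constructed samples: a 3-byte file and a 10-member zip."""
    tmp = tempfile.mkdtemp()
    try:
        plain = os.path.join(tmp, "sample.bin")
        with open(plain, "wb") as fh:
            fh.write(b"abc")                       # constructed content
        many = os.path.join(tmp, "many.zip")
        with zipfile.ZipFile(many, "w") as zf:
            for i in range(10):                    # one more than the FAQ allows
                zf.writestr(f"file{i}.txt", "x")
        return {
            "plain": precheck(plain),
            "plain_2_byte_limit": precheck(plain, max_bytes=2),  # forces the size check
            "many_zip": precheck(many),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["md5"], r["sha256"], r["problems"] or "ok")
    print(classify_hash("900150983cd24fb0d6963f7d28e17f72"))  # md5
```

Run `precheck()` on the file you intend to submit and paste either returned digest into the form; an empty `problems` list means the size and container rules are satisfied, and `classify_hash()` tells you whether a hash copied from elsewhere is in a format the form will accept at all.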

Q. I have a list of hundreds and hundreds of hashes that I would like to check!  Can I input that?

A. Nope.  Just one hash at a time.

Q. My Symantec Technical Support case owner would be happy to sit down for hours and hours, using this public hash submission service to submit my bulk list of hundreds of hashes, right?

A. Nope, see previous answer.  Bulk processing of submissions is not supported.  Use your own Support ID number to send them through one at a time.

Q. Is there another great new way to get files submitted?

A. Yes, by URL!  See Submit to Security Response by URL.

Q. Can I submit suspected False Positives by their hash?

A. [Updated, August 2018] Yes! It is now possible to complete the usual False Positive Submission form specifying the hash of the file that was detected.  This can be very helpful in case SEP deleted the file that is believed to be a FP!



The same restrictions apply: that hash must be publicly available and the submissions must be made one at a time.  It is not within Symantec's scope to accept lists of hashes and determine if they are true positives or false positives.
 

Q. What public sources is Symantec using?

A. For the initial launch we are using VirusTotal.com.

Conclusion

 

Many thanks for reading!  Please do leave comments and feedback below. 

Comments

Jan 01, 2016 08:33 AM

Wonderful. Keep up the good work, Mick!!!
