rvdli asked FanFan-MSFT commented

SRP - Block hash without providing the file

Hi,

I want to create some rules on the Software Restriction Policies of my domain.

But when I choose to create a new rule based on Hash, it still asks me to provide a file. I have the hashes of the malicious file that I want to deny, but for obvious reasons don't have the file itself.

Is there any way to create a hash rule without providing the file itself? It used to work on previous versions of Windows Server, now I'm on 2019 and it doesn't show anymore.

Tags: windows-active-directory, windows-server-2019, windows-group-policy

FanFan-MSFT answered

Hi,

As you mentioned above, it is required to provide a file if you use the Hash Rule in the Software Restriction Policies.
Here is a test in my environment:
I created a new path rule in the Software Restriction Policies and put only the name into the path, as follows:
[Screenshot: 38667-11102.jpg]
After I updated the policy with the command gpupdate /force, it worked.
[Screenshot: 38668-11103.jpg]

If you know the name and the file type of the malicious file, it may be worth a try.
Best Regards,





rvdli answered FanFan-MSFT commented

Hi,

So if I want to block a malware, I need to download the malware (which is kinda risky) so Windows can generate the hash by itself, even when I have the hash provided by other users?

Until 2008 I could manually insert the hash. So there is definitely no other way to do it?


Thanks for your help.


Hi,
Since I didn't have a 2008 server, I can't test it.
But on my 2016 and 2019 servers, if we can't provide a file, we can't get the hash.
I will do more research; if there are any updates, I will update here!
Best Regards,
