Jump to content

Recommended Posts

Posted

Hello,

I am using Kaspersky Security 11.0.1 for Windows Server (with an advanced license). How can I block a file using its SHA256 hash (I only have the hash, not the file on my machine)? I tried creating a new application rule, but the SHA256 field does not allow manual input.

Thanks in advance.

create a new rule -1.png

create application control rule.JPG

  • 1 month later...
Posted (edited)

Hello @NNT12 

Try  this.

To block a file using its SHA-256 hash in Kaspersky Security 11.0.1 for Windows Server, follow the steps below. Since the interface does not allow direct manual input of the hash in the application rule, you can leverage Kaspersky’s File Integrity Monitor or Blacklist Policy. Here's a workaround:

Method 1: Using Kaspersky File Integrity Monitor

This method monitors specific files by their hash values and can block them automatically.

  1. Access Kaspersky Security Center.
  2. Go to Policies -> Select your Windows Server policy.
  3. Navigate to Application Privilege Control -> Application rules.
  4. Create a New Category (e.g., "Blocked Files by Hash").
  5. Now, add a New Rule under this category and configure it:
    • Set Privilege Level to Prohibited.
    • Add File Masks/Files -> Click Add.
    • In the Files by Mask field, enter a dummy file name (since SHA-256 is your concern).
  6. Deploy the Policy.

Workaround for Hash Input:
Although the field itself may not accept SHA-256 directly, you could use a scriptable way with the help of Kaspersky API/Command Line Tool (if enabled). This allows hash-based rules to be applied, such as:

 php
Copy code
kav.exe -blacklist <SHA-256>

You’ll need to explore if your license has support for API features or consult with Kaspersky support for more precise commands.


Method 2: Use Kaspersky’s Advanced Threat Protection Module

  1. Open Kaspersky Security Center -> Navigate to Threat Response/Protection settings.
  2. Go to Indicator of Compromise (IOC) management if available under your advanced license.
  3. Create a New IOC Task and input the SHA-256 hash.
  4. Define the action as Block/Quarantine on detection.
  5. Apply and enforce the policy.

Method 3: Use Kaspersky Endpoint Agent Integration

If you have Kaspersky EDR/Endpoint Detection and Response integrated:

  1. Open Kaspersky EDR -> Go to Threat Hunting / IOC Uploads.
  2. Add the SHA-256 hash into the IOC feed as a malicious hash.
  3. Set the action to Block or Quarantine upon detection.

Troubleshooting

  • Ensure you have admin access and the necessary policy privileges.
  • If the hash field isn’t available in your current configuration, contacting Kaspersky Support is advisable since more advanced policies may require custom modules or API commands.

Let me know if you need further clarification on any step!

Thank you

Edited by KarDip
edit sentence wordings

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...