
Block a file using its SHA256 - Kaspersky security for windows server



Hello,

I am using Kaspersky Security 11.0.1 for Windows Server (with an advanced license). How can I block a file using its SHA256 hash (I only have the hash, not the file on my machine)? I tried creating a new application rule, but the SHA256 field does not allow manual input.

Thanks in advance.

[Attached screenshots: create a new rule -1.png, create application control rule.JPG]


Hello @NNT12 

Try this.

To block a file using its SHA-256 hash in Kaspersky Security 11.0.1 for Windows Server, follow the steps below. Since the interface does not allow direct manual input of the hash in the application rule, you can leverage Kaspersky’s File Integrity Monitor or Blacklist Policy. Here's a workaround:

Method 1: Using Kaspersky File Integrity Monitor

This method monitors specific files by their hash values and can block them automatically.

  1. Access Kaspersky Security Center.
  2. Go to Policies -> Select your Windows Server policy.
  3. Navigate to Application Privilege Control -> Application rules.
  4. Create a New Category (e.g., "Blocked Files by Hash").
  5. Now, add a New Rule under this category and configure it:
    • Set Privilege Level to Prohibited.
    • Add File Masks/Files -> Click Add.
    • In the Files by Mask field, enter a dummy file name (since SHA-256 is your concern).
  6. Deploy the Policy.

Workaround for Hash Input:
Although the field itself may not accept SHA-256 directly, you could use a scriptable way with the help of Kaspersky API/Command Line Tool (if enabled). This allows hash-based rules to be applied, such as:

    kav.exe -blacklist <SHA-256>

You’ll need to explore if your license has support for API features or consult with Kaspersky support for more precise commands.


Method 2: Use Kaspersky’s Advanced Threat Protection Module

  1. Open Kaspersky Security Center -> Navigate to Threat Response/Protection settings.
  2. Go to Indicator of Compromise (IOC) management if available under your advanced license.
  3. Create a New IOC Task and input the SHA-256 hash.
  4. Define the action as Block/Quarantine on detection.
  5. Apply and enforce the policy.

Method 3: Use Kaspersky Endpoint Agent Integration

If you have Kaspersky EDR/Endpoint Detection and Response integrated:

  1. Open Kaspersky EDR -> Go to Threat Hunting / IOC Uploads.
  2. Add the SHA-256 hash into the IOC feed as a malicious hash.
  3. Set the action to Block or Quarantine upon detection.

Troubleshooting

  • Ensure you have admin access and the necessary policy privileges.
  • If the hash field isn’t available in your current configuration, contacting Kaspersky Support is advisable since more advanced policies may require custom modules or API commands.

Let me know if you need further clarification on any step!

Thank you

Edited by KarDip: edit sentence wordings
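Added example, not part of either post above and not a Kaspersky tool: since the original question starts from a hash alone, a defender usually wants to confirm whether any file with that SHA-256 is actually present on the server before and after a blocking rule is applied. The PowerShell below walks a directory tree, hashes each file with the built-in Get-FileHash cmdlet and reports matches against a blocklist. The scan root (C:\Inetpub) and the hash value are assumptions; the hash is a constructed placeholder, not a real indicator, so replace it with the value you were given.

```powershell
# Added example: locate files whose SHA-256 matches a blocklist (detection/verification only).
# Not code from the original thread or from Kaspersky.

function Find-BlockedHashes {
    param(
        # Directory tree to scan. Assumed default; adjust to the paths you care about.
        [string]$Root = 'C:\Inetpub',

        # SHA-256 values to look for. The entry below is a constructed placeholder.
        [string[]]$BlockedHashes = @(
            '0000000000000000000000000000000000000000000000000000000000000000'
        )
    )

    # Get-FileHash returns uppercase hex, so normalise the blocklist the same way.
    $wanted = $BlockedHashes | ForEach-Object { $_.Trim().ToUpperInvariant() }

    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                return   # locked or unreadable file: skip it rather than abort the scan
            }
            if ($wanted -contains $h) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    SHA256    = $h
                    Size      = $_.Length
                    LastWrite = $_.LastWriteTime
                }
            }
        }
}

# Usage: run as an administrator so protected paths are readable.
$hits = Find-BlockedHashes -Root 'C:\Inetpub' -BlockedHashes @(
    '0000000000000000000000000000000000000000000000000000000000000000'   # placeholder
)

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No files under the scan root match the blocklist.'
}
```

Run it once before deploying the rule to see whether the file is present, and again afterwards: if the product quarantined or removed the file, the second run should report no matches. Hashing large trees is I/O heavy, so scope the root to the shares or application directories that matter rather than an entire volume.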