How to Add multiple File Hash to block from KSC through KESB?


Deadlock4400
Posted

Dear Concern,

Greetings.

How can I add multiple file hashes in Kaspersky Security Center 13.2 to block applications/programs through Kaspersky Endpoint Security for Business (KESB)?

Thanks in advance

@Deadlock4400

Deadlock4400
Posted

Hello @ElvinE5

Thanks for the reply. Not yet in EDR Optimum. It seems that even if EDR Optimum is there, only one HASH can be added at a time. Hopefully in the near future Kaspersky will give the option to add many HASHes at a time from a text file.

Now, from file category, one HASH can be added at a time. Is that for KESB only? How can those HASHes be added into a KSWS policy?

Deadlock4400
Posted

Hello @DonKid

Thanks, but see the previous reply, please.

Posted
7 hours ago, Deadlock4400 said:

Hello @ElvinE5

Thanks for the reply. Not yet in EDR Optimum. It seems that even if EDR Optimum is there, only one HASH can be added at a time. Hopefully in the near future Kaspersky will give the option to add many HASHes at a time from a text file.

Now, from file category, one HASH can be added at a time. Is that for KESB only? How can those HASHes be added into a KSWS policy?

Dear user,

Thanks for your post. IMHO: there is no need to add hashes manually for detection of malware in Application Control, because if you have Kaspersky EDR Optimum, KSWS and KES have cloud-based detection with Kaspersky Security Network, which is an infrastructure of online services providing access to Kaspersky's online knowledge base on the reputation of files, web resources and programs. In summary: malicious hashes should be detected automatically by our technologies. It is recommended that you use Application Control to add risky tools that can be used by attackers against your computers (Nmap, Advanced IP Scanner, PsExec, Mimikatz, Kali, etc.).

Maybe you receive that amount of hashes from your SOC? If yes, please reply to this message so we can bring you some alternatives.

Posted

As you correctly noticed, @Vimaro, adding a large number of hash sums for blocking is not the most convenient or best option. If the SOC provided them to you, check them on the portal

https://opentip.kaspersky.com/?tab=lookup

Most likely they are known.

If these are some specific executable files (Nmap, Advanced IP Scanner, PsExec, Mimikatz, Kali, etc.), you can also block the corresponding applications with the "Application Control" component.

KES

Spoiler: [screenshot]

KSWS - you need at least an Advanced license

Spoiler: [screenshot]

Deadlock4400
Posted

Hello @ElvinE5

Thanks for your reply.

I always use Kaspersky OpenTip. I queried many hashes, but many of them are not yet shown by Kaspersky OpenTip. I tried other TIPs too, with the same result. I think there should be an option in KSC to add a hash or a set of hashes manually.

Deadlock4400
Posted
On 8/10/2023 at 11:43 PM, Vimaro said:

Dear user,

Thanks for your post. IMHO: there is no need to add hashes manually for detection of malware in Application Control, because if you have Kaspersky EDR Optimum, KSWS and KES have cloud-based detection with Kaspersky Security Network, which is an infrastructure of online services providing access to Kaspersky's online knowledge base on the reputation of files, web resources and programs. In summary: malicious hashes should be detected automatically by our technologies. It is recommended that you use Application Control to add risky tools that can be used by attackers against your computers (Nmap, Advanced IP Scanner, PsExec, Mimikatz, Kali, etc.).

Maybe you receive that amount of hashes from your SOC? If yes, please reply to this message so we can bring you some alternatives.

Many hashes are not recognized by Kaspersky OpenTip. I think there should be an option in KSC to add a hash or a set of hashes manually.

Posted

If there are many undetectable hashes, use the "Application Control" tool (as described above) to block launch attempts.

The user cannot independently update the "bases" for the components so that they would detect them; this is the work of the Kaspersky Lab specialists.

Also, if you have the appropriate licenses, for example EDRO or KATA/KEDR, you can create blocking rules for hash sums that your specialists have scouted using these products.

Also, Sandbox products from the laboratory will help you study and automatically block new, unknown malware if it is marked as malware during the analysis process.

Deadlock4400
Posted

Hello @ElvinE5

It is very irritating to add many unknown hashes manually using the "Application Control" tool (as described above) to block launch attempts. They are also not in OpenTip.

Can we add many unknown hashes from a CSV file in EDRO? If we already have many unknown hashes, then why can we not update Kaspersky Threat Intel too by adding hashes?

Posted

I think in your case it would be more correct to contact LK directly and offer them your intelligence materials for inclusion in the response bases ...

18 minutes ago, Deadlock4400 said:

Can we add many unknown Hashes from a CSV file format in EDRO

with leathering, adding from the file will not work

Rather, adding OpenIoC files for search tasks is possible ... but not in the permanent blocking rules.
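Added example (not from any poster in this thread, and not Kaspersky's own tooling): the thread's two practical suggestions are to check a SOC-supplied hash list before acting on it and, where a licence allows it, to feed the list to an IOC search task as an OpenIoC file rather than typing one hash at a time. The script below takes a constructed CSV of the kind a SOC might export, normalises it (lower-case, hash type by length, hex check, de-duplication, rejects reported separately), and serialises the surviving hashes as one OpenIoC 1.0 document with one IndicatorItem per hash. The column name `hash`, the sample values (the well-known empty-file digests, used only as placeholders) and the assumption that the scan task accepts the `FileItem/Md5sum`, `FileItem/Sha1sum` and `FileItem/Sha256sum` terms are this example's own; check the product's documentation for the terms it actually supports.

```python
import csv
import io
import re
import uuid
import xml.etree.ElementTree as ET

# Hex-digest length -> (hash name, OpenIoC FileItem search term).
# Assumption: these are the FileItem terms the IOC search task accepts.
HASH_TERMS = {
    32: ("md5", "FileItem/Md5sum"),
    40: ("sha1", "FileItem/Sha1sum"),
    64: ("sha256", "FileItem/Sha256sum"),
}
HEX_RE = re.compile(r"^[0-9a-f]+$")
IOC_NS = "http://schemas.mandiant.com/2010/ioc"

# Constructed sample of a SOC export, deliberately noisy: an upper-case
# duplicate, a blank line, a non-hex entry and a too-short entry. The digests
# are the empty-file MD5/SHA-1/SHA-256 values, used here only as placeholders.
SAMPLE_CSV = """hash,comment
d41d8cd98f00b204e9800998ecf8427e,placeholder md5
D41D8CD98F00B204E9800998ECF8427E,same md5 in upper case
da39a3ee5e6b4b0d3255bfef95601890afd80709,placeholder sha1
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,placeholder sha256

zz0c44298fc1c149afbf4c8996fb9242,not hex
abcdef,too short
"""


def normalise_hashes(csv_text):
    """Return (valid, rejected).

    valid: list of (kind, digest) tuples, lower-cased, de-duplicated, in input order.
    rejected: raw values whose length or characters do not match a known digest.
    """
    valid, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("hash") or "").strip().lower()
        if not raw:
            continue  # blank or header-only row
        term = HASH_TERMS.get(len(raw))
        if term is None or not HEX_RE.match(raw):
            rejected.append(raw)
            continue
        if raw in seen:
            continue  # the same digest listed twice (case differences included)
        seen.add(raw)
        valid.append((term[0], raw))
    return valid, rejected


def build_openioc(hashes, description="SOC-supplied hash list"):
    """Serialise (kind, digest) pairs as one OpenIoC 1.0 document: a single
    OR-indicator holding one IndicatorItem per hash. Returns the XML as text."""
    ET.register_namespace("", IOC_NS)
    ioc = ET.Element(f"{{{IOC_NS}}}ioc", id=str(uuid.uuid4()))
    ET.SubElement(ioc, f"{{{IOC_NS}}}short_description").text = description
    definition = ET.SubElement(ioc, f"{{{IOC_NS}}}definition")
    indicator = ET.SubElement(
        definition, f"{{{IOC_NS}}}Indicator", operator="OR", id=str(uuid.uuid4())
    )
    for kind, digest in hashes:
        item = ET.SubElement(
            indicator, f"{{{IOC_NS}}}IndicatorItem", condition="is", id=str(uuid.uuid4())
        )
        ET.SubElement(
            item, f"{{{IOC_NS}}}Context",
            document="FileItem", search=HASH_TERMS[len(digest)][1], type="mir",
        )
        ET.SubElement(item, f"{{{IOC_NS}}}Content", type=kind).text = digest
    return ET.tostring(ioc, encoding="unicode")


def count_indicator_items(xml_text):
    """Parse the generated document back and count its IndicatorItem elements."""
    root = ET.fromstring(xml_text)
    return len(root.findall(f".//{{{IOC_NS}}}IndicatorItem"))


if __name__ == "__main__":
    good, bad = normalise_hashes(SAMPLE_CSV)
    print(f"{len(good)} usable hashes, {len(bad)} rejected: {bad}")
    document = build_openioc(good)
    print(f"OpenIoC document with {count_indicator_items(document)} items:")
    print(document)
```

Run as-is it prints the rejected entries and the generated XML; to use it on a real export, replace `SAMPLE_CSV` with the file contents and write the returned text to a `.ioc` file. Reviewing the rejected list before importing is the point of the normalisation step: a mis-pasted or truncated digest silently matches nothing, so it is better surfaced here than lost inside a search task.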
