
Vt hash check
Super stupid question: We monitor various websites, blogs, etc. for new security findings in the wild and proactively block the IOCs (hashes, IPs, domains, etc.). We understand CrowdStrike is a behavior-based product and will most likely stop a bad activity if it ever happens, but we do like the idea of blocking files by hash, not giving them the chance to even run. When we get a list of IOCs to block, I usually look them up on the top search bar in the CS console and also use VirusTotal to check if CrowdStrike has a detection on that particular hash. We do this in order to avoid blocking a hash that CS already knows is malicious. Most of the time the search within the CS console doesn't bring any intel on a hash, but VT shows CS with 100% confidence. What is the recommended way to check if CS would already block a particular hash or not?

And on this topic, what do you guys use to check multiple hashes in VT at once?

Any recommendations or tips are greatly appreciated! :)

This is a question I've asked my support team on several occasions. I can't say I've gotten a great response. The gist is that VirusTotal is very good when the CrowdStrike detection is based on a specific hash. But the bulk of detections are actually machine learning detections based on behavioral items, which are not covered by the VirusTotal validation.

So what can you do? Well, the short answer I got was to take those files and run them on a CrowdStrike-protected stand-alone device that is NOT on your network and just check to see if CrowdStrike detects it. The second option was to download the malware and detonate it in the sandbox (if you have access to that component of the platform).

Both of those options require you to acquire the malware and run it. I don't love that answer either.
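One way to batch the VirusTotal lookups the question asks about and pull CrowdStrike's verdict out of each report, as an added example that is not from this thread. It assumes the VirusTotal v3 `GET /api/v3/files/{hash}` endpoint authenticated with an `x-apikey` header; the function names, the sample reports and `API_KEY` are constructed here, not real data.

```python
import json, time, urllib.request
from typing import Optional
from urllib.error import HTTPError
# Assumed endpoint: GET /api/v3/files/{hash}, authenticated with an x-apikey header.
VT_URL = "https://www.virustotal.com/api/v3/files/{}"

def fetch_report(file_hash: str, api_key: str) -> Optional[dict]:
    """Fetch one file report; None means VT has never seen the hash (HTTP 404)."""
    req = urllib.request.Request(VT_URL.format(file_hash), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise

def engine_verdict(report: Optional[dict], engine: str = "CrowdStrike") -> dict:
    """Is the hash known, how many engines flag it, and what `engine` said (only if malicious)."""
    if report is None:
        return {"known": False, "malicious": 0, "engine_result": None}
    attrs = report["data"]["attributes"]
    hit = attrs.get("last_analysis_results", {}).get(engine, {})
    return {"known": True,
            "malicious": attrs.get("last_analysis_stats", {}).get("malicious", 0),
            "engine_result": hit.get("result") if hit.get("category") == "malicious" else None}

def check_hashes(hashes, fetch, engine="CrowdStrike", delay=15.0) -> dict:
    """Look up each hash via `fetch`; `delay` keeps under the free tier's 4 requests/minute."""
    results = {}
    for i, h in enumerate(hashes):
        if i and delay:
            time.sleep(delay)  # throttle between requests
        results[h] = engine_verdict(fetch(h), engine)
    return results

# Constructed sample reports in the v3 response shape (not real VT data).
SAMPLE_REPORTS = {
    "a" * 64: {"data": {"attributes": {
        "last_analysis_stats": {"malicious": 55, "undetected": 10},
        "last_analysis_results": {"CrowdStrike": {
            "category": "malicious", "result": "win/malicious_confidence_100% (W)"}}}}},
    "b" * 64: {"data": {"attributes": {
        "last_analysis_stats": {"malicious": 3, "undetected": 60},
        "last_analysis_results": {"CrowdStrike": {"category": "undetected", "result": None}}}}},
}

if __name__ == "__main__":  # offline demo; live: fetch=lambda h: fetch_report(h, API_KEY)
    print(check_hashes([*SAMPLE_REPORTS, "c" * 64], SAMPLE_REPORTS.get, delay=0))
```

A hash VT has never seen comes back as `known: False`, which is a different answer from "CrowdStrike does not flag it", and, as the reply above notes, neither result says anything about behavioral detections.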







