When reviewing file integrity changes with Change Tracker, you’ll have undoubtedly noticed the hash value within the events.
The event below, the result of Internet Explorer patching, shows ieproxy.dll being updated and a new hash value being generated: 9D4B1B9C267F7E3435A0A2556D9722741FA8AD91.
To understand where the hash value comes from, we have to look at the Change Tracker templates. All out-of-the-box templates provided by Change Tracker have the hashing function enabled and offer a selection of cryptographic functions ranging from MD5 to SHA512, so as soon as a host is registered, the hashing begins!
As we’ve seen from the ieproxy.dll change, the hash value is used as a method to verify a file’s integrity. Change Tracker uses the content of a file and the cryptographic function selected in the template to calculate a unique hexadecimal number for each file. If the file remains the same, then so will the hash value; but should the file contents change, the calculated hash value will differ. Remember that Change Tracker is always watching and, as with ieproxy.dll, a change to a hash value results in an alert event.
Possibly the most important aspect of hashing is this: the hash value of a specific file, whether calculated by NNT or another hash-creating application, will always be the same when the same cryptographic function is used. As Change Tracker users we can leverage this when faced with the inevitable file investigation by taking our hashes to online resources such as VirusTotal.
VirusTotal describes itself as:
‘an information aggregator. The aggregated data is the output of different antivirus engines, website scanners, file and URL analysis tools and user contributions.’
So lots of feeds, pulled into one location, constantly analysing files for authenticity and, crucially for us, creating hash values! We can therefore take our Change Tracker hashes, input them into VirusTotal and review any data about associated matches.
Below is the VirusTotal output for the ieproxy.dll file. Thankfully the information reported by Change Tracker matches what VirusTotal has on record!
There are a number of alternatives to VirusTotal. One such alternative is the Kaspersky whitelist. Once again we can copy a file's hash value from Change Tracker, paste it into Kaspersky and breathe a sigh of relief when "no risk detected" is displayed.
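As an added example (not NNT's or Change Tracker's own code), the Python script below does in miniature what the hashing section and the VirusTotal lookup describe: it baselines the hashes of a monitored folder, detects the patched DLL by its changed digest, shows that a known input hashes to the same value any tool would produce, and builds a lookup URL for a hash. The sample files and their contents are constructed, and the VirusTotal URL form is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Templates offer MD5..SHA512; the 40-hex-character ieproxy.dll value is a SHA-1 digest length.
ALGORITHM = "sha1"

def file_hash(path, algorithm=ALGORITHM, chunk_size=65536):
    """Hash a file's contents in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def baseline(directory, algorithm=ALGORITHM):
    """Record the hash of every file under directory, keyed by relative path."""
    root = Path(directory)
    return {str(p.relative_to(root)): file_hash(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(old, new):
    """Report which monitored files changed content, appeared or disappeared."""
    return {
        "changed": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }

def lookup_url(hash_value):
    """Assumed VirusTotal URL form for looking up a file by its hash."""
    return "https://www.virustotal.com/gui/file/" + hash_value.lower()

def demo():
    """Constructed scenario: a monitored folder in which one DLL is patched."""
    with tempfile.TemporaryDirectory() as d:
        dll = Path(d) / "ieproxy.dll"
        dll.write_bytes(b"original build")        # constructed stand-in for the old DLL
        (Path(d) / "unchanged.dll").write_bytes(b"untouched")
        (Path(d) / "empty.bin").write_bytes(b"")  # empty input: SHA-1 is the same from any tool
        before = baseline(d)
        dll.write_bytes(b"patched build")         # the patch rewrites the file
        after = baseline(d)
        return before, after, compare(before, after)

if __name__ == "__main__":
    before, after, diff = demo()
    for path in diff["changed"]:
        print(f"{path}: {before[path]} -> {after[path]}  {lookup_url(after[path])}")
```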