SHA-1 hash values can be blocked using Control Manager’s or Apex Central’s User-Defined Suspicious Object (UDSO). Other Trend Micro products sync the UDSO and take action on a file with matching SHA-1 hash value depending on the configuration.
Another way is with Apex One leveraging Application Control.
The following products sync SHA-1 User-Defined Suspicious Object (UDSO) from Control Manager/Apex Central:
- Interscan Web Security Virtual Appliance (IWSVA)
- Endpoint Application Control (EAC)
- Deep Discovery Inspector (DDI)
- Deep Discovery Email Inspector (DDEI)
- Apex One (requires Application Control)
The following products DO NOT sync SHA-1 User-Defined Suspicious Object (UDSO) from Control Manager/Apex Central:
- OfficeScan
- Deep Discovery Analyzer (DDAn)
- Deep Security (DS)
- Smart Protection Server (SPS)
- Interscan Messaging Security Virtual Appliance (IMSVA)
To block SHA-1 hash values, use any of the following:
To block SHA-1 hash values using Control Manager, do the following:
- Log on to Trend Micro Control Manager.
- Go to Administration > Suspicious Objects > User-Defined Suspicious Objects.
- Click Add.
- For the Type, select File SHA-1.
- Enter the SHA-1 hash value, and configure the scan action:
- Log
- Block
- Quarantine
- Click Add.
- Log on to Trend Micro Apex Central.
- Go to Threat Intel > Custom Intelligence.
-
Click Add.
-
Enter the SHA-1 hash value and configure the scan action.
- Log
- Block
Create an Application Control Criteria
- Log on to Trend Micro Apex Central.
- Go to Policies > Policy Resources > Application Control Criteria.
-
Click Add Criteria > Block.
- Add name.
- Change Match method to ‘Hash values’.
-
Select either SHA-1 or SHA-256.
Apply the created Application Control Criteria
- Go to Policies > Policy Management.
- Select your Policy.
- Under Application Control, Assign Rule (if with Active Directory integration) or click ‘All user accounts’.
-
Select the recently created Application Control Criteria.
- Click Ok then click Deploy.