"Match using" methods for creating SHA-1 Hash and Non SHA-1 Hash based rules in Endpoint Application Control 2.0

    • Updated: 22 May 2018
    • Product/Version: Endpoint Application Control 2.0
    • Platform: N/A
Summary

When creating a rule in EAC, the "Match using" drop-down menu offers five methods, which match on file location, digital certificate, or the file’s SHA-1 hash value.

Match using


It is important to know which methods use SHA-1 hash value matching, and which setting helps lessen the impact on the network during policy deployment.

Details

The table below shows the designated list of "Match using" methods in the Add or Edit Rule screen.

| Category | Match using | Description |
|---|---|---|
| SHA-1 Hash based | Known applications dynamic search | Match is based on Certified Safe Software List (CSSL) pattern and Endpoint Inventories. |
| SHA-1 Hash based | Certified Safe Software List | Match is based on CSSL pattern only. |
| SHA-1 Hash based | SHA-1 hash values | Match is based on file’s SHA-1 Hash value. |
| Non SHA-1 Hash based | File paths | Match is based on File and Folder paths. |
| Non SHA-1 Hash based | Certificates | Match is based on File’s Digital Certificate. |

The methods under “SHA-1 Hash based” match on the file’s SHA-1 hash values. If the rule matches application(s) with several files, it may have an impact on network usage during data transfer. On the other hand, a rule that uses a “Non SHA-1 Hash” method is much lighter because there is no need for the agents to download SHA-1 hash values when applying the rule.

For rules that use a SHA-1 hash value "Match using" method, you can lessen the impact on network usage by setting the Hash Value Deployment to Partial.

Hash Value Deployment


The difference between Partial and Full is briefly explained below:

  • Partial - Only hash values that match installed applications on the target endpoint are deployed. In the table below, only the msinfo32.exe and 7z.exe file hashes in the Rule Match will be deployed to the agent when applying the rule.

    | Rule Match: Filename (SHA-1 Hash Value) | Agent Inventory and Installed Application: Filename (SHA-1 Hash Value) | SHA-1 Hash Value Match Result | “Partial” Hash Deployment (Downloaded SHA-1 Hash Values) |
    |---|---|---|---|
    | msinfo32.exe (8376ADAE56D7110BB0333EA8278486B735A0E33D) | msinfo32.exe (8376ADAE56D7110BB0333EA8278486B735A0E33D) | Matched | 8376ADAE56D7110BB0333EA8278486B735A0E33D |
    | 7z.exe (4F0F25640E5376AA7FC3D0DF4C39082AE4D8A643) | Renamed_7z.exe (4F0F25640E5376AA7FC3D0DF4C39082AE4D8A643) | Matched | 4F0F25640E5376AA7FC3D0DF4C39082AE4D8A643 |
    | iexplorer.exe (2AA859F008FAFBAEFB578019ED0D65CD0933981C) | iexplorer.exe (8C11BDF0FF609FD44C9A1533CDCCCC263B2BACE) | DO NOT Match | - |
    | Installer.exe (F5D1C8F23E98381810919DD63CF32D385F9500B5) | - | NO Match | - |

    In both Allow and Block rules, the agent can only take action on matched files. This means that the Allow or Block rule is carried out on msinfo32.exe and 7z.exe when executed, but not on iexplorer.exe and Installer.exe.
  • Full - All hash values are deployed to the agent. In the table below, the “SHA-1 Hash Value Match Result” is ignored. Therefore, all file SHA-1 Hash values in the “Rule Match” will be deployed to the agent when applying the rule.

    | Rule Match: Filename (SHA-1 Hash Value) | Agent Inventory and Installed Application: Filename (SHA-1 Hash Value) | SHA-1 Hash Value Match Result | “Full” Hash Deployment (Downloaded SHA-1 Hash Values) |
    |---|---|---|---|
    | msinfo32.exe (8376ADAE56D7110BB0333EA8278486B735A0E33D) | msinfo32.exe (8376ADAE56D7110BB0333EA8278486B735A0E33D) | Ignore | 8376ADAE56D7110BB0333EA8278486B735A0E33D |
    | 7z.exe (4F0F25640E5376AA7FC3D0DF4C39082AE4D8A643) | Renamed_7z.exe (4F0F25640E5376AA7FC3D0DF4C39082AE4D8A643) | Ignore | 4F0F25640E5376AA7FC3D0DF4C39082AE4D8A643 |
    | iexplorer.exe (2AA859F008FAFBAEFB578019ED0D65CD0933981C) | iexplorer.exe (8C11BDF0FF609FD44C9A1533CDCCCC263B2BACE) | Ignore | 2AA859F008FAFBAEFB578019ED0D65CD0933981C |
    | Installer.exe (F5D1C8F23E98381810919DD63CF32D385F9500B5) | - | Ignore | F5D1C8F23E98381810919DD63CF32D385F9500B5 |

Setting the rule to full hash value deployment requires careful planning as it may impact the network during policy deployment.
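
The Partial and Full behaviour described above can be modelled as a set comparison between the rule's hashes and the endpoint's inventory. The following is an added example, not EAC code or an EAC API; the function names are hypothetical and the hash values are copied as printed in the tables above.

```python
# Added illustration: models the Partial/Full behaviour described in this article.
# Function and variable names are hypothetical; this is not EAC code or an EAC API.

# Rule Match entries (filename -> SHA-1), values as printed in the article's table.
RULE_MATCH = {
    "msinfo32.exe": "8376ADAE56D7110BB0333EA8278486B735A0E33D",
    "7z.exe": "4F0F25640E5376AA7FC3D0DF4C39082AE4D8A643",
    "iexplorer.exe": "2AA859F008FAFBAEFB578019ED0D65CD0933981C",
    "Installer.exe": "F5D1C8F23E98381810919DD63CF32D385F9500B5",
}

# Agent inventory (filename -> SHA-1), values as printed in the article's table.
AGENT_INVENTORY = {
    "msinfo32.exe": "8376ADAE56D7110BB0333EA8278486B735A0E33D",
    "Renamed_7z.exe": "4F0F25640E5376AA7FC3D0DF4C39082AE4D8A643",
    "iexplorer.exe": "8C11BDF0FF609FD44C9A1533CDCCCC263B2BACE",
}


def plan_deployment(rule_match, inventory, mode):
    """Return (deployed_hashes, match_results) for one endpoint."""
    if mode not in ("partial", "full"):
        raise ValueError("mode must be 'partial' or 'full'")
    # Matching is on the hash alone, so file names in the inventory are irrelevant.
    installed = {h.upper() for h in inventory.values()}
    results, deployed = {}, []
    for name, digest in rule_match.items():
        digest = digest.upper()
        matched = digest in installed
        if mode == "full":
            results[name] = "Ignore"      # match result is not consulted
            deployed.append(digest)
        else:
            results[name] = "Matched" if matched else "No match"
            if matched:
                deployed.append(digest)
    return deployed, results


def not_covered(rule_match, deployed):
    """Rule entries whose hash the agent did not receive, so no action is taken."""
    return sorted(n for n, h in rule_match.items() if h.upper() not in deployed)


if __name__ == "__main__":
    for mode in ("partial", "full"):
        deployed, results = plan_deployment(RULE_MATCH, AGENT_INVENTORY, mode)
        print(mode, len(deployed), results, not_covered(RULE_MATCH, deployed))
```

Under Partial, the renamed 7z.exe still matches because only the hash is compared, while iexplorer.exe and Installer.exe are left out of the deployed set.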

For further information, refer to the KB article on the Average bandwidth consumption of AC Agents when connecting to the server.

Solution Id: 1119943