3 Replies Latest reply on Oct 17, 2012 9:09 AM by Kirsti-CA

    Hash Rules - Adobe signed virus files

    teckchick72 Level 1

       

      In order to create a hash rule, you must use the hash as determined by the Software Restriction Policy software. You can’t just import a hash that was calculated by another software component, even if the hash matches and uses the same hash algorithm. What is the suggested recommendation for including the 3 virus files that were signed with Adobe certs if manually entering the hash is not an option?

        • 1. Re: Hash Rules - Adobe signed virus files
          Kirsti-CA Adobe Employee

          We have confirmed that you do need the original source file in order to generate the hash value. Our engineering team has generated the hash value and extracted it from the MS rule.

           

          I've attached the file.  Please let us know if it helps!

          • 2. Re: Hash Rules - Adobe signed virus files
            teckchick72 Level 1

            Hello,

            I assume the registry key attached was meant to prohibit the registry changes made by the malware by creating a registry path rule for the software?

            Example path: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot\XXX%

             

            There is no real use case for this problem, so no rush, but I am curious how this is meant to work.

             

            I was hoping to know the actual path and the hash values. I had imported this into my personal machine hoping I could then search for the values in order to verify and test (pwdump, libeay32.dll & myGeeksmail.dll).

            I had no luck with that plan.

            I am looking for other solutions and will send updates if I have any luck.

             

            Thank you,

            Lori Wolcott | Systems Engineer
            direct: (716)805-2545
            mobile: +17166019879
            e-mail: LWolcott@moog.com

            • 3. Re: Hash Rules - Adobe signed virus files
              Kirsti-CA Adobe Employee

              Those are the corresponding registry settings for a software restriction policy hash rule, although it only provides signatures for two of the files.
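
For readers who want to see the path and hash values inside an exported rule, as asked in reply 2, here is an added example (not part of the thread and not the file Adobe attached) that parses a regedit export and lists each Software Restriction Policy hash rule. It assumes the standard SRP layout under `...\Safer\CodeIdentifiers\<level>\Hashes\{GUID}`; the sample export, GUID and hash bytes are constructed.

```python
import re

CALG = {0x8003: "MD5", 0x8004: "SHA1", 0x800C: "SHA256"}   # wincrypt.h ALG_ID values
LEVELS = {0: "Disallowed", 262144: "Unrestricted"}          # SAFER level ids
KEY_RE = re.compile(r"\[.*\\CodeIdentifiers\\(\d+)\\Hashes\\(\{[^}]+\})\]$", re.I)
VAL_RE = re.compile(r'"([^"]+)"=(.*)$')

# Constructed sample. A real export is UTF-16: open(path, encoding="utf-16").read()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{00000000-0000-0000-0000-000000000001}]
"FriendlyName"="sample.exe"
"HashAlg"=dword:00008003
"ItemData"=hex:00,11,22,33,44,55,66,77,\
  88,99,aa,bb,cc,dd,ee,ff
"ItemSize"=hex(b):00,10,00,00,00,00,00,00
'''

def _decode(raw):
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(\(\w+\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        # hex(b) is REG_QWORD, stored little-endian; plain hex is REG_BINARY
        return int.from_bytes(data, "little") if m.group(1) == "(b)" else data
    return raw.strip('"')

def parse_hash_rules(reg_text):
    text = re.sub(r"\\\r?\n\s*", "", reg_text)   # join "\"-continued hex lines
    rules, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            k, cur = KEY_RE.match(line), None    # keys outside \Hashes\ are skipped
            if k:
                cur = {"level": LEVELS.get(int(k.group(1)), k.group(1)), "guid": k.group(2)}
                rules.append(cur)
        elif cur is not None and (v := VAL_RE.match(line)):
            cur[v.group(1)] = _decode(v.group(2))
    return [{"level": r["level"], "guid": r["guid"], "name": r.get("FriendlyName", ""),
             "alg": CALG.get(r.get("HashAlg"), hex(r.get("HashAlg", 0))),
             "hash": r.get("ItemData", b"").hex(), "size": r.get("ItemSize")}
            for r in rules]

if __name__ == "__main__":
    for rule in parse_hash_rules(SAMPLE_REG):
        print(rule)
```

Counting the rules returned is also a quick way to confirm how many files an export actually covers.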