Finding a file whose sha1 is not equal to a list of hashes

(imported topic written by okole91)

I need to write some relevance that will compare the hash of a known file against a list of hashes and return true if the file’s hash does not match any hash in the list.

filename = c:\windows\system32\ping.exe

sha = "1234567"

known good hashes = "3453456" "5345635" "345252452"

In the example above, I need relevance that will return "true" because the file's hash does not match any of the hashes in the list.

I've tried the below, which I assumed would return false, but it still returned true:

sha1 of file "c:\windows\system32\ping.exe" != "3453456" or sha1 of file "c:\windows\system32\ping.exe" != "5345635" or sha1 of file "c:\windows\system32\ping.exe" != "1234567"

What am I doing wrong?

(imported comment written by NoahSalzman)

With a bunch of OR statements you will get TRUE if any of the statements are true.

{ sha1 of file "c:\windows\system32\ping.exe" != "3453456" } is a TRUE statement. Any time that statement is joined via OR with other statements you will always get a TRUE result.

If you use ANDs then if any one of those “not equals” statements is FALSE then the entire result will be FALSE.

Also, another way to approach this is:

exists ("123"; "456"; "789") whose (it = (sha1 of file "c:\foo.exe"))

(imported comment written by okole91)

Nope... it errored out when I added more than one exists qualifier:

Q: exists ("sfgsdfg","asdfasdf") whose (it = (sha1 of file "c:\windows\system32\ping.exe"))

E: The operator “equal” is not defined.

Seems like we're close though. Maybe there's some syntax piece that's missing?

(imported comment written by BenKus)

You will want to use semi-colons instead of commas… but this way is probably more efficient:

q: (it = "1234" OR it = "1235") of sha1 of file "c:\windows\system32\ping.exe"
A: False

Ben

(imported comment written by okole91)

No errors that time, but I didn't get the results I needed. I need the relevance to only be true if the file's sha1 doesn't match any one of the known good hashes. See below:

Q: (it != "005AAD8912A62127A2F416AA9FD089000D24851A" OR it != "03C9CD0D8E90DD8754F8488A085359C818A28A90" OR it != "0DB4AB7E18991BF64139E7078249679098C85F2C" OR it != "17257DF49E03DAF2BA1FA286FBE2C14802ACCD2A" OR it != "1B10F5F97E2B7159C872B3576D72B4CF2AD2FFB5" OR it != "236F25115C31DBFEB11D9BF12B620266F46BA041" OR it != "2667D90C7B0CBCC212B8C9143C28C7AD5105BE49" OR it != "2803AD07C1C7A8908BBDB5F7AB32A19C9A724ECC" OR it != "2915AA45C3FAF60137402270F0C915C0F5CA2CD1" OR it != "2C73542A1598AEA03F7927ECF8F7156106037D67" OR it != "2D570F7E8CD9DFED179996AC40F7F7EF7AC99E93" OR it != "2EA3BAFD66A74ADC6B835F31BD4E4A228F666A5D" OR it != "309FF9840F53DFF406EC580063A9975224F626DE" OR it != "30AE3FF04C8D486A5BE77ACB0939B06AF626F17D" OR it != "328BB23CEF7816035E32B3BF28A9F9606B9FF255" OR it != "34F96E4305B6E28B966F15E9845748E44AF35762" OR it != "38A8E15E68D64670016E62D6D2150F812CD31298" OR it != "44A4B285C1B27FEB36E0E0C3D0081A63241AE6AF" OR it != "487AA6CDB994E1855B33C1F3B0BE522C36540E56" OR it != "540F94FA630BB64529F656C6EAA4F48A3F87756D" OR it != "5690D97E9F9E913431AA9453D0185F2665A713CC" OR it != "583C919DF623E4B8A7B3EFAD6D2E1C792B823D5D" OR it != "58BC35673C8B1F751CD0584A6914740B2F3DCAAE" OR it != "5A658A36EF43147CB3F1DBC4276EA82A239BF8FA" OR it != "5FBA738B9698AA61645CFFE3AD95192C4BACDC49" OR it != "61CBFAB7CB5AB27EED9193F225B77E2EF6BA7321" OR it != "62ABAB09DFD971A90C2030BE44778206991CE2D6" OR it != "6441922698A8CD80A2FC0AE15EFDAF0A0208F50B" OR it != "694BDB08101AD5C18BB5B3425EE01073320B8D8E" OR it != "6BE7E7A20D2AB835C78EB8F3759C304888B86BD4" OR it != "6DB4B4F065610CAE100FBDB850AFC9F16C76AB65" OR it != "6EAEBB4ADCB8B240571D447A1EE9B665F6C181D2" OR it != "752211F65B693C721E27785FCC6C74E9B71997E9" OR it != "7E98241E1B21361CC02DC88EB57C9BB9CF1F4239" OR it != "82B79C07941775B6072D97D5D033E45E8D3C6FDF" OR it != "87230AD4C2646376B819DDA4963DD2C49BC50D7A" OR it != "8FD4C3533D648A14C8183D6F3A3AFEF3D1CC75CE" OR it != "91BD59E2BB7B9ED95B1DF85B314EA8FF0B3B86FD" OR it != "9625698340941EB6D519A219396296E45FDCF7DB" OR it != "97586996280F2A61AE5193DB827C44300BF27FCD" OR it != "9811B4A14E3196AAC93DF7CE2F50C84030AA7D13" OR it != "9BA779EE746DCC5A44B30BDA6436E07997236E52" OR it != "9E1E2EDDA59BDE29226CAD2D5BDA5A954BFCA5DC" OR it != "9F7658F361D9F1398DD90707EDE01F0032991946" OR it != "A09564B76C13C8470A44509A17B4B6023295A361" OR it != "A310EF2F35A8670F6C4B7872073F94764C23FA08" OR it != "A3E367F7F30A9BF9064DEFBF94C36F4EB7CA4C0A" OR it != "ABB417B6F06F8C18F92DCD62D9BC9F2284F468E9" OR it != "B194BB244FF0FD101DCDA79CD8FFC8D33C392D13" OR it != "C6CD44574CC0F5BAC24DE85B0933A132B3A0D684" OR it != "C97875A6819A3F675ABE42C8BB870E191102C94C" OR it != "C98D1FF5D9E1D8366CF130899BC210EBE54E77F8" OR it != "CA58E7CA1EE50FB8EB7428064DFE84381EEDB453" OR it != "CD3B8E1C9C1096C635AA7B37D545C9B0CA241F70" OR it != "CF2DA46516BE3FC6312C2F05DF33C6A05F8562D7" OR it != "D6ED920D3D0ACEB52930A753256A21D43AE1899E" OR it != "D7E22080BF67CA6AE29BB12A51E865C22DDA48F7" OR it != "DA27CBA986161938C5086BB5C94FBBAB523B1F37" OR it != "DF025689B1E2E3C813969828AF26573BA4E2F23A" OR it != "E42C0D9D4669D41F8AB45F31F12B405489F39AFD" OR it != "E5EDDC4EF26EED5A64E4B4C509F01E224238D3C6" OR it != "E634C31114AE87D026812748E791402D69C6D996" OR it != "E667F70144423A645C6BC67CE01424F720594320" OR it != "E79A39606A2067120AEF63431F2C073B4B9298DC" OR it != "E9B9F0A53ED36C9464E4C4C154878742F1CA6EC6" OR it != "EAF20A3BC180FFE0AD59FF7AC786A5FC27DB0C3B" OR it != "EB60EEFA1AD57FA27E661032329AD9AF5FD243DA" OR it != "ED9E18A7E5EE245B77CFB4FC560013849072C943" OR it != "EF7A63AC6A45FA3BD6DD7390CA60462F61A6FCB2" OR it != "F3AF84FA7D5536E54F6A5357F3AC5AEDFA7EE52A" OR it != "FA0E76E509A8DF67B36B20BCBD0F6E4406DF32BA" OR it != "FAEFB399B9FFEBA156D31E2A0DE4195793300343" OR it != "FBDD32ED13D27E4102621E1067FDF3634F33B2C3" OR it != "FBFFF74687F608887E277068ED0390BD04CCF506" OR it != "FEDDBA02158D0425E5895439663C0481CA3911E6") of sha1 of file "c:\windows\system32\sqlsodbc.chm"

A: True

Because the sha1 of the file I am using the debugger on is “87230AD4C2646376B819DDA4963DD2C49BC50D7A”, I would have expected the answer to be false.

Quick question... is it case sensitive?

(imported comment written by okole91)

It is case sensitive... I changed the one good hash to lowercase letters and it returned false, which is what I expected.

How do I tell it not to be case sensitive?

(imported comment written by okole91)

I got it:

Q: (it != "005AAD8912A62127A2F416AA9FD089000D24851A" as lowercase AND it != "03C9CD0D8E90DD8754F8488A085359C818A28A90" as lowercase AND it != "0DB4AB7E18991BF64139E7078249679098C85F2C" as lowercase AND it != "17257DF49E03DAF2BA1FA286FBE2C14802ACCD2A" as lowercase AND it != "1B10F5F97E2B7159C872B3576D72B4CF2AD2FFB5" as lowercase AND it != "236F25115C31DBFEB11D9BF12B620266F46BA041" as lowercase AND it != "2667D90C7B0CBCC212B8C9143C28C7AD5105BE49" as lowercase AND it != "2803AD07C1C7A8908BBDB5F7AB32A19C9A724ECC" as lowercase AND it != "2915AA45C3FAF60137402270F0C915C0F5CA2CD1" as lowercase AND it != "2C73542A1598AEA03F7927ECF8F7156106037D67" as lowercase AND it != "2D570F7E8CD9DFED179996AC40F7F7EF7AC99E93" as lowercase AND it != "2EA3BAFD66A74ADC6B835F31BD4E4A228F666A5D" as lowercase AND it != "309FF9840F53DFF406EC580063A9975224F626DE" as lowercase AND it != "30AE3FF04C8D486A5BE77ACB0939B06AF626F17D" as lowercase AND it != "328BB23CEF7816035E32B3BF28A9F9606B9FF255" as lowercase AND it != "34F96E4305B6E28B966F15E9845748E44AF35762" as lowercase AND it != "38A8E15E68D64670016E62D6D2150F812CD31298" as lowercase AND it != "44A4B285C1B27FEB36E0E0C3D0081A63241AE6AF" as lowercase AND it != "487AA6CDB994E1855B33C1F3B0BE522C36540E56" as lowercase AND it != "540F94FA630BB64529F656C6EAA4F48A3F87756D" as lowercase AND it != "5690D97E9F9E913431AA9453D0185F2665A713CC" as lowercase AND it != "583C919DF623E4B8A7B3EFAD6D2E1C792B823D5D" as lowercase AND it != "58BC35673C8B1F751CD0584A6914740B2F3DCAAE" as lowercase AND it != "5A658A36EF43147CB3F1DBC4276EA82A239BF8FA" as lowercase AND it != "5FBA738B9698AA61645CFFE3AD95192C4BACDC49" as lowercase AND it != "61CBFAB7CB5AB27EED9193F225B77E2EF6BA7321" as lowercase AND it != "62ABAB09DFD971A90C2030BE44778206991CE2D6" as lowercase AND it != "6441922698A8CD80A2FC0AE15EFDAF0A0208F50B" as lowercase AND it != "694BDB08101AD5C18BB5B3425EE01073320B8D8E" as lowercase AND it != "6BE7E7A20D2AB835C78EB8F3759C304888B86BD4" as lowercase AND it != "6DB4B4F065610CAE100FBDB850AFC9F16C76AB65" as lowercase AND it != "6EAEBB4ADCB8B240571D447A1EE9B665F6C181D2" as lowercase AND it != "752211F65B693C721E27785FCC6C74E9B71997E9" as lowercase AND it != "7E98241E1B21361CC02DC88EB57C9BB9CF1F4239" as lowercase AND it != "82B79C07941775B6072D97D5D033E45E8D3C6FDF" as lowercase AND it != "87230AD4C2646376B819DDA4963DD2C49BC50D7A" as lowercase AND it != "8FD4C3533D648A14C8183D6F3A3AFEF3D1CC75CE" as lowercase AND it != "91BD59E2BB7B9ED95B1DF85B314EA8FF0B3B86FD" as lowercase AND it != "9625698340941EB6D519A219396296E45FDCF7DB" as lowercase AND it != "97586996280F2A61AE5193DB827C44300BF27FCD" as lowercase AND it != "9811B4A14E3196AAC93DF7CE2F50C84030AA7D13" as lowercase AND it != "9BA779EE746DCC5A44B30BDA6436E07997236E52" as lowercase AND it != "9E1E2EDDA59BDE29226CAD2D5BDA5A954BFCA5DC" as lowercase AND it != "9F7658F361D9F1398DD90707EDE01F0032991946" as lowercase AND it != "A09564B76C13C8470A44509A17B4B6023295A361" as lowercase AND it != "A310EF2F35A8670F6C4B7872073F94764C23FA08" as lowercase AND it != "A3E367F7F30A9BF9064DEFBF94C36F4EB7CA4C0A" as lowercase AND it != "ABB417B6F06F8C18F92DCD62D9BC9F2284F468E9" as lowercase AND it != "B194BB244FF0FD101DCDA79CD8FFC8D33C392D13" as lowercase AND it != "C6CD44574CC0F5BAC24DE85B0933A132B3A0D684" as lowercase AND it != "C97875A6819A3F675ABE42C8BB870E191102C94C" as lowercase AND it != "C98D1FF5D9E1D8366CF130899BC210EBE54E77F8" as lowercase AND it != "CA58E7CA1EE50FB8EB7428064DFE84381EEDB453" as lowercase AND it != "CD3B8E1C9C1096C635AA7B37D545C9B0CA241F70" as lowercase AND it != "CF2DA46516BE3FC6312C2F05DF33C6A05F8562D7" as lowercase AND it != "D6ED920D3D0ACEB52930A753256A21D43AE1899E" as lowercase AND it != "D7E22080BF67CA6AE29BB12A51E865C22DDA48F7" as lowercase AND it != "DA27CBA986161938C5086BB5C94FBBAB523B1F37" as lowercase AND it != "DF025689B1E2E3C813969828AF26573BA4E2F23A" as lowercase AND it != "E42C0D9D4669D41F8AB45F31F12B405489F39AFD" as lowercase AND it != "E5EDDC4EF26EED5A64E4B4C509F01E224238D3C6" as lowercase AND it != "E634C31114AE87D026812748E791402D69C6D996" as lowercase AND it != "E667F70144423A645C6BC67CE01424F720594320" as lowercase AND it != "E79A39606A2067120AEF63431F2C073B4B9298DC" as lowercase AND it != "E9B9F0A53ED36C9464E4C4C154878742F1CA6EC6" as lowercase AND it != "EAF20A3BC180FFE0AD59FF7AC786A5FC27DB0C3B" as lowercase AND it != "EB60EEFA1AD57FA27E661032329AD9AF5FD243DA" as lowercase AND it != "ED9E18A7E5EE245B77CFB4FC560013849072C943" as lowercase AND it != "EF7A63AC6A45FA3BD6DD7390CA60462F61A6FCB2" as lowercase AND it != "F3AF84FA7D5536E54F6A5357F3AC5AEDFA7EE52A" as lowercase AND it != "FA0E76E509A8DF67B36B20BCBD0F6E4406DF32BA" as lowercase AND it != "FAEFB399B9FFEBA156D31E2A0DE4195793300343" as lowercase AND it != "FBDD32ED13D27E4102621E1067FDF3634F33B2C3" as lowercase AND it != "FBFFF74687F608887E277068ED0390BD04CCF506" as lowercase AND it != "FEDDBA02158D0425E5895439663C0481CA3911E6") of sha1 of file "c:\windows\system32\sqlsodbc.chm"

A: False
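Editor's note, added example (not relevance posted by anyone in this thread): the same "not in the allowlist" check can be written so that the case normalisation is applied once, to the computed hash, instead of to every list entry. The thread shows that the sha1 inspector returns lowercase hex, so casting it with "as uppercase" lets the list stay exactly as it was published. Only two hashes from the list above are used here as placeholders; the real list goes in the same way. The first query errors if the file is absent (a singular "file" that does not exist); the second uses the plural "files", which yields nothing for a missing file, so it evaluates to False rather than erroring. Lines not starting with "Q:" are annotations, not relevance, and are not part of the query.

```relevance
Annotation: True when the file is present and its SHA1 is not one of the known-good values; errors if the file does not exist.
Q: (it != "005AAD8912A62127A2F416AA9FD089000D24851A" AND it != "87230AD4C2646376B819DDA4963DD2C49BC50D7A") of (sha1 of file "c:\windows\system32\sqlsodbc.chm" as uppercase)

Annotation: same check, but "files" (plural) returns no object when the file is missing, so the result is False instead of an error. sha1 is computed once per file, not once per list entry.
Q: exists (sha1 of files "c:\windows\system32\sqlsodbc.chm" as uppercase) whose (it != "005AAD8912A62127A2F416AA9FD089000D24851A" AND it != "87230AD4C2646376B819DDA4963DD2C49BC50D7A")
```

Because "as uppercase" is applied to the single computed hash, the list entries need no per-item cast, which is also where the final entry in the long query above would otherwise be easy to miss.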

(imported comment written by jessewk)

Hi Okole,

Please be careful with the expression above. Sha1 calculations are relatively expensive so we try not to put sha1 checks in Fixlet relevance. If you absolutely have to check the sha1, it’s a good idea to create a property with the check and set the evaluation interval on the property to something like once every couple of hours.

Then if you need to remediate machines that don’t have the correct sha1, you can use the property to target an action.

Jesse

(imported comment written by ktm_200091)

THANK YOU!!! The company published a link to a service which was compromised by Gumblar, and the analysis above saved me a ton of effort...

BRAVO!!!

I also used this to document proof of no infections:

sha1 of file "c:\windows\system32\sqlsodbc.chm"

And

size of file "c:\windows\system32\sqlsodbc.chm"

Is there a way to combine the two statements and bring back both pieces of info in one analysis?

Also, we have some older PCs which were upgraded from Win 2000, so the Windows directory is c:\winnt. Is there a way to put in DOS variables such as %WINDIR% so the check works for both directories?

(imported comment written by NoahSalzman)

Regarding the WINDIR question, you can use "pathname of windows folder" (a search on "WINDIR" in the Forums brings up this thread http://forum.bigfix.com/viewtopic.php?id=1938).

sha1 of file (pathname of windows folder & "\system32\sqlsodbc.chm")
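Editor's note, added example (not posted by anyone in this thread): the two analysis questions above, combining the hash and the size into one property and making the path independent of the Windows directory, can be answered with a single tuple-valued query. "pathname of windows folder" resolves to c:\windows or c:\winnt as appropriate, and the plural "files" means machines without the file report no value rather than an error. The uppercase cast is an assumption about how the reporting list is written; drop it if lowercase output is wanted. Lines not starting with "Q:" are annotations, not relevance.

```relevance
Annotation: one result per machine, of the form "<SHA1>, <size in bytes>"; no result (not an error) where the file is absent.
Q: (sha1 of it as uppercase, size of it) of files (pathname of windows folder & "\system32\sqlsodbc.chm")
```

Used as an analysis property, this gives both pieces of evidence in one column, and the SHA1 half of the tuple can be compared against the published list on the server side instead of hashing the file again in Fixlet relevance, which is the cost Jesse warned about.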