Channel: Symantec Connect - Products - Articles

Does Symantec Detect This: An Illustrated Guide to Public Hash Submission

Introduction

This is number twelve in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles.

One of those previous articles discussed how to get suspicious or malicious files to Security Response so that defenses can be built: Symantec Insider Tip: Successful Submissions!  In December 2015, Symantec introduced a powerful new method of providing malware samples: Public Hash Submission.

It is now possible to submit a publicly available hash to Symantec Security Response. If the file is available from a public source that we have access to, we will process it as if it was a standard file submission. This is very useful for situations like:

"I have received a warning about a file with MD5 hash X. Does Symantec protect me against this threat?"

Virustotal.com is a great resource, but it does not always reflect the current status of which vendors detect a file.  (Also, it does not indicate whether technologies like IPS, SONAR or other components protect against a threat, only AntiVirus.  There are other limitations as well.)

For the sake of illustration, let's suppose an alert has been posted or circulated regarding a file with a particular hash.  A check on virustotal.com indicates that several vendors detect it, comments indicate it is malicious and the file has a poor reputation....

other_vendors_detect.png

Symantec is not listed on the page.  We can now go to Symantec's submissions portal and choose to have that file checked out.  Select "Hash Submission" from the drop down....

select_hash.png

Fill out the form, being careful to supply the correct contact details and Support ID number.  Paste the SHA256 or MD5 of the file in the input box, and provide a note if desired.

completed_public_hash_submission_form.png

Click Submit!   Shortly after submission, an email arrives with the Tracking Number for the file....

public_hash_tracking_mail.png

If Symantec is already aware of that file and has a known verdict about it, a Closing mail is dispatched quickly.  If it is new to Symantec, the file will be examined and a Closing note sent.  For example....

public_hash_closed.png

Frequently Asked Questions

Q. What hash formats can be used?

A. MD5 or SHA256 only, please.

Q. How large can the files be?

A. 100 MB is the maximum size.

Q. Can I provide the hash of .zips or .jars and get the system to download and examine everything inside?

A. Nope, just the hash of one single file. Containers such as ZIP or RAR are not supported.

Q. Is there another great new way to get files submitted?

A. Yes, by URL!  See Submit to Security Response by URL

Q. Can I submit suspected False Positives by their hash?

A. This new feature is just for suspected malware, please!

Q. What public sources is Symantec using?

A. For the initial launch we are using VirusTotal.com
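
A local pre-check of the constraints in this FAQ, as an added example (not Symantec's code and not part of the original article): it classifies a hash string as MD5 or SHA256, and for a sample you hold locally it computes both hashes and flags files that exceed the size limit or are ZIP/RAR containers. The function names, the reading of "100 MB" as 100 × 1024 × 1024 bytes, and the magic-byte container check are assumptions.

```python
import hashlib
import os
import re
import tempfile

MAX_BYTES = 100 * 1024 * 1024  # assumption: "100 MB" read as 100 MiB
# Leading magic bytes of the container formats the FAQ names (JAR files are ZIPs).
CONTAINER_MAGIC = {b"PK\x03\x04": "ZIP/JAR", b"Rar!\x1a\x07": "RAR"}
HASH_LENGTHS = {32: "MD5", 64: "SHA256"}  # hex digits per accepted hash type

def classify_hash(value):
    """Return 'MD5' or 'SHA256' for an accepted hash string, else None (e.g. SHA1)."""
    value = value.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HASH_LENGTHS.get(len(value))

def precheck_file(path):
    """Hash a local sample and list reasons it would not suit a hash submission."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size, head = 0, b""
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            if not head:
                head = chunk[:8]  # keep the first bytes for the magic check
            size += len(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    problems = []
    if size > MAX_BYTES:
        problems.append("larger than 100 MB")
    for magic, name in CONTAINER_MAGIC.items():
        if head.startswith(magic):
            problems.append(f"{name} container: submit the hash of a single inner file")
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "size": size, "problems": problems}

def demo():
    # Constructed sample: 30 bytes starting with a ZIP local-file header, not real malware.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"PK\x03\x04" + b"\x00" * 26)
    try:
        return precheck_file(tmp.name)
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    print(demo())
```
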

Conclusion

Many thanks for reading!  Please do leave comments and feedback below. 

