Override MD5s of processes

In Xprotect, an MD5 override is a way to supersede the Trust values assigned by the Xprotect Threat Intelligence engine to the MD5 hashes of the applications and processes. Optionally, you can also set the scopes of the MD5 overrides to specific files or file paths. 


MD5 overrides

An MD5 override bypasses (temporarily or permanently) the current AutoTrust settings, and the Monitor or Block controls attached to them, for that hash, and instead applies the AutoTrust settings and controls that correspond to the new Trust value. An MD5 override is an instance-level change: it supersedes the AutoTrust settings and controls of all the policies in the instance, so it takes effect on every host managed from the instance.

For example, for a policy with an AutoTrust setting to block applications or processes whose risk is Unknown and monitor applications or processes that are Low Risk, overriding an Unknown MD5 to Low Risk allows the relevant applications and processes to run on the hosts.

MD5 overrides are useful, for example, to:

  • Run proprietary applications and the relevant processes that have not yet been analyzed (Trust value = Unknown) by the Threat Intelligence engine. This is particularly applicable when you have set Unknown applications to be blocked on the hosts. 

    For example, override an application or process from Trust value = Unknown to Trust value = Good.

  • Allow specific applications and relevant processes with High Risk, Medium Risk, and/or Low Risk values for experimental or analysis purposes in a contained environment. 

    For example, malwareA.exe is a Medium Risk process as per the Threat Intelligence engine, but you want to run it on some hosts to study the process behavior.

  • Block or monitor specific applications and processes that pose no risk (Trust value = Good) as per the Threat Intelligence engine on hosts. 

    For example, with AutoTrust settings set to monitor Low Risk applications in policies, override MD5s to Trust value = Low Risk and monitor such applications' usage with alerts.
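To make the precedence described above concrete, the following is an added example (not Xprotect's own code, and not an API the product exposes) that models how an override table replaces the Threat Intelligence Trust value for a hash before a policy's AutoTrust controls are applied. The threat-intelligence table, the policy mapping, the two file contents and the scope-matching rules (exact file-name match, path-prefix match) are all constructed assumptions for illustration.

```python
"""Model of MD5 override precedence (added illustration, not product code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five Trust values the page lists for the Trust drop-down.
TRUST_VALUES = ("Good", "Unknown", "Low Risk", "Medium Risk", "High Risk")


def md5_of(content: bytes) -> str:
    """Hex MD5 of a file's bytes: the key the engine and the override table use."""
    return hashlib.md5(content).hexdigest()


@dataclass
class Md5Override:
    """One row of the Settings > MD5 Overrides page."""
    md5: str
    trust: str
    file_name: Optional[str] = None   # optional scope
    file_path: Optional[str] = None   # optional scope
    description: str = ""

    def applies_to(self, md5: str, file_name: str, file_path: str) -> bool:
        # Assumption for this model: a file-name scope must match exactly and a
        # file-path scope is a case-insensitive prefix; an unset scope matches all.
        if self.trust not in TRUST_VALUES:
            raise ValueError(f"unknown Trust value {self.trust!r}")
        if self.md5.lower() != md5.lower():
            return False
        if self.file_name and self.file_name.lower() != file_name.lower():
            return False
        if self.file_path and not file_path.lower().startswith(self.file_path.lower()):
            return False
        return True


def effective_trust(md5: str, file_name: str, file_path: str,
                    intel: Dict[str, str], overrides: List[Md5Override]) -> Tuple[str, str]:
    """Return (trust, source): a matching override wins over the engine's value.
    Hashes the engine has not analyzed are treated as Unknown."""
    for override in overrides:          # instance-wide: the same table applies to every host
        if override.applies_to(md5, file_name, file_path):
            return override.trust, "override"
    return intel.get(md5.lower(), "Unknown"), "threat-intel"


def decide(policy: Dict[str, str], md5: str, file_name: str, file_path: str,
           intel: Dict[str, str], overrides: List[Md5Override]) -> Tuple[str, str, str]:
    """Apply a policy's AutoTrust controls to the effective Trust value.
    Returns (action, trust, source); a Trust value the policy does not mention is allowed."""
    trust, source = effective_trust(md5, file_name, file_path, intel, overrides)
    return policy.get(trust, "Allow"), trust, source


# Constructed sample data -------------------------------------------------
PROPRIETARY_MD5 = md5_of(b"constructed bytes of an in-house tool")   # not analyzed yet
SAMPLE_MD5 = md5_of(b"constructed bytes of a file rated Medium Risk")

# What the Threat Intelligence engine reports (constructed).
INTEL = {SAMPLE_MD5: "Medium Risk"}

# A policy as in the page's example: block Unknown, monitor Low Risk.
POLICY = {"Good": "Allow", "Unknown": "Block", "Low Risk": "Monitor",
          "Medium Risk": "Block", "High Risk": "Block"}

OVERRIDES = [
    # Use case 1: run a proprietary tool the engine has not analyzed.
    Md5Override(PROPRIETARY_MD5, "Good", description="in-house tool, signed internally"),
    # Use case 2: allow (with monitoring) a Medium Risk file only inside a sandbox path.
    Md5Override(SAMPLE_MD5, "Low Risk", file_path="C:\\Sandbox\\",
                description="behaviour study in contained environment"),
]

if __name__ == "__main__":
    cases = [
        (PROPRIETARY_MD5, "tool.exe", "C:\\Program Files\\Acme\\tool.exe"),
        (SAMPLE_MD5, "sample.exe", "C:\\Sandbox\\sample.exe"),
        (SAMPLE_MD5, "sample.exe", "C:\\Users\\bob\\sample.exe"),
    ]
    for md5, name, path in cases:
        print(path, "->", decide(POLICY, md5, name, path, INTEL, OVERRIDES))
```

Running the block shows the three outcomes the page describes: the unanalyzed tool changes from Block (Unknown) to Allow (Good), the Medium Risk sample is only Monitored inside the scoped path, and outside that path the engine's Medium Risk value and the policy's Block control still apply. Removing a row from OVERRIDES is the model of the Delete action: the host immediately falls back to the real-time engine value.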


MD5 Overrides page

You can override MD5s based on a manual or predefined list (Settings > MD5 Overrides page) or from the findings in the Trust alerts generated on the hosts (Alerts > Summary page).

All MD5 overrides are listed on the Settings > MD5 Overrides page.


Add MD5 Overrides

Add a predefined list of MD5 overrides along with their scopes and other details from the Settings > MD5 Overrides page.

  1. Go to Settings > MD5 Overrides.

  2. Click New MD5 Override.

  3. Do the following in the Add MD5 Override fly panel:

    1. Paste the MD5 in the MD5 text box.

    2. From the Trust drop-down list, select the preferred Trust value - Good, Unknown, Low Risk, Medium Risk, or High Risk.

    3. (Optional) Enter the scope of the file name and file path in the File Name and File Path text boxes.

    4. (Optional) In the Reference Link and Description text boxes, enter the details of why you want to override the MD5.

  4. Click Save.


Override MD5s from alerts

Add MD5 overrides for MD5s seen with Trust alerts from the Alerts > Summary page. Although you can add overrides for multiple MD5s at one go, you must go to the Settings > MD5 Overrides page to set custom scopes for the overrides.

  1. Go to Alerts > Summary.

  2. Filter the alerts by Alert Category = Trust.

  3. Select the alert rows whose MD5s must be overridden and click MD5 Override (in the floating panel at the top).

  4. Do the following in the MD5 Overrides fly panel:

    1. (Optional) To see the alerts related to an MD5 before the override, click the 3-dot menu and click View Related Alerts.

    2. (Optional) To delete an MD5 from the selected list of MD5s, click the 3-dot menu and click Delete From List.

    3. From the Trust column of an MD5, select the preferred Trust value - Good, Unknown, Low Risk, Medium Risk, or High Risk.

    4. (Optional) Click the down arrow of an MD5 and enter the details of why you want to override the MD5 in the Reference Link and Description text boxes.

    5. (Optional) Repeat steps 1 to 4 for all selected MD5s.

  5. Click Save.


Edit Overrides

Edit the overrides when you want to set custom scopes for overrides added from the alerts or change the Trust values for the overrides.

  1. Click the 3-dot menu of an MD5 override and click Edit.

  2. Add or edit the current entries for the MD5 and click Save.


Delete Overrides

Delete overrides that were temporarily added or when you want to revert to using the real-time Trust values of the applications and/or the associated processes.

  • Select one or more overrides and click Delete (in the floating panel on the top).
