MD5 Hash Windows Defender Exclusions
Lashon'la Ledner'la
Some files that need to be excluded from Windows Defender can move from downloads folder, to documents, to shared drives, and be shared to SharePoint, etc. The point is file paths are not concrete, thus file exclusion becomes useless in some cases. Being able to do a file exclusion using MD5 or something similar would be helpful. Pretty Please
Canny AI
Merged in a post:
Manage Custom Indicators / Exclude by File Hash / Certificate
Joel DeTeves
Currently managing Custom Indicators is a PITA - when a vendor drops an update and it gets blocked by Exploit Guard, we always end up doing something hacky like adding a process exclusion with wildcards.
This is somewhat undesirable security-wise and it would be better if we had a way to exclude by File Hash / Certificate similar to the way the Microsoft Security Portal handles it.
Better still if it could be handled by Agent, Client or Account the way current exclusions are handled.
Phil Stricker
As Defender is capable of defining WDAC exclusions by hash, this should be possible for Huntress. We really need that feature.
Dave Kleinatland
At this time, blocking by file hash or certificate fingerprint appears to be a feature limited to MS Defender for Endpoint. It's actually a two-step process in MDE where you create an indicator based on a hash/fingerprint, then create a rule to audit, block, or allow that indicator. There's also an "EnableFileHashComputation" option that must be enabled when using MDE to collect these file hashes. In testing, enabling it without the MDE service running has no effect and it does not log file hashes as it does when MDE is in use. We'll certainly keep our eyes open for options to provide this if they become available.
Arthur'la Heller'la
From the cmdlets in PowerShell for Defender, I don't think this is a thing they can do. They've said on calls that they're in talks to add this feature, but I don't know how they'd do it.