3 Replies Latest reply on Jun 8, 2017 9:43 AM by randyb1

    How can I bulk-add signature hashes to a config?

    randyb1 Employee

      I’m asking for a customer that wants to create a bunch of signature hash rules.

        • 1. Re: How can I bulk-add signature hashes to a config?
          jamesr SupportEmployee

          Hey Randy,

           

          The only option directly in the product is the "Signature Wizard", which is only available when creating a group within the "Group Management" section of the console:

           

           

          Once you launch the wizard it allows you to either scan a folder (including its subfolders), or examine running processes.

           

          You'll then be prompted to select which files you want to generate a signature for, and once complete you can assign the group you've created as an allowed/denied item to one of your rule groups.

           

          Kind Regards,

          James.

          • 2. Re: How can I bulk-add signature hashes to a config?
            Fordo Apprentice

            Where c:\temp\input.txt is a tab-separated list of {path, hash}

             

            c:\program files\uTorrent\uTorrent.exe b4867872617f817756506c97d072aa80c43ac0f7

            c:\temp\bad.exe cf2ba2d6a2ab3378326e63aeec4b2fb72763196a

             

            The following script will read it and create rules, saving them in a temp aamp file and launching it at the end:

             

            # modify the dot version number depending on your version of AM
            $confHelper = new-object -comobject 'AM.ConfigurationHelper.1'
            $conf = new-object -comobject 'AM.Configuration.4'

            # start from the default configuration
            $confXml = $confHelper.DefaultConfiguration
            $conf.ParseXML($confXml)

            Get-Content -Path c:\temp\input.txt | % {
              # skip blank lines so no empty rule is created
              if ($_.Trim() -eq '') { return }

              # each line is: path <tab> SHA-1 hash
              $fields = $_ -split "`t"
              $filePath = $fields[0]
              $hashValue = $fields[1]

              # build one signature item per input line
              $as = $conf.ManufactureInstanceFromClassName('AM.SignatureFile')
              $as.SHA1Hash = $hashValue
              $as.CommandLine = $as.SHA1Hash
              $as.Path = $filePath

              # add it as a prohibited signature to the 'Everyone' group rule
              $conf.GroupRules.Item('Everyone').ProhibitedSignatures.Add($as.XML())
            }

            # save to a temp .aamp file and open it
            $tempAampFile = [System.IO.Path]::GetTempFileName() + ".aamp"
            $confHelper.SaveLocalConfiguration($tempAampFile, $conf.XML())
            &$tempAampFile

             

             

            If you instead wanted AM to generate the hashes then hack the script a bit and use $as.SHA1Hash = $confHelper.ReadSha1HashFromFile($filePath)

             

            The result:

            hashes.png
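The script in reply 2 takes each input line as given, so a malformed line (no tab, a truncated hash, a repeated hash) becomes a rule that never matches or a duplicate entry. The following is an added example, not part of the original post or the product: a pre-flight check for the tab-separated {path, hash} list. The function name `Test-SignatureList`, its status labels and the sample lines are constructed for illustration; it uses only built-in PowerShell cmdlets and no AM COM objects.

```powershell
# Added example: validate the tab-separated {path, hash} list before building rules.
function Test-SignatureList {
    param(
        [string[]] $Lines,
        [switch]   $VerifyOnDisk   # also compare against the file's real SHA-1 if it exists locally
    )
    $seen   = @{}   # hash -> first line number it appeared on
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        if ([string]::IsNullOrWhiteSpace($line)) { continue }   # tolerate blank lines

        $fields = $line -split "`t"
        $path   = $fields[0].Trim()
        $hash   = if ($fields.Count -ge 2) { $fields[1].Trim().ToLowerInvariant() } else { '' }
        $status = 'OK'

        if     ($fields.Count -ne 2)              { $status = 'BadFieldCount' }
        elseif ($path -eq '')                     { $status = 'EmptyPath' }
        elseif ($hash -notmatch '^[0-9a-f]{40}$') { $status = 'BadSha1' }   # SHA-1 = 40 hex chars
        elseif ($seen.ContainsKey($hash))         { $status = "DuplicateOfLine$($seen[$hash])" }
        elseif ($VerifyOnDisk -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash.ToLowerInvariant()
            if ($actual -ne $hash) { $status = 'HashMismatch' }
        }
        if ($status -eq 'OK') { $seen[$hash] = $lineNo }

        [pscustomobject]@{ Line = $lineNo; Path = $path; SHA1 = $hash; Status = $status }
    }
}

# Constructed sample input: the two lines from the post plus three deliberately bad ones.
$sample = @(
    "c:\program files\uTorrent\uTorrent.exe`tb4867872617f817756506c97d072aa80c43ac0f7",
    "c:\temp\bad.exe`tcf2ba2d6a2ab3378326e63aeec4b2fb72763196a",
    "c:\temp\copy.exe`tCF2BA2D6A2AB3378326E63AEEC4B2FB72763196A",   # same hash, different case
    "c:\temp\short.exe`tcf2ba2d6",                                   # truncated hash
    "c:\temp\spaces.exe cf2ba2d6a2ab3378326e63aeec4b2fb72763196a"    # space instead of tab
)

Test-SignatureList -Lines $sample | Format-Table -AutoSize

# Against the real file:
#   Test-SignatureList -Lines (Get-Content c:\temp\input.txt) | Where-Object Status -ne 'OK'
```

Only lines reported as `OK` should be fed to the rule-building loop; with `-VerifyOnDisk`, a `HashMismatch` means the listed hash no longer matches the file at that path on the machine running the check.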

             

            • 3. Re: How can I bulk-add signature hashes to a config?
              randyb1 Employee

              Thanks James!  I actually posted the question here so Greg could post his reply.  Wanted it here for public reference.  But I didn't even realize there was a native function to do this.