MSI files include timestamps that typically are unique on each endpoint, and this causes the hash of the same MSI file to be different on every machine. This affects hash approvals and bans of MSI files in two ways.
- To provide identical hashes for functionally identical MSI files, the Carbon Black App Control Agent creates a "fuzzy" SHA-256 hash of each MSI file, without unique timestamps. This means that you can apply rules to all copies of an MSI if you use a SHA-256 hash created in Carbon Black App Control. However, if you import or copy a SHA-256 hash for an MSI from another source, rules that use the imported MSI are unlikely to be effective in Carbon Black App Control.
- For MD5 and SHA-1 hashes of MSI files, the Carbon Black App Control Agent hashes the whole file. This means that because of different timestamps, each copy of a functionally identical MSI file has a different hash, and file rules that use an MD5 or SHA-1 hash of an MSI file are unlikely to work as expected.
Because of these issues, the best practice for approving or banning an MSI file is to use the SHA-256 hash created in Carbon Black App Control. Other hash types, and hashes imported from elsewhere, should be avoided.