Use this procedure to upload a CSV file with a list of hashes, certificates, or IT tools following the instructions in File Format. Enterprise EDR-only organizations only support the BLACK_LIST and SHA256 values

Prerequisites

Important: Enterprise EDR-only organizations only support hash banning. You cannot upload IT tools, Certs, items to the approval list.

Before uploading, ensure your upload file is in the correct file format:

TIP: Precise formatting instructions are provided on the Upload user interface.

  • The file is a plain ascii text file in "CSV" (comma separated values) format.
  • Values (such as the description field) that contain commas may be quoted using the double-quote character.
  • Each line in the file describes a single indicator - the format for each row is described below:

    The required fields must be in the following order: list type, indicator type, indicator value, description, application name

    • list type: black_list
    • indicator type: indicator SHA-256
    • indicator value: actual file hash (SHA-256 format)
    • description: text to describe this entry
    • application name: optional
Note: MD5 is not supported. The hash must be in SHA-256 format and requires six or more fields. If a field is empty, use the following format where empty fields are denoted by commas: Field1, Field2, Field4, Field6

Procedure

  1. On the left navigation pane, click Enforce>Reputation.
  2. Click Upload.
  3. Navigate to and select the file to upload, and then click Open.
  4. Verify the correct file is listed and then click Upload.

Results

Example: Upload file

/*** SHA256 Hash ***/
WHITE_LIST,SHA256,154899999adfa4f56ade1c04840a517e86dc5c938fac1ba6906c38339a281f82,This hash is known to be harmless,Safari
BLACK_LIST,SHA256,dcab890006eccd887c26a1bd2bcb344e2ce1a80c2e6fc8621ed04489dc1631c8,Unknown untrusted app
BLACK_LIST,SHA256,5348cfde0024b9557e57f099e1f3c3e20f389e7822dda376ad06009e43dd700a,Fake malware for testing,fake

/*** IT Tool ***/
WHITE_LIST,IT_TOOL,/user1/somefolder/sometool,The IT tool is known to be harmless,true
WHITE_LIST,IT_TOOL,/user1/somefolder/sometool,The IT tool is known to be harmless,false

/*** Certificate ***/
WHITE_LIST,CERT,Global,The certificate is known to be harmless,Root certificate authority
WHITE_LIST,CERT,Global,The certificate is known to be harmless,InCommon RSA Server CA