This documentation does not apply to the most recent version of uberAgent.

Hash Calculation of PE Images

uberAgent ESA calculates hashes of executables (e.g., .exe, .dll, or .sys files). Whenever a process is started or a DLL is loaded, uberAgent calculates the hash of the file located on disk. uberAgent supports the hash variants MD5, SHA-1, SHA-256, and ImpHash, either individually or in any combination at the same time.
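As an added illustration (not uberAgent's code), the canonical import string that ImpHash is the MD5 of, plus the three file digests computed in one pass over the image bytes. The import list is a constructed sample standing in for a parsed PE import directory, and ordinal-only imports are rendered as "ordN" without the per-DLL ordinal-to-name lookup that some tools apply.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# One parsed import entry: (DLL name as written in the import directory,
# function name, ordinal). Name is None when imported by ordinal only.
ImportEntry = Tuple[str, Optional[str], Optional[int]]

# Constructed sample import table; not taken from a real binary.
SAMPLE_IMPORTS: List[ImportEntry] = [
    ("KERNEL32.DLL", "CreateFileW", None),
    ("KERNEL32.DLL", "WriteFile", None),
    ("ADVAPI32.dll", "RegOpenKeyExW", None),
    ("WS2_32.dll", None, 23),  # imported by ordinal only
]


def imphash_input(imports: List[ImportEntry]) -> str:
    """Build the 'dll.func,dll.func,...' string that ImpHash hashes.

    DLL names are lower-cased and lose a .dll/.ocx/.sys extension, function
    names are lower-cased, ordinal-only imports become 'ordN'. Import order is
    preserved, so the same imports in another order give a different hash.
    """
    parts = []
    for dll, name, ordinal in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        func = name.lower() if name else f"ord{ordinal}"
        parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports: List[ImportEntry]) -> str:
    """ImpHash is the MD5 of the canonical import string."""
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of the on-disk image, fed from a single read."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for h in digests.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in digests.items()}
```

Because the canonical string is order-sensitive and case-normalised, two builds of the same program with the same import table share an ImpHash even when their MD5/SHA digests differ.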

Configuration

The uberAgent ESA hash calculation feature is configured through the process startup setting EnableCalculateHash. In the default configuration, MD5 hash calculation is enabled.

Process and library (DLL) hashes are cached to reduce CPU load. Cache lifetime is managed automatically. The cache’s size can be configured (or disabled altogether) via the configuration setting HashesCacheMaxSize.

Metadata

Sourcetype

Process hashes are part of the sourcetypes uberAgent:Process:ProcessStartup and uberAgentESA:Process:ProcessStop. Please see the metrics documentation for a description of the fields.

Because image load events produce a very large volume of data, their hash values are not sent to the backend; they can, however, be used with the Threat Detection Engine.
