Documentation

Contents
Contents
Contents
Contents

Hash Calculation of PE Images

uberAgent ESA calculates hashes of executables (e.g., .exe, .dll or .sys files). Whenever a process is started or a DLL is loaded, uberAgent calculates the hash of the file located on disk. uberAgent supports the hash variants MD5, SHA-1, SHA-256, and ImpHash.

Configuration

uberAgent ESA hash calculation feature is enabled or disabled through the process startup setting EnableCalculateHash. In the default configuration, hash calculation is disabled.

Metadata

Sourcetype

Hash values along with the hash type are part of the sourcetype uberAgent:Process:ProcessStartup. Please see the metrics documentation for a description of the fields.

Due to the huge amount of data being produced, hash values for images load events are not sent to the backend but can be used with the Activity Monitoring Engine.

Leave a Reply

Your email address will not be published. Required fields are marked *