When a File is added to a Blacklist Policy in Symantec Advanced Threat Protection (ATP) or Symantec Endpoint Detection and Response (SEDR) appliance, it can be added with either its SHA256, MD5 file hash or both. The difference between these two options is explained below.
File hash SHA256 If Symantec Endpoint Protection (SEP) is configured to use the appliance as the Private Cloud, SEP immediately quarantines blacklisted SHA256 executable files when it detects them on the endpoints. SEDR will return a "Bad" reputation response for the file in question, thus convicting it. The Endpoint's Download Insight Protection Technology acts accordingly:
Note: If the SEP client has cached an Insight response in the IronDB, it will not perform another query until the cache expires.
File hash MD5 If SEDR is integrated with SEP, the MD5 hash value is added to the File fingerprint files list on Symantec Endpoint Protection Manager (SEPM) that corresponds with the name of the appliance. SEP's System Lockdown Feature will be automatically enabled in Blacklist Mode for all domains, and all groups within those domains, using the File fingerprint files list:
Note: The Blacklist Mode System Lockdown settings should not be changed to Whitelist Mode. While this action will not be prevented in SEPM, important applications on client computers will not be blocked.
If you add a new group to SEPM, the appliance File fingerprint files list is subsequently synchronized with that group as well. The File fingerprint files list does not affect other fingerprint files that you create in SEP.
SEPM Client Groups that already had System Lockdown enabled in Whitelist Mode prior to the ATP integration will also not be affected.
The SEP System Lockdown feature will only block executable files matching the MD5 hashes entered in to the Blacklist. SEP will not block normal file types like .jpg or .xml.