Alhizabi
Level 8
Message 1 of 7

Unable to set file reputation using API

Hello my friends,

 

I have been trying to test the McAfee ePO API to do some automations. I am trying to set file reputation using the tie.setReputations call. I am currently testing using the browser.

This is my example json string:

[{"sha256":"Njg4Nzg3RDhGRjE0NEM1MDJDN0Y1Q0ZGQUFGRTJDQzU4OEQ4NjA3OUY5REU4ODMwNEMyNkIwQ0I5OUNFOTFDNg==","reputation":"50"}]

 

And then I URL-encode the JSON value; this is the request (I removed some sensitive values):

https://myepourl:8443/remote/tie.setReputations?fileReps=%5B%7B%22sha256%22%3A%22Njg4Nzg3RDhGRjE0NEM...

 

I get the following error message:

Error 0 :
Failed to set Reputations: Error during request handling. Error code: 0

 

I checked the ePO localhost_access_log file; it shows the following line:

[#######] *.*.*.* GET /remote/tie.setReputations?fileReps=%5B%7B%22sha256%22%3A%22Njg4Nzg3RDhGRjE0NEM1MDJDN0Y1Q0ZGQUFGRTJDQzU4OEQ4NjA3OUY5REU4ODMwNEMyNkIwQ0I5OUNFOTFDNg%3D%3D%22%2C%22reputation%22%3A%2250%22%7D%5D HTTP/1.1 84 200 [https-jsse-nio-8443-exec-95] [61AC54CF8E121BEB93C24475979E9521] 344ms

 

I am not sure what the issue is, appreciate your kind suggestions.

 

Thanks.

Accepted Solutions
jacek
Reliable Contributor
Message 6 of 7

Re: Unable to set file reputation using API

I know that you asked 3 weeks ago, but posting this also for others.

 

The SHA256 hash in your example was: 688787D8FF144C502C7F5CFFAAFE2CC588D86079F9DE88304C26B0CB99CE91C6

You should first split this string to hex (add a space every 2 chars), then decode it from hex, then encode to base64.

I have made a CyberChef script to simplify testing:

 

Encoding hash to its hex and base64 encoded:

 

gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Regex','string':'(.%7B2%7D)'%7D,'$1%20',true,false,true,false)From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')&input=Njg4Nzg3RDhGRjE0NEM1MDJDN0Y1Q0ZGQUFGRTJDQzU4OEQ4NjA3OUY5REU4ODMwNEMyNkIwQ0I5OUNFOTFDNg

 

Or, if someone would like to load the recipe in CyberChef themselves (on the CyberChef page, click on the "Load recipe" icon in the "Recipe" window):

 

Find_/_Replace({'option':'Regex','string':'(.{2})'},'$1 ',true,false,true,false)
From_Hex('Space')
To_Base64('A-Za-z0-9+/=')

 

 

To decode to its hash value: decode base64, then convert to hex value and remove spaces:

 

gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)To_Hex('Space',0)Find_/_Replace(%7B'option':'Simple%20string','string':'%20'%7D,'',true,false,true,false)&input=YUllSDJQOFVURkFzZjF6L3F2NHN4WWpZWUhuNTNvZ3dUQ2F3eTVuT2tjWT0

 

Or, if someone would like to load the recipe in CyberChef themselves:

 

From_Base64('A-Za-z0-9+/=',true,false)
To_Hex('Space',0)
Find_/_Replace({'option':'Simple string','string':' '},'',true,false,true,false)

 

 

View solution in original post
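
The conversion described in the accepted answer, as an added Python example that is not part of the original posts or of McAfee's code: it encodes a hex digest as the base64 of its raw bytes, repairs a value where base64 was applied to the hex text (the asker's case), and percent-encodes the fileReps JSON. The function names are assumptions; the hash, the asker's value, the endpoint path and the reputation value are taken from the thread.

```python
import base64
import json
import string
from urllib.parse import quote

DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}  # raw digest sizes

# Values quoted in the thread
HEX_SHA256 = "688787D8FF144C502C7F5CFFAAFE2CC588D86079F9DE88304C26B0CB99CE91C6"
ASKER_VALUE = ("Njg4Nzg3RDhGRjE0NEM1MDJDN0Y1Q0ZGQUFGRTJDQzU4OEQ4"
               "NjA3OUY5REU4ODMwNEMyNkIwQ0I5OUNFOTFDNg==")


def hex_to_b64(hex_digest, algo="sha256"):
    """Hex text -> raw digest bytes -> base64 (the accepted answer's recipe)."""
    raw = bytes.fromhex(hex_digest.strip())  # ValueError on non-hex input
    if len(raw) != DIGEST_BYTES[algo]:
        raise ValueError(f"{algo} needs {DIGEST_BYTES[algo]} bytes, got {len(raw)}")
    return base64.b64encode(raw).decode("ascii")


def b64_to_hex(value):
    """Inverse recipe: base64 -> raw bytes -> uppercase hex without spaces."""
    return base64.b64decode(value, validate=True).hex().upper()


def repair(value, algo="sha256"):
    """Return a valid value; re-encode if base64 was applied to the hex text."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) == DIGEST_BYTES[algo]:
        return value  # already base64 of the raw digest
    text = raw.decode("ascii", errors="replace")
    if len(raw) == 2 * DIGEST_BYTES[algo] and all(c in string.hexdigits for c in text):
        return hex_to_b64(text, algo)
    raise ValueError("not a raw digest and not the hex text of one")


def build_request_path(file_reps):
    """Percent-encode the JSON array, including '/', '+' and '=' from base64."""
    payload = json.dumps(file_reps, separators=(",", ":"))
    return "/remote/tie.setReputations?fileReps=" + quote(payload, safe="")


if __name__ == "__main__":
    fixed = repair(ASKER_VALUE)
    print(b64_to_hex(fixed))
    print(build_request_path([{"sha256": fixed, "reputation": "50"}]))
```

Passing `safe=""` to `quote` matters here because base64 output can contain `+` and `/`, and an unescaped `+` in a query string is read as a space by form-style parsers.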

6 Replies
aguevara
Employee
Message 2 of 7

Re: Unable to set file reputation using API

I don't see what's wrong either; that's what I normally do. For instance, this is what it looks like for a test file (yours is different, as I understood you removed sensitive data):

/remote/tie.setReputations?fileReps=%5B%7B%22name%22%3A%22test.exe%22%2C%0A%20%20%22sha1%22%3A%22udrarummyjtffybxaflkxzjhpao%3D%22%2C%0A%20%20%22md5%22%3A%22gixbyabniwsaanqznfufxe%3D%3D%22%2C%0A%20%20%22sha256%22%3A%22icidutgqksorrzjvqsepfmkyiambtbufcckwarjmqth%3D%3D%22%2C%0A%20%20%22reputation%22%3A%2299%22%7D%5D

If you have tried restarting the ePO services and have a more recent extension, please open a case with support so we can take a look.

Regards

Alejandro

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

 

Alhizabi
Level 8
Message 3 of 7

Re: Unable to set file reputation using API

Thank you Alejandro for your answer,

 

Thanks to your example, it seems that my base64 is not encoded correctly; maybe I am not using the right tool or correct character set.

 

If I may ask, what tool & character set did you use to convert the hashes in your example above?

 

Thanks in advance.

 

aguevara
Employee
Message 4 of 7

Re: Unable to set file reputation using API

I normally use:


onlinejsontools.com/url-encode-json

Regards

Alejandro


Alhizabi
Level 8
Message 5 of 7

Re: Unable to set file reputation using API

Hi Alejandro,

Can you please tell me how you converted the hashes to base64? I am not able to decode it with my decoder; it gives me random strings. However, it seems that your way is working with the API; maybe I am missing something...

 

Thanks

Alhizabi
Level 8
Message 7 of 7

Re: Unable to set file reputation using API

Thank you @jacek for the detailed solution! I have been trying to get my head around this for the past three weeks 😊.

 

I also really appreciate your CyberChef scripts; they help a lot.

 

It is sad that these major steps are not shown there in the documentation page...

 

 
