The reason for the failure is that detections for MD5 signatures must be configured in the advanced custom detection policies, not in the simple detection policy section. The simple detection policy section allows users to create a list of SHA-256 hashes of files that they want to block or quarantine on the endpoints. The SHA-256 hash is a more secure and unique identifier of a file than the MD5 hash, which can have collisions or duplicates. The advanced custom detection policy section allows users to create more complex and flexible rules to detect and block files based on various criteria, such as file name, size, type, signature, or MD5 hash. The advanced custom detection policy section also supports wildcards and regular expressions to match multiple files or patterns. Therefore, if the administrator wants to add specific MD5 signatures to the custom detection policy, they should use the advanced custom detection policy section instead of the simple detection policy section.
[References:, Configure a Simple Custom Detection List on the AMP for Endpoints Portal - Cisco, Step 4: On the Add SHA-256 option, paste the SHA-256 code previously collected from the specific file you want to block, as shown in the image., Create an Advanced Custom Detection List in Cisco Secure Endpoint - Cisco, Step 3: Next, Edit that new Signature Set, and Add Signature. Win.Exploit.CVE_2020_0601:1::06072A8648CE3D02010606072A8648CE3D020130., , ]
Submit