Inconsistent Defender Search Results When Searching by Hash


I am seeing inconsistent search results in Defender when searching for a file by hash. I saved a file to my desktop and sent it via email. I hashed the file with SHA1, SHA256, and MD5 algorithms. When I perform searches in https://securitycenter.windows.com/ for the MD5 hash, the search completely fails. When I search using the SHA256 hash for the same file, the search completes but finds no results. If I search for the SHA1 value for the same file, the file is found, and it lists the SHA256 and MD5 values for the file that previously yielded no results or failed.

If I do the same searches in the M365 portal (https://security.microsoft.com), the MD5 search still fails. The SHA256 search finds an occurrence of the file in email, but the result doesn't show any results for the file on endpoints. Searching for the SHA1 hash of the file again finds the file on the endpoint and email and also lists the corresponding SHA256 and MD5 but doesn't show any email results.

Has anyone encountered the same issue? This seems to be a bug in Microsoft's platform.

1 Reply

Microsoft support has confirmed that MD5 searching is currently not working at all as indicated by the error message. They have also confirmed that searching using SHA256 may produce inconsistent results. For the time being they have suggested only searching using SHA1.