Inconsistent Defender Search Results When Searching by Hash

I am seeing inconsistent search results in Defender when searching for a file by hash. I saved a file to my desktop and sent it via email. I hashed the file with SHA1, SHA256, and MD5 algorithms. When I perform searches in https://securitycenter.windows.com/ for the MD5 hash the search completely fails. When I search using the SHA256 hash for the same file the search completes but finds no results. If I search for the SHA1 value for the same file, the file is found, and it lists the SHA256 and MD5 values for the file that previously yielded no results or failed.

 

If I do the same searches in the M365 portal (https://security.microsoft.com) the MD5 search still fails. The SHA256 search finds an occurrence of the file in email but the result doesn't show any results for the file on endpoints. Searching for the SHA1 hash of the file again finds the file on the endpoint and email and also lists the corresponding SHA256 and MD5 but doesn't show any email results.

 

Has anyone encountered the same issue? This seems to be a bug in Microsoft's platform.

4 Replies

Microsoft support has confirmed that MD5 searching is currently not working at all as indicated by the error message. They have also confirmed that searching using SHA256 may produce inconsistent results. For the time being they have suggested only searching using SHA1.

Has there been an update on this issue?
This is quite problematic and it would be nice to see a post resolving the matter??

@Deleted I think this is still the case; the resolution seems to be to always use SHA1. At least, the API docs say to always use SHA1, and I have seen the same sort of inconsistent results searching with other hashes.

Thanks for the update.

Yes, this is a problem... especially given IOCs are usually given as SHA256.
My life just got more complicated.
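
For readers working around the SHA1-only search described in this thread, the following is an added example (not code from any poster or from Microsoft). It hashes files you already hold a copy of and maps each MD5 or SHA256 value to the matching SHA1. A hash cannot be converted to another algorithm without the file itself, so IOCs for files you do not have stay unresolved. The function names and the sample file are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def file_hashes(path, chunk_size=1 << 20):
    """Return the MD5, SHA1 and SHA256 of a file, reading it only once."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def build_index(root):
    """Map every MD5 and SHA256 seen under root to that file's SHA1."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                h = file_hashes(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable or vanished file: skip it
            index[h["md5"]] = h["sha1"]
            index[h["sha256"]] = h["sha1"]
    return index

def to_sha1(iocs, index):
    """Split IOC hashes into ({ioc: sha1}, [unresolved iocs])."""
    resolved, unresolved = {}, []
    for ioc in iocs:
        key = ioc.strip().lower()
        if len(key) == 40:        # 40 hex characters: already a SHA1
            resolved[ioc] = key
        elif key in index:        # MD5 or SHA256 of a file we hold
            resolved[ioc] = index[key]
        else:
            unresolved.append(ioc)
    return resolved, unresolved

def demo():
    """Constructed sample: one file containing b'abc' and two SHA256 IOCs."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sample.bin"), "wb") as fh:
            fh.write(b"abc")
        known = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
        return to_sha1([known, "0" * 64], build_index(root))

if __name__ == "__main__":
    print(demo())
```

Anything left in the unresolved list has no local copy to hash, so its SHA1 has to come from whoever supplied the indicator.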