A question from our Security Enginneer dealing with the VIE & INSIGHT CACHE Server:
When the VIE vietool. C: --generate --hash it sets a file attribute and sends hash values to the SIC.
Why would you want to use --hash to send to the SIC when the attribute should stop it from being further analyzed.
His concern is wasting cache space and redundant file exceptiosn and how to best utlize the space in the cache.
Is this a valid question?
If the hash changes, it means the file has been modified in some way (possibly compromised or tampered with by malware).
As per http://www.symantec.com/docs/TECH172218 - the hash is being send to SIC only when the -hash attribute is being used. By default for the files marked as clean the hash is not being forwarded to SIC. As mentioned by Brian this informaiton may be useful if the hash changes.