I've been doing it all day and still can't find a solution..
I'm working with SA 7.3.4.
configured custom hash list via this guide -> https://origin-symwisedownload.symantec.com/resources/webguides/security_analytics/7.2/platform_webguide/desktop/ENG/Data_Enrichment/Providers/custom_hash_list.htm
now after I send a test file that I have entered to this list I can see in the reputation that custom hash list VERDICT=10
I have tried to create a rule (with syslog and mail alerts) that will catch all this "black" files..
hope you guys can help :)