Blocking bad hashes prevents further propagation of an attack by blocking potentially malicious processes or files by their hash values. All EDR vendors block execution of a process by its hash. Some vendors also prevent the file itself from being read or written. Some vendors ban shared libraries (DLLs), but not all vendors do this.
Some EDR vendors refer to this action as ‘application blocking’, ‘ban hashes’, ‘blacklist hashes’, or even ‘indicator-based file blocking’. Depending on the vendor and the endpoint system, there can also be a couple of minutes of latency between the time the action is taken and the prevention actually being in place.
We rely on the context you provide when setting up auto-remediation. You specify which assets should never be blocked (the deny list). Bad hashes are blocked for the malicious hashes identified during an investigation.
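As an added illustration of the decision described above (not code from the vendor or the Workbench platform), the following models a hash-block policy: hashes banned during an investigation, a list of assets that are never blocked, and a vendor-dependent flag for whether DLLs can be banned at all. The hostnames and file bytes are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class HashBlockPolicy:
    # SHA-256 digests banned during an investigation
    blocked_sha256: set = field(default_factory=set)
    # assets the customer has marked as never to be auto-remediated
    never_block_assets: set = field(default_factory=set)
    # vendor-dependent: not every EDR can ban shared libraries (DLLs)
    blocks_dlls: bool = False

    @staticmethod
    def digest(file_bytes: bytes) -> str:
        return hashlib.sha256(file_bytes).hexdigest()

    def ban(self, file_bytes: bytes) -> str:
        """Record a malicious file's hash; returns the digest that was banned."""
        d = self.digest(file_bytes)
        self.blocked_sha256.add(d)
        return d

    def decide(self, hostname: str, file_bytes: bytes, is_dll: bool = False) -> str:
        """Return 'block' or an 'allow:<reason>' string explaining why no block occurs."""
        if hostname in self.never_block_assets:
            return "allow:never-block-asset"      # customer exemption wins
        if self.digest(file_bytes) not in self.blocked_sha256:
            return "allow:hash-not-banned"        # exact-match only: any byte change is a new hash
        if is_dll and not self.blocks_dlls:
            return "allow:dll-blocking-unsupported"
        return "block"


# Constructed sample data, not real malware.
SAMPLE_MALWARE = b"MZ\x90\x00constructed-sample-payload"
POLICY = HashBlockPolicy(never_block_assets={"dc01.corp.example"})
BANNED_DIGEST = POLICY.ban(SAMPLE_MALWARE)


def decisions() -> dict:
    """Evaluate the same banned bytes across the situations the text describes."""
    return {
        "workstation": POLICY.decide("ws-042.corp.example", SAMPLE_MALWARE),
        "exempt_asset": POLICY.decide("dc01.corp.example", SAMPLE_MALWARE),
        "as_dll": POLICY.decide("ws-042.corp.example", SAMPLE_MALWARE, is_dll=True),
        # one changed byte no longer matches the banned hash
        "modified_copy": POLICY.decide("ws-042.corp.example", SAMPLE_MALWARE + b"\x00"),
    }
```

The last case is the practical caveat of hash-based blocking: it stops exact copies only, so it is a containment step, not a substitute for behavioural detection.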
We automate the remediation action itself, not the decision to remediate. Our analysts make the call on when and what to remediate, based on the settings you specify. You can also undo any remediation by clicking the Undo button in Workbench. This keeps you in control of your environment.