Gravity Zone Software Execution Policy Bypass

Moisés Cerqueira
Moisés Cerqueira Network Security Analyst | Threat Hunter

Hi guys, all right? During the last week, I've been testing some features of GravityZone and one of them was the program execution blocking policy.

From what I verified, we can block the execution of a software both by the absolute path and by the Hash (MD5/SHA).

I used an EDR test file without changes and it was blocked; however after I used the program "MD5-Hash-Changer" to change the hash value of the .exe, I was able to run it without major problems.

Is there any way to counter this technique?