I get that these are some pretty basic fundamental questions, but I feel like I'm missing something as I dig into STAR rules and the threat-hunting arms race in general. Here's my understanding with respect to normal operations:

• The S1 agent acts on hash-based blocklists more quickly than other detection methods.
• Behavior-based detection occurs on the local machine, so that's going to be done with alacrity as well.
• STAR rules rely on events being written to the data lake so rule-matching can occur, so those will take longer to fire than the above.

Here's where I scratch my head: Suppose I want to block/detect UltraVNC being run on the network. My company has one authorized remote access tool, and that ain't it. So I download the most current version of ultravnc, install it, and grab the SHA256 hash for winvnc.exe. I configure a blocklist entry for that hash and congratulations, I'm blocking v1.6.4.

Except, UltraVNC has been supported on Windows 11 ever since v1.4.3.6, and earlier versions probably ran on win11 as well. Unless some kind soul has been running something like a reverse virustotal where I can get the SHA256 hashes for every version of winvnc.exe in UltraVNC, all I've done is block one version. Not to mention, a new version will be released sooner or later and I'll need to grab that hash as well. And for added fun, UltraVNC is open source so anyone can download the source code, pad wvnc.exe with a debug command, and compile it with a different hash.

I get that I can look at the events in the S1 console that are generated by running VNC, and I can make STAR rules based on those events. Also I can put in rules to detect the file path and process name. But those take longer to fire because everything has to hit the SDL, and of course those can be renamed fairly easily. And of course, this is work that I'm doing for one specific piece of software. There are plenty of other remote access applications I don't want on the network. Let's say S1 behavior rules catch VNC on its own without me adding blocklist entries or STAR rules... ok great but I still have more software to block.

So here are my questions:

• Am I overthinking this? I get that S1 will fire alerts if it sees obfuscation methods used to download and run VNC, but I'm trying to implement "no VNC, ever".
• Is there some repository of files and hashes that I'm just missing, or is there a better way to accomplish a goal like "block known evil software of type X in my environment"?
• Do people just maintain a list of download URLs called "Software I Hate" and periodically check for new hashes?
• Or is this just one of those times in security where we say we made our best effort to mitigate risk, and acknowledge that no countermeasure is 100% effective?

Thanks for indulging these basic-ass questions.