Challenge 20: The Empty Hash Database

Easy Advanced Bypass Target: Rule 6

Objective

Discover that Rule 6 (hash-based detection) is disabled by default — without the --signatures flag, it has no hashes to compare against.

Scanner Behavior

Without --signatures, the signature database is empty:

var gSignatureHashes: seq[string] = @[]

proc ruleHashCheck(info: ProcessInfo): seq[Detection] =
  if gSignatureHashes.len == 0:
    return  # exits immediately — checks nothing

The banner displays this openly: [6] Hash-Based Detection (0 hashes) [EMPTY - use --signatures]

Rules

  • Start the EDR without the --signatures flag
  • Run any binary (malicious or not)
  • Confirm that Rule 6 never triggers
  • Explain why the rule is useless without signatures loaded

Hints

Hint 1 Look at the banner output — it tells you exactly how many signatures are loaded.
Hint 2 Without --signatures, gSignatureHashes is an empty sequence. The ruleHashCheck function returns immediately.
Hint 3 Even with --signatures loaded, there are still bypass techniques (Challenges 29-32). But without it, Rule 6 is pure security theater — it appears in the feature list but does absolutely nothing.