topic When I build a new .exe CISCO Secure Endpoint quarantines the new .exe in User and Endpoint Protection

When I build a new .exe CISCO Secure Endpoint quarantines the new .exe

simon.fuller — Mon, 21 Feb 2022 05:54:05 GMT

I'm a developer, when I compile/link a new programs (.exe) using Visual Studio, the new .exe is built, but CISCO Secure Endpoint quarantines (deletes) the new .exe
What do I have to ask my IT department to do to allow me to build new .exe files for my work?
Maybe I should just remove CISCO Secure Endpoint if it can't allow developers to do their work.
But then IT might have find another application to do security.
I think whitelisting is a vitally important security feature, but I don't think the authors of CISCO Secure Endpoint have really thought through the implementation for developers.

Re: When I build a new .exe CISCO Secure Endpoint quarantines the new

Brian Sak — Tue, 01 Mar 2022 03:27:33 GMT

This behavior is unexpected. Unless it detects the newly create executable as a threat, it shouldn't quarantine it. In your AMP for Endpoints Connector there should be a log that shows why a specific file was deleted/quarantined. If it's misclassifying your new executable, you can have your IT department omit specific directories that you can then use to create and build your new apps.

Re: When I build a new .exe CISCO Secure Endpoint quarantines the new

simon.fuller — Tue, 01 Mar 2022 03:39:20 GMT

Hi Brian,
The CISCO Secure Endpoint logs indicate:
Detection Name: Gen:Variant.Bulz.372626
File Path:
Installed By: C:\Program Files(x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Roslyn\VBCSCompiler.exe
It's a simple command line program that writes a text argument to a log file.
WhiteListing is a really important security feature, but it has to allow programmers to create new programs.
Most IT support staff, don't every write their own programs, so they don't really understand how new programs get made. (Hint: They don't grow by themselves on a Cloud farm)

[cid:image001.png@01D82D79.6E114D30]
Si

Re: When I build a new .exe CISCO Secure Endpoint quarantines the new

Brian Sak — Tue, 01 Mar 2022 14:03:54 GMT

Agreed, this seems like a false positive. The administrator of your AMP installation can either put in an exemption for that particular threat or they can exempt your working directory altogether. More details can be found here: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215418-configure-and-manage-exclusions-in-cisco.html