topic Re: AMP - False Positive in Endpoint Security https://community.cisco.com/t5/endpoint-security/amp-false-positive/m-p/3822272#M3087 <P>If that is IOC event then it can't be excluded or whitelisted, only muted. To suppress these alerts it is required to globally mute the IOC in the dashboard. To do so login to your AMP console, go to Dashboard &gt; navigate to bottom &gt; Compromise Events Types &gt; you will see a bell icon &gt; find the IOC you would like to mute and click that. More details:</P> <P><A href="https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf#G3.1750717" target="_blank">https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf#G3.1750717</A></P> <P>&nbsp;</P> <P>Disadvantage: mute of such event, will trigger mute as well for not false-positives.</P> <P>&nbsp;</P> <P>Hope that helps,<BR />-Wojciech</P> Tue, 19 Mar 2019 18:13:58 GMT Wojciech Cecot 2019-03-19T18:13:58Z AMP - False Positive https://community.cisco.com/t5/endpoint-security/amp-false-positive/m-p/3816562#M3083 <P>So I have a user using excel with a macro/script and AMP keeps flagging&nbsp;<STRONG>VBA.ObfDldr.1.Gen</STRONG>&nbsp;How can I whitelist this file so it's not alerting 100x a day. The hash changes when they use the file.&nbsp; &nbsp;</P> Fri, 21 Feb 2020 05:08:16 GMT https://community.cisco.com/t5/endpoint-security/amp-false-positive/m-p/3816562#M3083 LoTeK 2020-02-21T05:08:16Z Re: AMP - False Positive https://community.cisco.com/t5/endpoint-security/amp-false-positive/m-p/3822272#M3087 <P>If that is IOC event then it can't be excluded or whitelisted, only muted. To suppress these alerts it is required to globally mute the IOC in the dashboard. To do so login to your AMP console, go to Dashboard &gt; navigate to bottom &gt; Compromise Events Types &gt; you will see a bell icon &gt; find the IOC you would like to mute and click that. More details:</P> <P><A href="https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf#G3.1750717" target="_blank">https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf#G3.1750717</A></P> <P>&nbsp;</P> <P>Disadvantage: mute of such event, will trigger mute as well for not false-positives.</P> <P>&nbsp;</P> <P>Hope that helps,<BR />-Wojciech</P> Tue, 19 Mar 2019 18:13:58 GMT https://community.cisco.com/t5/endpoint-security/amp-false-positive/m-p/3822272#M3087 Wojciech Cecot 2019-03-19T18:13:58Z