topic AMP Exclusion and Application Whitelisting in Endpoint Security

AMP Exclusion and Application Whitelisting

balakrishnanbipin1 — Thu, 06 May 2021 07:08:45 GMT

Hello AMP Team,

Trying to understand the difference between AMP Exclusion and Application Whitelist.

When we would add an application/path or other

Re: AMP Exclusion and Application Whitelisting

Troja007 — Thu, 06 May 2021 08:25:45 GMT

Hello @balakrishnanbipin1,
enclosed a short summary:

Scan Exclusions: Files/Path is not scanned, not hashed - related to any engine doing file scanning.
Process Exclusion: Anything done by a running process is not scanned.
Application Whitelisting: has an impact on two things
- Behavioral Engines (e.g. Machine Learning) exclude the hash
- The connector does no cloud lookup for the hash
Engine specific process exclusions: The exclusion works for a specific engine

Greetings,
Thorsten

Re: AMP Exclusion and Application Whitelisting

balakrishnanbipin1 — Thu, 06 May 2021 08:57:38 GMT

Thanks Thorsten for the details. Appreciate it.

Example : "HostMachine detected but did not block (Audit mode) access to lsass.exe by MicrosoftDependencyAgent.exe"

To be more clear, if I have to Whitelist the Microsoft DependencyAgent, I did a right click and add to Application Whitelist in Outbreak filter. Is this a recommended solution or would I need to add the hash value under Exclusion System Process Exclusion

Need your advice.

Re: AMP Exclusion and Application Whitelisting

Troja007 — Thu, 06 May 2021 12:07:47 GMT

Hello @balakrishnanbipin1,
it depends what was exactly detected and which Threat Type was detected. If you add the Application (hash) to the whitelist.

All File scanning is still done
There is no Cloud lookup done for the hash
Behavioral protection engine is still generating the Event Stream for the Engine
Machine Learning will exclude the hash

What Event Type have you seen in your console?

Re: AMP Exclusion and Application Whitelisting

Ken Stieers — Thu, 06 May 2021 12:14:13 GMT

Exclusions are "dont scan here", directory locations.
Application Whitelist is let this app run.

Re: AMP Exclusion and Application Whitelisting

balakrishnanbipin1 — Thu, 06 May 2021 13:52:25 GMT

Hi,

That's a System Process Execution.

Re: AMP Exclusion and Application Whitelisting

Sky.w3lker — Sun, 05 Sep 2021 19:43:30 GMT

Can I whitelist some specific application to run, and block everything else!!

Re: AMP Exclusion and Application Whitelisting

Troja007 — Mon, 06 Sep 2021 11:19:26 GMT

Hello @Sky.w3lker,

no, such application management or integrity monitoring is actually out of focus for Secure Endpoint.

Greetings,
Thorsten

Re: AMP Exclusion and Application Whitelisting

jmarcel2 — Wed, 20 Apr 2022 12:06:12 GMT

Hi Thorsten,

could you help me with issue we are facing? We use PatchMyPC-ScriptRunner.exe tool for software deployment/checks and this tool is creating a records in the registry similar to:

\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XYZ.exe

Cisco CSE is generating events due to the registry changes - The registry was updated to add a debugger to the key: Image File Execution Options.

Is there any way how to either mute or whitelist this activity? We have confirmation that usage of this tool is needed and necessary and that it is legitimate tool.

I've tried to add the hash to the application whitelist + create file scan exclusion, but we still receive events. Based on the event the detection was made by behavioral engine.

I would appreciate any help.

thanks

marcel

Re: AMP Exclusion and Application Whitelisting

Troja007 — Thu, 21 Apr 2022 10:54:10 GMT

Hello @jmarcel2 ,
I assume the Backend is generating CloudIOC events here. If this is the case, you may open a TAC case, so we add an exclusions for you. BTW, we are already working on a solution, so customers can generate CloudIOC exclusions.

Greetings, Thorsten