topic Re: Reverse AMP File Conviction in Endpoint Security https://community.cisco.com/t5/endpoint-security/reverse-amp-file-conviction/m-p/4412460#M6153 <P>Hello,</P> <P>&nbsp;</P> <P>You might need to check on the event details to see which engine (such as MAP or Exprev etc.) is blocking the application.</P> <P>You can try and make any of the below methods to avoid any conviction for the files:</P> <P>&nbsp;</P> <UL> <LI><STRONG>Scan Exclusions:</STRONG><SPAN>&nbsp;</SPAN>Files/Path is not scanned, not hashed - related to any engine doing file scanning.&nbsp;</LI> <LI><STRONG>Process Exclusion:</STRONG><SPAN>&nbsp;</SPAN>Anything done by a running process is not scanned.&nbsp;</LI> <LI><STRONG>Application Whitelisting:</STRONG><SPAN>&nbsp;</SPAN>has an impact on two things <UL> <LI>Behavioral Engines (e.g. Machine Learning) exclude the hash</LI> <LI>The connector does no cloud lookup for the hash</LI> </UL> </LI> <LI><STRONG>Engine specific process exclusions:</STRONG><SPAN>&nbsp;</SPAN>The exclusion works for a specific engine</LI> </UL> <P>&nbsp;</P> <P>I hope the above helps.</P> <P>&nbsp;</P> <P>Cheers,</P> <P>Pratham</P> Thu, 03 Jun 2021 09:06:06 GMT ppreenja 2021-06-03T09:06:06Z Reverse AMP File Conviction https://community.cisco.com/t5/endpoint-security/reverse-amp-file-conviction/m-p/4406696#M6144 <P>Hey People,</P><P>&nbsp;</P><P>My Engineering department makes custom applications, and uses GIT sources for applications. Most of the time they're doing things as will, and AMP is convicting these applications as Malicious before I can whitelist the applications. How can i reverse the convictions? Adding the applications to the application allowed list doesn't stop the AMP from blocking them and quarantining the applications.</P><P>&nbsp;</P><P>Any help would be appreciated, thanks.</P> Fri, 21 May 2021 15:31:31 GMT https://community.cisco.com/t5/endpoint-security/reverse-amp-file-conviction/m-p/4406696#M6144 ITGuyCSI25 2021-05-21T15:31:31Z Re: Reverse AMP File Conviction https://community.cisco.com/t5/endpoint-security/reverse-amp-file-conviction/m-p/4412460#M6153 <P>Hello,</P> <P>&nbsp;</P> <P>You might need to check on the event details to see which engine (such as MAP or Exprev etc.) is blocking the application.</P> <P>You can try and make any of the below methods to avoid any conviction for the files:</P> <P>&nbsp;</P> <UL> <LI><STRONG>Scan Exclusions:</STRONG><SPAN>&nbsp;</SPAN>Files/Path is not scanned, not hashed - related to any engine doing file scanning.&nbsp;</LI> <LI><STRONG>Process Exclusion:</STRONG><SPAN>&nbsp;</SPAN>Anything done by a running process is not scanned.&nbsp;</LI> <LI><STRONG>Application Whitelisting:</STRONG><SPAN>&nbsp;</SPAN>has an impact on two things <UL> <LI>Behavioral Engines (e.g. Machine Learning) exclude the hash</LI> <LI>The connector does no cloud lookup for the hash</LI> </UL> </LI> <LI><STRONG>Engine specific process exclusions:</STRONG><SPAN>&nbsp;</SPAN>The exclusion works for a specific engine</LI> </UL> <P>&nbsp;</P> <P>I hope the above helps.</P> <P>&nbsp;</P> <P>Cheers,</P> <P>Pratham</P> Thu, 03 Jun 2021 09:06:06 GMT https://community.cisco.com/t5/endpoint-security/reverse-amp-file-conviction/m-p/4412460#M6153 ppreenja 2021-06-03T09:06:06Z