AMP for Endpoints Simple Custom Detection quarantine event missing

Paladin — Thu, 30 Sep 2021 18:19:51 GMT

According to Cisco Secure Endpoint documentation:

” A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect and quarantine. Not only will an entry in a Simple Custom Detection list quarantine future files, but through Retrospective it will quarantine instances of the file on any endpoints in your organization that the service has already seen it on.”

I have added the hash SHA 256 49ebb7feff3bde78611e87adf6cf34b980284e8401c413f409dbb9e3b6d0b642 to Simple Custom Detection list. Cloud IOC: ExecutedMalware.ioc alert is still appearing. File is being detected by Simple_Custom_Detection and The file was not quarantined. Quarantine event missing message generates. Benign parent disposition is mentioned. Node belongs to protect policy with conviction modes listed below. Can someone please provide tips on how can I force quarantine?

Operating System Connector Version Install Date Definition Version Update Server

Windows 8.1 Enterprise
7.4.5.20701
2021-08-05 17:44:36 UTC

TETRA 64 bit (daily version: 85783)
tetra-defs.amp.cisco.com

driverupdate.exe, DriverUpdate 5.7.0.0 (49ebb7fe…b6d0b642)[PE_Executable] was Executed by explorer.exe, Microsoft® Windows® Operating System 6.3.9600.18460 (d2faf086…20844fae)[PE_Executable] .

Detected as Simple_Custom_Detection.

The file was not quarantined. Quarantine event missing.

Benign parent disposition.

File full path: c:\program files\driverupdate\driverupdate.exe

File SHA-1: 0a555ca92f6bebb71a511fd413d6a89c3cc8da3b.

File MD5: 3e63ff39aa3392d6865543f97bd3613f.

File size: 32502872 bytes.

File signed by Slimware Utilities Holdings, Inc. with certificate serial 3063b3a740c1cdfdf8bb9e6c331ad7de from VeriSign Class 3 Code Signing 2010 CA. Expired 23:59:59, Mon Jan 7 2019 UTC.

File cert MD5: 51d9a726e9b891ddd3171aa8cbc0e5c4.

File cert SHA-1: 33e24fe66e0117fdd4278699ad423ef2669fd258.

Parent file SHA-1: b642e9fcfac93f219d07bb6d530eb1de9efeb511.

Parent file MD5: ed6b4c95e2a6d67480b9dbb8a8e7d9b4.

Parent file size: 2755504 bytes.

Parent file signed by Microsoft Windows with certificate serial 33000000bce120fdd27cc8ee930000000000bc from Microsoft Windows Production PCA 2011. Expired 17:15:28, Fri Nov 18 2016 UTC.

Parent file cert MD5: 747a40b8593fdb7977bf60ba6f06778b.

Parent file cert SHA-1: e85459b23c232db3cb94c7a56d47678f58e8e51e.

topic AMP for Endpoints Simple Custom Detection quarantine event missing in Endpoint Security

AMP for Endpoints Simple Custom Detection quarantine event missing