AMP Detects Itself as a Threat

phonehome
Level 1

I was recently trying to upgrade one of our machines from AMP version 6.0.9 to 6.2.3. AMP quarantined the setup file and detected it as W32.Generic.Malware. So I uninstalled the old version, restarted and installed the new version. As soon as I did that, I started getting more alerts that the setup file was detected as malware. What is going on here?

3 Replies

Troja007
Cisco Employee

Hello @phonehome,

yes, this ........ :-/
Can you please share the SHA256 hash of the file with me?

As a workaround, add the hash to the application whitelist and add an exclusion by SHA256. I'm on a business trip until the end of August. You may also open a TAC case for this. It would also be great to see a screenshot of the event.

Finally, to take a look in any way, I need at least the hash value of the file.

Greetings,

Thorsten

Quick question: why would he have to add the file to the application whitelist if he is excluding it? As I understand it, if you whitelist a file it will still generate an event but will be allowed to execute, but if you exclude it, it is just allowed and no event is generated. Am I correct in this?

Hello @Jim2k,

adding the installer to the whitelist was a workaround for the problem shown in this article. Normally, this should not be necessary. Based on my testing, the downloaded AMP connector Setup is not signed by a certificate, and is handled like every other unknown executable on the system.

The PE itself must be unique, because the included files like the policy, group ID and so on are always unique.

Application Whitelisting allows the file to be executed, if dynamic analysis detects activity. I have to check regarding the events.

Greetings,

Thorsten
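The two claims in the reply above (the downloaded connector installer is not signed, and every download is a unique PE) can be checked on the endpoint before deciding on a whitelist entry or SHA256 exclusion. The snippet below is an added example, not code from the thread or from Cisco; the file paths are assumptions, and the cmdlets used are standard Windows PowerShell.

```powershell
# Added example (not from the thread): report the Authenticode status and
# SHA256 of one or more downloaded AMP connector installers, so the hash can
# be shared with TAC or used for a per-file SHA256 exclusion.
function Get-InstallerTrustInfo {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        # SHA256 is what the thread asks for and what the exclusion keys on
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        # Status 'NotSigned' matches the finding above; 'Valid' would mean
        # a trusted Authenticode signature is present
        $sig = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            File      = Split-Path -Leaf $file
            SHA256    = $hash
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Assumed paths: two downloads of the same connector version. Because each
# download embeds its own policy and group data, the hashes are expected to
# differ, so a SHA256 exclusion has to be repeated for every download.
$installers = 'C:\Downloads\amp_Setup_first.exe', 'C:\Downloads\amp_Setup_second.exe'
$info = Get-InstallerTrustInfo -Path $installers
$info | Format-Table -AutoSize

if (($info.SHA256 | Select-Object -Unique).Count -gt 1) {
    Write-Warning 'Installer hashes differ between downloads: each SHA256 needs its own exclusion.'
}
if ($info.SigStatus -contains 'NotSigned') {
    Write-Warning 'At least one installer is unsigned and will be treated like any unknown executable.'
}
```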
