AMP for Endpoints false positive - Outlook .tmp files

ksleighter
Level 1

The most consistent false positive I get in AMP for Endpoints is .tmp files from Outlook. Here is an example below. I'd like to be able to create some kind of exclusion to ignore this type of event. My thought was to make a process exclusion for Outlook, but I'm not sure how much that opens me up to ignoring actual malware events. If a user has a malicious attachment in an email and opens it, the activation would be associated with some process other than Outlook, correct?

Thanks in advance
Detected Doc.Dropper.Valyria.95.sbx.tg within tmpCB94.tmp (fedc4c62…c403b49f)[Binary Data] . Detected inner file (7c180005…4c5b13d0)[MS OLE2 CF].
Created by OUTLOOK.EXE (00000000…00000000)[Unknown] executing as USER@DOMAIN.
The file was not quarantined. Quarantined event missing.
File full path: C:\Users\USER\AppData\Local\Temp\tmpCB94.tmp
Parent file age: 10 seconds.
Parent process id: 7296.
Parent process SID: S-1-5-21-3884477466-3354684103-1223720769-17275.
Detected by the SHA engines.


Jetsy Mathew
Cisco Employee

Hello ksleighter

What is the connector version that is in use? If the user tries to open any malicious file, then AMP will inspect it and take action accordingly. It would be great if you could open a service request and provide the diagnostic logs so that we can suggest the best action plan.

Regards

Jetsy

AMP version - 6.1.3

I can open a service request if need be, but I didn't think it necessary. I don't have any actual malicious activity, just false positives from .tmp files created by Outlook in C:\Users\USER\AppData\Local\Temp\

My concern is if I whitelist Outlook as a process to stop these false positives from coming up. My assumption is that it should be fine because an actual malicious file in an email would be created/activated by a process that isn't Outlook. Unless I'm mistaken, which is what I'm asking. Just making sure I'm not opening myself up to security concerns. If I am, is there a better way to whitelist this action?

Hi,

You stated: "If a user has a malicious attachment in an email and opens it, the activation would be associated with some other process other than outlook, correct?"

The file opens in the associated application, e.g. Word. If the Word macro is malicious, then it can harm your computer. You should have file dynamic analysis configured in your AMP account to mitigate zero-day attacks.

Let me know if I answered your question.

David

Cyber security escalation engineer

Hello ksleighter

This will purely depend on the location where the attachment gets stored. I would recommend a path exclusion over a process exclusion in your case.

Regards

Jetsy
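To make the trade-off in the two answers above concrete, here is an added example (not code from the thread or from Cisco AMP) that replays three constructed detections, modelled on the event quoted in the question, against a broad process exclusion and a narrow path exclusion. The matching is a simplified stand-in: the `FileEvent` fields, the upper-cased process comparison and fnmatch wildcard semantics are assumptions of this example, not the product's actual exclusion syntax.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class FileEvent:
    """One AMP file detection, reduced to the fields an exclusion decision uses."""
    detection: str
    path: str
    parent_process: str


# Constructed sample events modelled on the Outlook .tmp detection quoted in the
# thread. Paths, user names and detection strings are illustrative placeholders.
SAMPLE_EVENTS = [
    # The false positive from the thread: Outlook's scratch copy of an attachment.
    FileEvent("Doc.Dropper.Valyria.95.sbx.tg",
              r"C:\Users\USER\AppData\Local\Temp\tmpCB94.tmp", "OUTLOOK.EXE"),
    # Same attachment saved by the user to Downloads: still written by Outlook.
    FileEvent("Doc.Dropper.Valyria.95.sbx.tg",
              r"C:\Users\USER\Downloads\invoice.doc", "OUTLOOK.EXE"),
    # Attachment already opened: a dropped payload is attributed to Word, not Outlook.
    FileEvent("Example.Dropper.Payload",
              r"C:\Users\USER\AppData\Local\Temp\payload.exe", "WINWORD.EXE"),
]


def process_exclusion(process_name):
    """Broad rule: suppress every detection whose creating process matches."""
    return lambda ev: ev.parent_process.upper() == process_name.upper()


def path_exclusion(pattern):
    """Narrow rule: suppress only detections whose path matches the wildcard pattern.
    fnmatch wildcard semantics are assumed here for illustration only."""
    return lambda ev: fnmatchcase(ev.path.lower(), pattern.lower())


def triage(events, exclusion):
    """Return (suppressed_paths, alerting_paths) for one candidate exclusion."""
    suppressed = [e.path for e in events if exclusion(e)]
    alerting = [e.path for e in events if not exclusion(e)]
    return suppressed, alerting


if __name__ == "__main__":
    rules = [("process exclusion OUTLOOK.EXE", process_exclusion("OUTLOOK.EXE")),
             ("path exclusion tmp*.tmp", path_exclusion(r"C:\Users\*\AppData\Local\Temp\tmp*.tmp"))]
    for label, rule in rules:
        suppressed, alerting = triage(SAMPLE_EVENTS, rule)
        print(f"{label}: suppressed={suppressed} still alerting={alerting}")
```

The Word-attributed detection keeps alerting under both rules, which is David's point, while the process exclusion also silences an Outlook-written file outside Temp, which is the over-reach that Jetsy's path exclusion avoids.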