
False positives from Cisco AMP

tyler.johnson
Level 1

We have a downloadable executable that is being flagged. It is a signed Windows executable. Is it possible to register with Cisco as a whitelisted vendor so that executables with our signature don't trigger false positives? Is there any other option to prevent alarming the end user?

4 Replies

yogdhanu
Cisco Employee

Hi

You can add the SHA value of that to the whitelist in your policy. If you believe the file is not malicious at all and should not be marked malicious globally, please open a TAC case to request FP analysis.

Hope it helps,

Yogesh

Global passing is what I'm interested in because I'm not a Cisco customer. I'm the creator of the file that is being flagged.

How would I go about opening a TAC case?

Aside from focusing on a specific file, is there a way to submit a signature to Cisco so that any file signed with that signature can pass as not malicious?

Hello Tyler

If you think the file is not malicious, then you can add it to the whitelist option and you can allow this file in your environment. But if you are looking for a global passing, then Cisco TALOS will have to review the file and update the disposition only if the file is not malicious or not showing any high threat score. If the file is not showing any malicious behaviour, then TALOS will do the needful. As an initial step, you can open the case with Cisco TAC and they will involve the TALOS team to verify the same. Please provide the file sample along with the SHA value while opening the case with Cisco TAC.

Regards

Jetsy

How do I open a case with Cisco TAC?

I tried calling Cisco support on the phone and they wouldn't help since I'm not a Cisco customer.