Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2649
Views
0
Helpful
6
Replies

Issues excluding a custom application from being scanned

Marius Gunnerud
VIP
VIP

‎09-15-2016 06:57 AM - edited ‎02-20-2020 09:01 PM

As the title  says, I am having problems excluding a custom application from being scanned.  I have added the file path with a wild card (*) as well as the .exe file location (just for testing) without success.  Once the application is installed it is scanned and some components deleted.  the install location is under "Users" and not Program Files.  I am starting to think that it is installing some files elsewhere as well.

C:\Users\*\Mapis Data Input Tool

Any ideas what might be going wrong? is my syntax incorrect for the exclusion? or perhaps I should be placing this under Path instead of Wildcard?

--
Please remember to select a correct answer and rate helpful posts
Labels:
0 Helpful
6 Replies 6

aledipas
Cisco Employee
Cisco Employee

‎09-15-2016 07:07 AM

The exclusion looks like a valid wildcard. Be sure that your endpoint policy has actually updated and has the exclusion you have added to your list (you can check this under the settings in the UI).

If you have any detection events you will want to compare those against you exclusion to be sure that multiple paths aren't in use.

Thanks

0 Helpful

george.seah
Level 1
Level 1

‎09-15-2016 08:36 PM

Hello Marius,

For application whitelisting, it will be better if you define under Outbreak Control > Application Control - Whitelisting. Upload the application file into the Cloud Console or you may add the SHA-256 value manually for file exclusion.

0 Helpful

Marius Gunnerud
VIP
VIP
In response to george.seah

‎09-15-2016 11:43 PM

Thank you for your replies and suggestions.  I wont be able to test any of this until Monday, but will get back to you then with an update.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Marius Gunnerud
VIP
VIP
In response to george.seah

‎09-28-2016 07:24 AM

I tried adding the SHA value under application control whitelisting but did not work.  what happens is that I install the program via a .exe file and then once installed and I try to run it, it gets blocked.

I hope to get some more time tomorrow to test possible solutions.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Matthew Franks
Cisco Employee
Cisco Employee
In response to Marius Gunnerud

‎10-06-2016 06:01 AM

Marius,

Were you able to perform additional testing and check the detection events as Alex suggested?  

Thanks,

-Matt

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Matthew Franks

‎10-06-2016 06:05 AM

I have not yet had time to check the detection events.  I have however added the two sha values that were shown as blocked to whitelist. without any success.

I have been swamped with other cases which have taken priority over this so I will be coming back to this once the load lightens.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents