cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13418
Views
5
Helpful
9
Replies

AMP Exclusion and Application Whitelisting

Hello AMP Team,

 

Trying to understand the difference between AMP Exclusion and Application Whitelist. 

 

When we would add an application/path or other

1 Accepted Solution

Accepted Solutions

Troja007
Cisco Employee
Cisco Employee

Hello @balakrishnanbipin1,
enclosed a short summary: 

  • Scan Exclusions: Files/Path is not scanned, not hashed - related to any engine doing file scanning. 
  • Process Exclusion: Anything done by a running process is not scanned. 
  • Application Whitelisting: has an impact on two things
    • Behavioral Engines (e.g. Machine Learning) exclude the hash
    • The connector does no cloud lookup for the hash
  • Engine specific process exclusions: The exclusion works for a specific engine

Greetings,
Thorsten

View solution in original post

9 Replies 9

Troja007
Cisco Employee
Cisco Employee

Hello @balakrishnanbipin1,
enclosed a short summary: 

  • Scan Exclusions: Files/Path is not scanned, not hashed - related to any engine doing file scanning. 
  • Process Exclusion: Anything done by a running process is not scanned. 
  • Application Whitelisting: has an impact on two things
    • Behavioral Engines (e.g. Machine Learning) exclude the hash
    • The connector does no cloud lookup for the hash
  • Engine specific process exclusions: The exclusion works for a specific engine

Greetings,
Thorsten

Thanks Thorsten for the details. Appreciate it.

 

Example : "HostMachine detected but did not block (Audit mode) access to lsass.exe by MicrosoftDependencyAgent.exe"

 

To be more clear, if I have to Whitelist the Microsoft DependencyAgent, I did a right click and add to Application Whitelist in Outbreak filter. Is this a recommended solution or would I need to add the hash value under Exclusion System Process Exclusion

 

Need your advice.

 

 

Hello @balakrishnanbipin1,
it depends what was exactly detected and which Threat Type was detected. If you add the Application (hash) to the whitelist.

  • All File scanning is still done
  • There is no Cloud lookup done for the hash
  • Behavioral protection engine is still generating the Event Stream for the Engine
  • Machine Learning will exclude the hash

What Event Type have you seen in your console?

Hi,

 

That's a System Process Execution.

Hi Thorsten,

 

could you help me with issue we are facing? We use PatchMyPC-ScriptRunner.exe tool for software deployment/checks and this tool is creating a records in the registry similar to:

 

\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XYZ.exe

 

Cisco CSE is generating events due to the registry changes - The registry was updated to add a debugger to the key: Image File Execution Options.

 

Is there any way how to either mute or whitelist this activity? We have confirmation that usage of this tool is needed and necessary and that it is legitimate tool. 

 

I've tried to add the hash to the application whitelist + create file scan exclusion, but we still receive events. Based on the event the detection was made by behavioral engine.

 

I would appreciate any help.

 

thanks

marcel

Hello @jmarcel2 ,
I assume the Backend is generating CloudIOC events here. If this is the case, you may open a TAC case, so we add an exclusions for you. BTW, we are already working on a solution, so customers can generate CloudIOC exclusions.

Greetings, Thorsten

Exclusions are "dont scan here", directory locations.
Application Whitelist is let this app run.


Can I whitelist some specific application to run, and block everything else!!

Hello @Sky.w3lker,

no, such application management or integrity monitoring is actually out of focus for Secure Endpoint.

Greetings,
Thorsten