AMP Exclusion and Application Whitelisting

Hello AMP Team,

Trying to understand the difference between AMP Exclusion and Application Whitelist.

When we would add an application/path or other

Accepted Solution

Troja007
Cisco Employee

Hello @balakrishnanbipin1,
enclosed is a short summary:

  • Scan Exclusions: the file/path is not scanned and not hashed; this applies to any engine doing file scanning.
  • Process Exclusion: anything done by a running process is not scanned.
  • Application Whitelisting: has an impact on two things
    • Behavioral engines (e.g. Machine Learning) exclude the hash
    • The connector does no cloud lookup for the hash
  • Engine-specific process exclusions: the exclusion works for a specific engine only

Greetings,
Thorsten

9 Replies


Thanks Thorsten for the details. Appreciate it.

Example: "HostMachine detected but did not block (Audit mode) access to lsass.exe by MicrosoftDependencyAgent.exe"

To be more clear: if I have to whitelist the Microsoft DependencyAgent, I did a right click and "add to Application Whitelist" in Outbreak filter. Is this a recommended solution, or would I need to add the hash value under Exclusions (System Process Exclusion)?

Need your advice.
Hello @balakrishnanbipin1,
it depends on what exactly was detected and which Threat Type was detected. If you add the application (hash) to the whitelist:

  • All file scanning is still done
  • There is no cloud lookup done for the hash
  • The behavioral protection engine is still generating the event stream for the engine
  • Machine Learning will exclude the hash

What Event Type have you seen in your console?

Hi,

That's a System Process Execution.

Hi Thorsten,

could you help me with an issue we are facing? We use the PatchMyPC-ScriptRunner.exe tool for software deployment/checks, and this tool creates records in the registry similar to:

\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XYZ.exe

Cisco CSE is generating events due to the registry changes: "The registry was updated to add a debugger to the key: Image File Execution Options."

Is there any way to either mute or whitelist this activity? We have confirmation that usage of this tool is needed and necessary and that it is a legitimate tool.

I've tried to add the hash to the application whitelist and create a file scan exclusion, but we still receive events. Based on the event, the detection was made by the behavioral engine.

I would appreciate any help.

thanks

marcel
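The detection marcel describes fires on a Debugger value being written under Image File Execution Options (IFEO), which is a classic persistence/hijack technique, so a behavioral engine will keep flagging it regardless of hash exclusions. Before asking for an exclusion it is worth confirming exactly which IFEO entries exist on an affected host and whether every Debugger value points at the binary you expect. The following PowerShell audit is an added example, not code from this thread, from Cisco or from PatchMyPC; the allowlist contents, the helper name Get-IfeoDebuggerEntries and the sample debugger path are assumptions for illustration. It reads both the native and the WOW6432Node IFEO hives, since 32-bit installers write to the redirected key.

```powershell
# Added example: audit Image File Execution Options (IFEO) Debugger values.
# Flags any entry whose debugger executable is not on an expected list, so you
# can tell approved deployment-tool writes apart from unexpected ones.

# Both hives matter: 32-bit processes are redirected to WOW6432Node.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Hypothetical allowlist of debugger executables your approved tooling is known to set.
# The path below is an assumption; replace it with the real location in your deployment.
$expectedDebuggers = @(
    'C:\Program Files\ExampleVendor\ExampleScriptRunner.exe'
)

function Get-IfeoDebuggerEntries {
    param(
        [string[]]$Roots = $ifeoRoots,
        [string[]]$Expected = $expectedDebuggers
    )
    foreach ($root in $Roots) {
        # Subkeys are named after the target executable (e.g. XYZ.exe).
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props -and $props.PSObject.Properties['Debugger']) {
                $debugger = [string]$props.Debugger
                # The value may carry arguments; isolate the executable for comparison,
                # handling a quoted path ("C:\Program Files\...") as well as a bare one.
                $exe = if ($debugger.StartsWith('"')) {
                    $debugger.Split('"')[1]
                } else {
                    $debugger.Split(' ')[0]
                }
                [pscustomobject]@{
                    Hive     = if ($root -like '*WOW6432Node*') { 'WOW6432Node' } else { 'Native' }
                    Target   = $_.PSChildName
                    Debugger = $debugger
                    Expected = ($Expected -contains $exe)
                }
            }
        }
    }
}

# Unexpected entries sort first; review those before requesting any exclusion.
Get-IfeoDebuggerEntries | Sort-Object Expected, Target | Format-Table -AutoSize
```

Run it elevated on a host that raised the event. An entry with Expected = False is either a second, unapproved use of the technique or an allowlist you still need to complete; either way it is the evidence to attach to the TAC case Thorsten mentions, rather than excluding the whole key. Note that a file-scan or hash exclusion does not suppress this event because the write itself, not the executable, is what the behavioral engine evaluates.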

Hello @jmarcel2,
I assume the backend is generating CloudIOC events here. If this is the case, you may open a TAC case so we can add an exclusion for you. BTW, we are already working on a solution so customers can generate CloudIOC exclusions themselves.

Greetings, Thorsten

Exclusions are "don't scan here" directory locations.
Application Whitelist is "let this app run".


Can I whitelist some specific application to run, and block everything else?

Hello @Sky.w3lker,

no, such application management or integrity monitoring is actually out of focus for Secure Endpoint.

Greetings,
Thorsten