Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2510
Views
0
Helpful
1
Replies

AMP - False Positive

LoTeK
Level 1
Level 1

‎03-08-2019 01:48 PM - edited ‎02-20-2020 09:08 PM

So I have a user using excel with a macro/script and AMP keeps flagging VBA.ObfDldr.1.Gen How can I whitelist this file so it's not alerting 100x a day. The hash changes when they use the file.   

Labels:
0 Helpful
1 Reply 1

Wojciech Cecot
Cisco Employee
Cisco Employee

‎03-19-2019 11:13 AM

If that is IOC event then it can't be excluded or whitelisted, only muted. To suppress these alerts it is required to globally mute the IOC in the dashboard. To do so login to your AMP console, go to Dashboard > navigate to bottom > Compromise Events Types > you will see a bell icon > find the IOC you would like to mute and click that. More details:

https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf#G3.1750717

 

Disadvantage: mute of such event, will trigger mute as well for not false-positives.

 

Hope that helps,
-Wojciech

0 Helpful
Customers Also Viewed These Support Documents