05-03-2018 05:53 AM - edited 03-08-2019 05:47 PM
The most consistent false positive I get in AMP for Endpoints is .tmp files from Outlook. Here is an example below. I'd like to be able to create some kind of exclusion to ignore this type of event. My thought was to make a process exclusion for Outlook, but I'm not sure how much that opens me up to ignoring actual malware events. If a user has a malicious attachment in an email and opens it, the activation would be associated with some other process other than Outlook, correct?
Thanks in advance
Detected Doc.
Created by OUTLOOK.
The file was not quarantined. Quarantined event missing.
File full path: C:\
Parent file age: 10 seconds.
Parent process id: 7296.
Parent process SID: S-1-5-21-3884477466-3354684103-1223720769-17275.
Detected by the SHA engines.
05-03-2018 06:07 AM
Hello ksleighter
What is the connector version that is in use? If the user tries to open any malicious file, then AMP will inspect it and take the action accordingly. It would be great if you can open a service request and provide the diagnostic logs so that we can suggest the best action plan to you.
Regards
Jetsy
05-03-2018 06:15 AM
AMP version - 6.1.3
I can open a service request if need be, but I didn't think it necessary. I don't have any actual malicious activity, just false positives from .tmp files created by Outlook in C:\
My concern is if I whitelist Outlook as a process to stop these false positives from coming up. My assumption is that it should be fine because an actual malicious file in an email would be created/activated by a process that isn't Outlook. Unless I'm mistaken, which is what I'm asking. Just making sure I'm not opening myself up to security concerns. If I am, is there a better way to whitelist this action?
05-03-2018 07:40 AM
Hi,
You stated: "If a user has a malicious attachment in an email and opens it, the activation would be associated with some other process other than outlook, correct?"
The file opens in the associated application, e.g. Word. If the Word macro is malicious, then it can harm your computer. You should have file dynamic analysis configured in your AMP account to mitigate zero-day attacks.
Let me know if I answered your question.
David
05-03-2018 07:51 AM
Hello ksleighter
This will depend purely on the location where the attachment gets stored. I would recommend a path exclusion over a process exclusion in your case.
Regards
Jetsy
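As an added illustration of the point made in this thread (this is not code from the thread or from Cisco's product, and does not model how the AMP engine actually evaluates exclusions), here is a small Python model that replays constructed detection events through both exclusion types. The temp-folder path, the file names and the WINWORD.EXE creator are assumptions chosen to mirror the scenario discussed above.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    """One file-creation detection: where the file landed and which process wrote it."""
    path: str
    created_by: str


# Constructed sample events (placeholder paths, not taken from the thread):
#  1. the benign Outlook .tmp that produces the false positive
#  2. an attachment Outlook saved to a user-chosen location
#  3. a file dropped by Word after a macro-enabled attachment was opened
EVENTS = [
    Event(r"C:\Users\alice\AppData\Local\Temp\Outlook\a1b2c3.tmp", "OUTLOOK.EXE"),
    Event(r"C:\Users\alice\Downloads\invoice.docm", "OUTLOOK.EXE"),
    Event(r"C:\Users\alice\AppData\Local\Temp\payload.exe", "WINWORD.EXE"),
]


def process_excluded(event: Event, process: str) -> bool:
    """A process exclusion ignores every file the named process creates, wherever it lands."""
    return event.created_by.upper() == process.upper()


def path_excluded(event: Event, pattern: str) -> bool:
    """A path exclusion ignores only files matching a path glob, whoever created them."""
    return fnmatchcase(event.path.lower(), pattern.lower())


def suppressed(events, rule) -> list:
    """Return the paths of the events a rule would silence."""
    return [e.path for e in events if rule(e)]


def compare(events, process: str, pattern: str) -> dict:
    """Show what each exclusion type hides; anything not listed is still inspected."""
    return {
        "process_exclusion": suppressed(events, lambda e: process_excluded(e, process)),
        "path_exclusion": suppressed(events, lambda e: path_excluded(e, pattern)),
    }


if __name__ == "__main__":
    result = compare(EVENTS, "OUTLOOK.EXE", r"C:\Users\*\AppData\Local\Temp\Outlook\*.tmp")
    for rule, paths in result.items():
        print(rule, "hides", len(paths), "event(s):", paths)
```

The process exclusion silences the saved attachment as well as the .tmp, while the path exclusion scoped to the temp folder silences only the .tmp; neither hides the file dropped by Word, which is the case David describes.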