cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3637
Views
0
Helpful
4
Replies

Amp for end points false positive - outlook .tmp files

ksleighter
Level 1
Level 1

The most consistent false positive i get in amp for endpoints is .tmp files from outlook. here is an example below. I'd like to be able to create some kind of exclusion to ignore this type of event. My thought was to make a process exclusion for outlook, but i'm not sure how much that opens me up to ignoring actual malware events. If a user has a malicious attachment in an email and opens it, the activation would be associated with some other process other than outlook, correct?

 

Thanks in advance

 

Detected Doc.Dropper.Valyria.95.sbx.tg within tmpCB94.tmp (fedc4c62…c403b49f)[Binary Data] . Detected inner file (7c180005…4c5b13d0)[MS OLE2 CF].

Created by OUTLOOK.EXE (00000000…00000000)[Unknown] executing as USER@DOMAIN.

The file was not quarantined. Quarantined event missing.


File full path: C:\UsersUSER\AppData\Local\Temp\tmpCB94.tmp

Parent file age: 10 seconds.

Parent process id: 7296.

Parent process SID: S-1-5-21-3884477466-3354684103-1223720769-17275.

Detected by the SHA engines.

4 Replies 4

Jetsy Mathew
Cisco Employee
Cisco Employee

Hello  ksleighter

 

What is the connector version that is in use ? If the user tries to open any malicious file , then amp will  inspect and take the action accordingly. It would be great if you can open a service request and provide the diagnostics logs so that we can suggest you the best action plan. 

 

Regards

Jetsy 

Amp version - 6.1.3

 

I can open a service request if need be, but i didn't think it necessary. I don't have an actual malicious activity. Just false positives from tmp files created by outlook in  C:\Users\USER\AppData\Local\Temp\

 

My concern is if i whitelist outlook as a process to stop these false positives from coming up. My assumption is that it should be fine because an actual malicious file in an email would be created/activated by a process that isn't outlook. Unless i'm mistaken, which is what i'm asking. Just making sure i'm not opening myself up to security concerns. If i am, is there a better way to whitelist this action?

HI,

 

you stated: "If a user has a malicious attachment in an email and opens it, the activation would be associated with some other process other than outlook, correct?"

The file opens in associated application e.g. word. If the Word macro is malicious, than it can harm your computer. You should have file dynamic analysis configured in your AMP account, to mitigate zero day attacks.

 

Let me know, if I answered your question.

 

David

Cyber security escalation engineer

Hello ksleighter

 

This will be purely depending on the location where the attachment gets stored. I would recommend a path exclusion over a process exclusion in your case.

 

Regards

Jetsy