The most consistent false positive I get in AMP for Endpoints is .tmp files from Outlook. Here is an example below. I'd like to be able to create some kind of exclusion to ignore this type of event. My thought was to make a process exclusion for Outlook, but I'm not sure how much that opens me up to ignoring actual malware events. If a user has a malicious attachment in an email and opens it, the activation would be associated with some other process other than Outlook, correct?
Thanks in advance
Detected Doc.Dropper.Valyria.95.sbx.tg within tmpCB94.tmp (fedc4c62…c403b49f)[Binary Data] . Detected inner file (7c180005…4c5b13d0)[MS OLE2 CF].
Created by OUTLOOK.EXE (00000000…00000000)[Unknown] executing as USER@DOMAIN.
The file was not quarantined. Quarantined event missing.
File full path: C:\UsersUSER\AppData\Local\Temp\tmpCB94.tmp
Parent file age: 10 seconds.
Parent process id: 7296.
Parent process SID: S-1-5-21-3884477466-3354684103-1223720769-17275.
Detected by the SHA engines.
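To see how much a broad process exclusion hides compared with a rule scoped to the Temp tmp*.tmp pattern in the event above, here is an added example (not from the original post and not AMP's own exclusion engine) that parses event text in the layout shown and reports which events each rule would suppress. The rule shapes, the second and third events, and the path pattern are assumptions for comparison only.

```python
import re
from fnmatch import fnmatch

# Constructed events in the same layout as the post's example. Only the first
# mirrors the original; the other two are hypothetical for comparison.
EVENTS = [
    "Created by OUTLOOK.EXE (00000000…00000000)[Unknown] executing as USER@DOMAIN.\n"
    "File full path: C:\\Users\\USER\\AppData\\Local\\Temp\\tmpCB94.tmp",
    "Created by OUTLOOK.EXE executing as USER@DOMAIN.\n"
    "File full path: C:\\Users\\USER\\AppData\\Local\\Microsoft\\Windows\\INetCache"
    "\\Content.Outlook\\ABCD1234\\invoice.docm",
    "Created by WINWORD.EXE executing as USER@DOMAIN.\n"
    "File full path: C:\\Users\\USER\\AppData\\Local\\Temp\\payload.exe",
]

def parse_event(text):
    """Pull the creating process and file path out of one event block."""
    proc = re.search(r"Created by (\S+)", text)
    path = re.search(r"File full path: (.+)", text)
    if not proc or not path:
        raise ValueError("unrecognised event layout")
    return {"process": proc.group(1).upper(), "path": path.group(1).strip()}

def process_exclusion(ev, process="OUTLOOK.EXE"):
    """Broad rule: ignore everything the named process writes, wherever it lands."""
    return ev["process"] == process

def scoped_exclusion(ev, process="OUTLOOK.EXE",
                     pattern=r"C:\Users\*\AppData\Local\Temp\tmp*.tmp"):
    """Narrow rule: same process, but only its tmp*.tmp files under Temp."""
    return ev["process"] == process and fnmatch(ev["path"].lower(), pattern.lower())

def suppressed_by(rule):
    """Return the file paths a rule would hide from the console."""
    return [ev["path"] for ev in map(parse_event, EVENTS) if rule(ev)]

if __name__ == "__main__":
    for name, rule in (("process exclusion", process_exclusion),
                       ("scoped exclusion", scoped_exclusion)):
        print(f"{name} suppresses: {suppressed_by(rule)}")
```

The broad rule also hides the attachment written by Outlook in the second event; neither rule touches the third event, because a payload dropped after the attachment is opened is created by the viewer process, not OUTLOOK.EXE.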