AMP for Endpoints false positive - Outlook .tmp files

ksleighter
Level 1

The most consistent false positive I get in AMP for Endpoints is .tmp files from Outlook. Here is an example below. I'd like to be able to create some kind of exclusion to ignore this type of event. My thought was to make a process exclusion for Outlook, but I'm not sure how much that opens me up to ignoring actual malware events. If a user has a malicious attachment in an email and opens it, the activation would be associated with some other process other than Outlook, correct?

Thanks in advance

Detected Doc.Dropper.Valyria.95.sbx.tg within tmpCB94.tmp (fedc4c62…c403b49f)[Binary Data] . Detected inner file (7c180005…4c5b13d0)[MS OLE2 CF].

Created by OUTLOOK.EXE (00000000…00000000)[Unknown] executing as USER@DOMAIN.

The file was not quarantined. Quarantined event missing.


File full path: C:\UsersUSER\AppData\Local\Temp\tmpCB94.tmp

Parent file age: 10 seconds.

Parent process id: 7296.

Parent process SID: S-1-5-21-3884477466-3354684103-1223720769-17275.

Detected by the SHA engines.
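As an added example (not code from the thread or from Cisco), a small Python triage helper that parses event text shaped like the one above and compares how much wider an exclusion keyed only on the parent process is than one scoped to the Outlook Temp-folder .tmp path. The hashes, the SID-free field set and the second sample event are constructed for the demonstration.

```python
import re

# Constructed sample modelled on the event text in the post above;
# hash fields are placeholders, not the values from the thread.
SAMPLE_EVENT = r"""Detected Doc.Dropper.Valyria.95.sbx.tg within tmpCB94.tmp (PLACEHOLDER_SHA)[Binary Data] . Detected inner file (PLACEHOLDER_SHA)[MS OLE2 CF].
Created by OUTLOOK.EXE (PLACEHOLDER_SHA)[Unknown] executing as USER@DOMAIN.
The file was not quarantined. Quarantined event missing.
File full path: C:\Users\USER\AppData\Local\Temp\tmpCB94.tmp
Parent file age: 10 seconds.
Parent process id: 7296.
Detected by the SHA engines.
"""

# Second constructed event (hypothetical): same detection name, but the file
# Outlook wrote sits outside the Temp folder.
OTHER_EVENT = SAMPLE_EVENT.replace(
    r"AppData\Local\Temp\tmpCB94.tmp", r"Downloads\invoice.doc"
).replace("tmpCB94.tmp", "invoice.doc")

def parse_event(text: str) -> dict:
    """Extract the fields a triage rule needs from an AMP event description."""
    ev = {}
    m = re.search(r"Detected (\S+) within (\S+)", text)
    if m:
        ev["detection"], ev["file"] = m.group(1), m.group(2)
    m = re.search(r"Created by (\S+) .*?executing as (\S+?)\.?$", text, re.M)
    if m:
        ev["parent_process"], ev["user"] = m.group(1), m.group(2)
    m = re.search(r"File full path: (.+)", text)
    if m:
        ev["path"] = m.group(1).strip()
    ev["quarantined"] = "was not quarantined" not in text
    return ev

# Narrow candidate: Outlook-created tmpXXXX.tmp files under the user's local Temp.
OUTLOOK_TMP_PATH = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp$", re.IGNORECASE)

def matches_path_exclusion(ev: dict) -> bool:
    """Suppress only when both the parent process and the Temp path pattern match."""
    return (ev.get("parent_process", "").upper() == "OUTLOOK.EXE"
            and bool(OUTLOOK_TMP_PATH.match(ev.get("path", ""))))

def matches_process_exclusion(ev: dict) -> bool:
    """A process exclusion ignores the path: anything Outlook writes is skipped."""
    return ev.get("parent_process", "").upper() == "OUTLOOK.EXE"

def exclusion_scope(text: str) -> dict:
    ev = parse_event(text)
    return {"path_exclusion_suppresses": matches_path_exclusion(ev),
            "process_exclusion_suppresses": matches_process_exclusion(ev)}
```

Running `exclusion_scope` on both samples shows the path-scoped rule suppresses only the Temp-folder event, while the process-only rule suppresses both.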

4 Replies

Jetsy Mathew
Cisco Employee