08-09-2018 08:37 AM - edited 02-20-2020 09:06 PM
I have an executable file, I used sha256deep to generate a hash. I confirmed that hash with an upload to VirusTotal as well as generating a hash through 7zip. I added the sha256 hash to my blocklist. Updated the policy on my endpoint. I was still able to execute the application. Why?
08-15-2018 06:27 AM
The default is 1 hour, but you will need to verify against your policy settings. You can either wait for the cache to expire (time since last disposition lookup) or you can manually delete the cache for testing. The cache disposition will be used if it exists and is still 'alive' based on TTL for cache. There are a few actions that will change the cache in the event of a retrospective alert; however, blacklisting is not able to do this so you will need to either wipe the cache or wait for it to expire.
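As an added illustration of the accepted answer (this is not code from the thread or from the AMP connector), the Python model below replays the poster's steps against a per-hash disposition cache with a TTL: the "clean" verdict cached on the first execution is reused until it expires, so a hash added to the blocklist in between still runs, while a manual cache flush makes the block take effect immediately. The cache structure, the stand-in "cloud" lookup, the sample hash and the 1-hour TTL are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: the hash of a made-up file body, not a real indicator.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample executable").hexdigest()
DEFAULT_TTL = 3600  # the 1-hour default quoted in the accepted answer (assumed)

@dataclass
class CacheEntry:
    disposition: str     # "clean" or "malicious"
    looked_up_at: float  # time of the last disposition lookup

class DispositionCache:
    """Hypothetical model of a connector's per-hash disposition cache."""

    def __init__(self, ttl_seconds, clock):
        self.ttl, self.clock, self.entries = ttl_seconds, clock, {}

    def decide(self, sha256, cloud_lookup):
        """Return (allowed, source): reuse a live cache entry, else ask the cloud."""
        entry = self.entries.get(sha256)
        now = self.clock()
        if entry is not None and now - entry.looked_up_at < self.ttl:
            return entry.disposition != "malicious", "cache"
        disposition = cloud_lookup(sha256)           # fresh lookup, then re-cache
        self.entries[sha256] = CacheEntry(disposition, now)
        return disposition != "malicious", "cloud"

    def flush(self):
        """Manual cache wipe, the testing shortcut from the accepted answer."""
        self.entries.clear()

def run_scenario(flush_after_blocklist=False, ttl_seconds=DEFAULT_TTL):
    """Replay the thread: execute, blocklist the hash, execute again, wait out the TTL."""
    now = [0.0]                                      # controllable fake clock
    blocklist = set()
    cache = DispositionCache(ttl_seconds, clock=lambda: now[0])

    def cloud(h):                                    # stand-in for the disposition service
        return "malicious" if h in blocklist else "clean"

    trace = [("first run", *cache.decide(SAMPLE_SHA256, cloud))]
    blocklist.add(SAMPLE_SHA256)                     # hash added to the blocklist
    if flush_after_blocklist:
        cache.flush()
    now[0] += 60                                     # policy synced a minute later
    trace.append(("after blocklist", *cache.decide(SAMPLE_SHA256, cloud)))
    now[0] += ttl_seconds                            # wait out the cache TTL
    trace.append(("after ttl", *cache.decide(SAMPLE_SHA256, cloud)))
    return trace
```

Without a flush the second entry in the trace is still allowed from cache, which is exactly the behaviour the question describes; with `flush_after_blocklist=True` the block applies at once.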
08-09-2018 10:54 AM
08-09-2018 11:16 AM
When does the cache clear on its own? I assume this is not something I am going to have to do on 1000 endpoints every time I add a hash. There must be a timed clearing of the cache, no?
08-15-2018 06:03 AM
Hi,
You can find the cache settings directly in the AMP policy.
Cheers
04-27-2020 04:58 AM
If you are using AMP4E standalone without AV, make sure "Advanced Settings > File and Process Scan > On Execute Mode" is set to active; otherwise it will initially permit execution.