AMP for Endpoints Application Blacklist not 100%

Brisco1165
Level 1

I have an executable file, I used sha256deep to generate a hash. I confirmed that hash with an upload to VirusTotal as well as generating a hash through 7zip. I added the sha256 hash to my blocklist. Updated the policy on my endpoint. I was still able to execute the application. Why?

1 Accepted Solution


The default is 1 hour, but you will need to verify against your policy settings. You can either wait for the cache to expire (time since last disposition lookup) or you can manually delete the cache for testing. The cache disposition will be used if it exists and is still 'alive' based on TTL for cache. There are a few actions that will change the cache in the event of a retrospective alert; however, blacklisting is not able to do this so you will need to either wipe the cache or wait for it to expire.

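The behaviour the accepted answer describes, modelled as an added example that is not from the thread or from Cisco's own code: a toy per-hash disposition cache with a TTL, showing that a hash added to the blocklist keeps being allowed until its cached entry ages out or the cache is wiped. The class, the fake clock, the 1-hour TTL and the sample bytes are constructed assumptions for illustration.

```python
import hashlib

CLEAN, MALICIOUS = "clean", "malicious"


class FakeClock:
    """Constructed clock so the TTL can be advanced deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class DispositionCache:
    """Hypothetical model of an endpoint disposition cache: an entry is reused
    while it is younger than ttl_seconds; a blocklist change does not touch it."""
    def __init__(self, ttl_seconds, clock):
        self.ttl, self.clock, self.entries = ttl_seconds, clock, {}

    def lookup(self, sha256, blocklist):
        entry = self.entries.get(sha256)
        if entry is not None and self.clock() - entry[1] < self.ttl:
            return entry[0]  # cached and still alive: no fresh lookup is made
        disposition = MALICIOUS if sha256 in blocklist else CLEAN  # simulated cloud answer
        self.entries[sha256] = (disposition, self.clock())
        return disposition

    def wipe(self):
        self.entries.clear()  # stands in for stopping the service and deleting the cache


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def simulate(action, ttl_seconds=3600.0):
    """action is 'wait' (let the TTL expire) or 'wipe' (clear the cache)."""
    clock = FakeClock()
    cache = DispositionCache(ttl_seconds, clock)
    digest = sha256_of(b"constructed sample executable contents")  # constructed input
    blocklist = set()
    seen = [cache.lookup(digest, blocklist)]      # first execution: clean, now cached
    blocklist.add(digest)                         # operator adds the hash, policy pushed
    clock.advance(600)                            # ten minutes later, within the TTL
    seen.append(cache.lookup(digest, blocklist))  # served from cache: still clean
    if action == "wipe":
        cache.wipe()
    else:
        clock.advance(ttl_seconds)                # age the entry past its TTL
    seen.append(cache.lookup(digest, blocklist))  # fresh lookup: now malicious
    return seen
```

Running `simulate("wait")` and `simulate("wipe")` both give `['clean', 'clean', 'malicious']`: the blocklist only bites once the cached disposition is gone.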

5 Replies

majacob2
Cisco Employee
The cache for the lookup is still in effect. In order to test this, delete the cache files in the AMP directory. You will need to stop the service, delete the cache, then start the service up again and test.

When does the cache clear on its own? I assume this is not something I am going to have to do on 1000 endpoints every time I add a hash. There must be a timed clearing of the cache, no?

Hi,

you can find the cache settings directly in the AMP policy.

Cheers



Oliver Kaiser
Level 7

If you are using AMP4E standalone without AV, make sure "Advanced Settings > File and Process Scan > On Execute Mode" is set to active; otherwise it will initially permit execution.