03-10-2023 04:33 AM
Hello everybody, every day when I access my Cisco AMP tool I find some cases where the file that is alerting has already been put in quarantine before.
I imagine that I must be doing something wrong in my exclusion list or some similar mistake.
Can someone help me with this problem?
03-10-2023 05:35 AM
Could you provide more information on what you mean with a screenshot?
03-10-2023 09:03 AM
Hi Matthew, basically what is happening is that I receive some alerts on the endpoint, but when I check the path the file is already in quarantine.
I'll try to send some screenshots here.
03-10-2023 09:21 AM
Most likely what is happening is that Secure Endpoint attempts to quarantine a file but the parent process (Chrome for example if it is being downloaded from a browser) still has a handle on it. This would trigger a Quarantine Failure event since we are not able to quarantine the file at that time. Then, as soon as the handle is available, we are able to quarantine the file successfully so you will also have a corresponding Quarantine Success event.
03-13-2023 06:36 AM
Thank you for your explanation Matthew. Is there any secure way that I can prevent my AMP from reporting this type of notification?
03-13-2023 07:07 AM
Considering it is a legitimate alert at the time it occurs, not really. One potential I see is if you set up a script to use an event stream, look for events on the same hash and mark them as quarantined in your output. You can find a starter script for event streams here.
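The mechanism described two posts up (a Quarantine Failure while a parent process still holds a handle, followed by a Quarantine Success once the handle is released) and the suggestion above (consume the event stream, match events on the same hash and mark them as quarantined in your output) can be combined into a small correlation routine. The following is an added example, not the Cisco starter script and not code from anyone in this thread. It processes constructed sample messages offline; the JSON field layout (`event_type`, `date`, `computer.hostname`, `file.identity.sha256`, `file.file_path`) is an assumption modelled on the general shape of Secure Endpoint event JSON, so adjust the accessors in `parse_event` to match what your stream actually delivers. It goes slightly beyond the answer by keying on hostname as well as hash, since a quarantine outcome is per machine.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample messages, not real telemetry. The field layout is an
# assumption (see lead-in); adjust parse_event() for your own stream.
SAMPLE_MESSAGES = [
    json.dumps({"event_type": "Threat Detected", "date": "2023-03-10T08:58:01+00:00",
                "computer": {"hostname": "WS-0042"},
                "file": {"identity": {"sha256": "aa" * 32},
                         "file_path": "C:\\Users\\u\\Downloads\\inv.exe"}}),
    # Parent process still holds a handle: quarantine fails at first ...
    json.dumps({"event_type": "Quarantine Failure", "date": "2023-03-10T08:58:02+00:00",
                "computer": {"hostname": "WS-0042"},
                "file": {"identity": {"sha256": "aa" * 32},
                         "file_path": "C:\\Users\\u\\Downloads\\inv.exe"}}),
    # ... and succeeds once the handle is released.
    json.dumps({"event_type": "Quarantine Success", "date": "2023-03-10T08:58:40+00:00",
                "computer": {"hostname": "WS-0042"},
                "file": {"identity": {"sha256": "aa" * 32},
                         "file_path": "C:\\Users\\u\\Downloads\\inv.exe"}}),
    # A failure on another host with no later success: this one needs attention.
    json.dumps({"event_type": "Quarantine Failure", "date": "2023-03-10T09:02:15+00:00",
                "computer": {"hostname": "WS-0077"},
                "file": {"identity": {"sha256": "bb" * 32},
                         "file_path": "C:\\Temp\\setup.exe"}}),
]


def parse_event(raw):
    """Reduce one raw JSON message to the handful of fields we correlate on."""
    msg = json.loads(raw)
    return {
        "type": msg["event_type"],
        "when": datetime.fromisoformat(msg["date"]),
        "host": msg["computer"]["hostname"],
        "sha256": msg["file"]["identity"]["sha256"],
        "path": msg["file"].get("file_path", ""),
    }


def correlate(raw_messages):
    """Pair each Quarantine Failure with a later Quarantine Success on the
    same (host, sha256). Returns (failure_report, still_pending).

    failure_report: one record per failure, annotated with status
                    'quarantined' (and the delay) or 'pending'.
    still_pending:  (host, sha256) -> failure records with no success yet.
    """
    events = sorted((parse_event(m) for m in raw_messages), key=lambda e: e["when"])
    pending = defaultdict(list)
    report = []
    for ev in events:
        key = (ev["host"], ev["sha256"])
        if ev["type"] == "Quarantine Failure":
            rec = {**ev, "status": "pending"}
            pending[key].append(rec)
            report.append(rec)
        elif ev["type"] == "Quarantine Success":
            # Close every open failure for this host+hash; a success with no
            # earlier failure needs no annotation.
            for rec in pending.pop(key, []):
                rec["status"] = "quarantined"
                rec["quarantined_at"] = ev["when"]
                rec["seconds_to_quarantine"] = (ev["when"] - rec["when"]).total_seconds()
        # Other event types (e.g. Threat Detected) pass through untouched.
    return report, dict(pending)


def format_line(rec):
    """One human-readable line per failure record for the script's output."""
    base = f"{rec['when'].isoformat()} {rec['host']} {rec['sha256'][:12]} {rec['path']}"
    if rec["status"] == "quarantined":
        return f"{base} -> quarantined after {rec['seconds_to_quarantine']:.0f}s"
    return f"{base} -> STILL PENDING, investigate"


if __name__ == "__main__":
    report, pending = correlate(SAMPLE_MESSAGES)
    for rec in report:
        print(format_line(rec))
    print(f"{len(pending)} host/hash pair(s) still unresolved")
```

In a live deployment the messages would arrive from the AMQP event stream rather than from the `SAMPLE_MESSAGES` list, and the pending table would be kept across messages; what matters for triage is that a failure which is closed within seconds by a success is the benign handle race described above, while a failure that stays pending is the one worth investigating.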
03-13-2023 07:10 AM
OK, thank you very much