02-08-2023 12:36 PM
Hi,
Usually I don't have any issues creating exclusions for Cisco Secure Endpoint, but now this detection that I started seeing lately doesn't seem to be excluded regardless of how I do it.
So basically we are running Secure Endpoint for Windows 7.5.5.21061, and we are deploying a third-party EDR agent which usually is excluded without any problem. But recently, every time we deploy a new machine, and when this machine receives the EDR deployment, we get these detections:
Alternate Data Stream Execution
Tactics - TA0005: Defense Evasion
Techniques - T1564.004: Hide Artifacts: NTFS File Attributes
I created Exclusions (Path, Process) for all files in relation to this EDR installation. In the Observables triggering the Compromise events, the file hashes show in green. But still those events get populated in the default dashboard and I have to go in there regularly to mark them as resolved.
Now, should I be creating a Judgement instead of an exclusion? I have found absolutely no documentation on Judgements and how they work up to now.
Any ideas how I should get these observables ignored? Am I not understanding something here?
Thanks!
04-03-2023 11:50 AM
It turns out that an exclusion based on the file path could not work. The Process Behavioral Protection exclusion based on File Hash worked. Thanks for your patience.
02-08-2023 02:10 PM
02-08-2023 02:14 PM
Ok perfect I'll do so and post back with anything that could be useful for the community. Thank you!
02-09-2023 05:58 AM
Hi Martin,
As Ken suggested, a TAC case will be the best way to get to the bottom of this and figure out what engines trigger this detection. Unfortunately you did not share many details, like screenshots from your AMP console from the event page and the device trajectory event detail, that could shine more light on this; also the name of the 3rd-party app would help as well.
Based just on the detection that you shared with us, this type of detection I have seen usually when Behavioral Protection (BP) was triggered.
Behavioral Protection monitors the following system activity:
• Processes.
• File events.
• Registry events.
• Network events.
So I wouldn't be surprised if the 3rd-party EDR is doing something to the protected files above and triggers the detection.
Temporary Remediation: Disable Behavioral Protection engine or move to Audit mode
Investigate adding Behavioral Protection exclusions.
-Roman
02-13-2023 11:37 AM
Here is some information that might help you help me with this one. The agent is the CounterTack EDR.
The detection is as follows:
For now I have set the following exclusions and a couple more, but the path is a bit strange to me. The file as shown above seems to be green and whitelisted:
I may not be picking the right type of exclusion for sure but how can I know which type it is?
Thanks a lot!
02-14-2023 06:31 AM
Hello @Martin Hatch ,
we might need to define the exclusions differently. Looks like there is something written as an ADS stream to the disk.
Greetings,
Thorsten
02-14-2023 06:37 AM
Would you happen to have any more info on how to do that? I have a Cisco case opened; I'll post back if I get an answer, but if you have any suggestions I'm open to them too. Thanks!
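As an added example, not code posted in this thread or shipped by Cisco or CounterTack, the PowerShell below inventories alternate data streams under an install folder and prints the SHA-256 of each file that carries one. That is the information the posters were missing: which files the agent writes ADS to (what the Behavioral Protection engine flags as Alternate Data Stream Execution) and the exact file hash to use in the Behavioral Protection exclusion that ultimately worked. The `$Root` path is a placeholder, not the real EDR install path.

```powershell
# Added example: list alternate data streams under a folder and report the
# SHA-256 of the host file, so the hash used for a Behavioral Protection
# (file hash) exclusion can be checked against what the console shows.
param(
    [string]$Root = 'C:\Placeholder\EDR\Install'   # placeholder, not the real path
)

Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
        # Zone.Identifier is the common benign one added to downloaded files.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
        if ($streams) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            foreach ($s in $streams) {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $s.Stream
                    Bytes  = $s.Length
                    SHA256 = $hash
                }
            }
        }
    } | Format-Table -AutoSize
```

Run it on a freshly deployed machine after the EDR install; files listed with a stream other than Zone.Identifier are the candidates to compare against the hashes shown in the Observables of the Compromise event.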