
Default Outlook Temp Exclusion

seanchoudhury
Level 1

Hi,

We are seeing an issue where the default Cisco AMP exclusions for Outlook aren't enough because Outlook Temp is also under /private/var, so it's scanning this location and we are getting inundated with Threat Detected notifications every time someone's Outlook receives an attachment. I guess my question is: has anyone had success with excluding the /private/var Outlook Temp as well? This would have to be done with wildcards, as the folder name is randomized.

--

Sean

1 Accepted Solution

Accepted Solutions

Jetsy Mathew
Cisco Employee

Hello Sean,

Do you have a Mac or Windows endpoint facing this issue?

Just try the following if you have a Mac workstation and let me know if this works. Compare the path with the one you have.

Wildcard
/private/var/folders/*/*/*/com.microsoft.*/Outlook Temp

Regards

Jetsy


2 Replies 2

Thank you so much Jetsy!

We have all Mac endpoints, and the file paths we are currently excluding are:

  • Wildcard: /Users/*/Documents/Microsoft User Data/Office 2011 Identities/*
  • Wildcard: /Users/*/Library/Group Containers/* Office/Outlook/Outlook 15 Profiles/*
  • Wildcard: /Users/*/Library/Caches/Outlook/*
  • Wildcard: /Users/*/Library/Caches/TemporaryItems/Outlook Temp/*kcIB*

These were suggested by Cisco Support docs, so a follow-up question is: can this be added to the defaults? I'd imagine anyone who manages Mac endpoints is going to have this same issue, because Outlook is storing in the /private/var path as well.
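
An added example, not part of the thread and not Cisco code: a small checker that shows which sample paths each wildcard from this thread would leave unscanned, so an exclusion can be compared against real paths and checked for over-broad coverage before it is deployed. How the connector expands `*` and whether an excluded directory covers its contents are not stated in the thread, so both are assumptions here (the `star_crosses_slash` switch tests both readings of `*`), and the sample paths are constructed.

```python
import re

# Wildcards quoted in this thread.
EXISTING = [
    "/Users/*/Documents/Microsoft User Data/Office 2011 Identities/*",
    "/Users/*/Library/Group Containers/* Office/Outlook/Outlook 15 Profiles/*",
    "/Users/*/Library/Caches/Outlook/*",
    "/Users/*/Library/Caches/TemporaryItems/Outlook Temp/*kcIB*",
]
SUGGESTED = "/private/var/folders/*/*/*/com.microsoft.*/Outlook Temp"

# Constructed sample paths (not taken from a real endpoint).
SAMPLES = [
    "/private/var/folders/zz/abc123/T/com.microsoft.Outlook/Outlook Temp/invoice.pdf",
    "/private/var/folders/zz/abc123/T/com.example.app/report.pdf",
    "/private/var/folders/zz/abc123/T/nested/com.microsoft.Outlook/Outlook Temp/x.doc",
]

def to_regex(pattern, star_crosses_slash):
    """Translate a `*` wildcard path into a regex (used with fullmatch)."""
    # Assumption: `*` either stays inside one path segment or spans separators.
    star = ".*" if star_crosses_slash else "[^/]*"
    return re.compile(star.join(re.escape(part) for part in pattern.split("*")))

def covered(path, pattern, star_crosses_slash=False):
    """True if the wildcard matches the path or any of its parent directories."""
    # Assumption: excluding a directory also excludes everything beneath it.
    rx = to_regex(pattern, star_crosses_slash)
    parts = path.rstrip("/").split("/")
    return any(rx.fullmatch("/".join(parts[:i])) for i in range(2, len(parts) + 1))

def coverage(paths, patterns, star_crosses_slash=False):
    """Map each path to the list of wildcards that would exclude it."""
    return {p: [w for w in patterns if covered(p, w, star_crosses_slash)] for p in paths}

if __name__ == "__main__":
    for loose in (False, True):
        print("star crosses '/':", loose)
        for path, hits in coverage(SAMPLES, EXISTING + [SUGGESTED], loose).items():
            print("  ", "EXCLUDED" if hits else "scanned ", path)
```

Replace `SAMPLES` with paths taken from the Threat Detected notifications; any path that flips from scanned to excluded only under the cross-separator reading marks where the wildcard's reach depends on the connector's matching rules.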