Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11148
Views
25
Helpful
21
Replies

exclude/whiteliste certain powershell commands

Go to solution
thomas.methlie
Level 1
Level 1

‎10-11-2019 01:31 AM - edited ‎02-20-2020 09:11 PM

Admins being admins like to use powershell to solve certain task. To do this they will often run a powershell file downloaded from a server, i.e:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com/script.ps1'))

This being an obvious red flag triggers AMP, but gives a lot of false positives in this case. 

 

Is there any way to exclude/whitelist something like this? Like the full command with arguments, the server from which it downloads??

 

Regards,

Thomas

8 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Troja007
Cisco Employee
Cisco Employee

‎10-16-2019 04:47 AM

Opened a Feature Request for you.

Greetings,

Thorsten

View solution in original post

21 Replies 21

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-11-2019 03:10 AM

Are you looking to exclude this AMP for end point, here is the exclustiondocument to exclude certain extension as per the requirement,ent.

 

https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
thomas.methlie
Level 1
Level 1
In response to balaji.bandi

‎10-11-2019 04:42 AM

thanks but that guide doesn´t provide any info on my problem. To be more precise, I don´t want to exclude powershell process or ps script files on a general basis

0 Helpful

Go to solution
Troja007
Cisco Employee
Cisco Employee

‎10-16-2019 04:43 AM

Hello Thomas,

sorry to say, but, as explained in the documentation this is the way we can handle exclusions today. The best way is to report this missing feature to your Cisco Representative to open a Feature Request for this.

 

Just to be sure: You are getting a lot of IOCs?

 

Greetings,

Thorsten

0 Helpful

Go to solution
thomas.methlie
Level 1
Level 1
In response to Troja007

‎10-16-2019 06:32 AM

Hi,

yeah this is one of our largest sources of false positive alerts and spend quite some time cleaning up the dashboard. Could of course mute the events, but I don´t feel comfortable muting too much stuff.

 

Thanks for opening a Feature Request.

 

Regards,

Thomas

0 Helpful

Go to solution
Troja007
Cisco Employee
Cisco Employee
In response to thomas.methlie

‎10-17-2019 04:54 AM

So,

what would help? Defining an exclusion with several parameters? 

Including:

  1. Path of the Process, Process name
  2. Hash and Signer
  3. Source where the file is downloaded from

Looks easy, but is much more development effort. The questions is, where to enforce.

  • Endpoint: We have to define how big the time window is the endpoint can monitor AND what the performance/resource impact on the endpoint is.
  • Backend: Changing the whole logic. This must be done for every customer, because exclusions will be different.
    • We also need some kind of "plausibility check" to avoid impacts in the backend based on wrong defined exclusions.

But finally, something which should be included in the product.

Cheers,

Thorsten

0 Helpful

Go to solution
thomas.methlie
Level 1
Level 1
In response to Troja007

‎10-22-2019 12:36 AM

Yes, the three parameters you mention is what I was initially thinking of.

If there is a need to assist in testing this, I would be happy to help.

 

Regards,

Thomas

0 Helpful

Go to solution
Troja007
Cisco Employee
Cisco Employee
In response to thomas.methlie

‎10-23-2019 02:45 AM

Hello @thomas.methlie,

the only way today is, getting in contact with your Cisco Representative to open a Feature Request.

Greetings,

Thorsten

0 Helpful

Go to solution
Troja007
Cisco Employee
Cisco Employee

‎10-16-2019 04:47 AM

Opened a Feature Request for you.

Greetings,

Thorsten

Go to solution
POAL
Level 1
Level 1
In response to Troja007

‎11-14-2019 12:43 PM

We're waiting with bated breath for this feature to come out as we have the same problem. We use powershell to deploy all our stuff and it triggers Cisco AMP on a weekly basis with false positives. It's causing alert fatigue for our analysts but we don't want to exclude ALL powershell.exe as some of them might in fact be malicious. Please please please give us this new feature that allows exclusions on specific powershell scripts. 

Thanks!

0 Helpful

Go to solution
rolszowy
Cisco Employee
Cisco Employee
In response to POAL

‎11-14-2019 01:28 PM

There is one option at the moment to exclude particular IOC by the TAC case.

Radek
0 Helpful

Go to solution
Shinku
Level 1
Level 1
In response to rolszowy

‎12-15-2020 10:41 AM

Can you elaborate? Where/how can we exclude by IOC?

0 Helpful

Go to solution
gmcclintick1
Level 1
Level 1
In response to Troja007

‎04-05-2021 10:39 AM

What is the feature request number?  Roadmap timing for this?

Go to solution
Troja007
Cisco Employee
Cisco Employee
In response to gmcclintick1

‎04-06-2021 02:22 AM

Hello,

this Feature Request is an internal one, and not public viewable. You may get in touch with your Cisco representative to get more insights into upcoming features in the product.

As the roadmap can always get updated, we do not publish this information in the community.

Greetings,

Thorsten

0 Helpful

Go to solution
Davedog
Level 1
Level 1
In response to Troja007

‎10-18-2022 05:52 AM

I saw the feature request was going in in 2019,  any update on it?

0 Helpful
Customers Also Viewed These Support Documents