10-11-2019 01:31 AM - edited 02-20-2020 09:11 PM
Admins being admins, they like to use powershell to solve certain tasks. To do this they will often run a powershell file downloaded from a server, i.e.:
C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com/script.ps1'))
This, being an obvious red flag, triggers AMP, but gives a lot of false positives in this case.
Is there any way to exclude/whitelist something like this? Like the full command with arguments, or the server from which it downloads?
Regards,
Thomas
Labels: Endpoint Security
10-11-2019 03:10 AM
Are you looking to exclude this in AMP for Endpoints? Here is the exclusion document to exclude certain extensions as per the requirement.
10-11-2019 04:42 AM
Thanks, but that guide doesn't provide any info on my problem. To be more precise, I don't want to exclude the powershell process or ps script files on a general basis.
10-16-2019 04:43 AM
Hello Thomas,
Sorry to say, but, as explained in the documentation, this is the way we can handle exclusions today. The best way is to report this missing feature to your Cisco Representative to open a Feature Request for this.
Just to be sure: You are getting a lot of IOCs?
Greetings,
Thorsten
10-16-2019 06:32 AM
Hi,
Yeah, this is one of our largest sources of false positive alerts, and we spend quite some time cleaning up the dashboard. We could of course mute the events, but I don't feel comfortable muting too much stuff.
Thanks for opening a Feature Request.
Regards,
Thomas
10-17-2019 04:54 AM
So,
what would help? Defining an exclusion with several parameters?
Including:
- Path of the Process, Process name
- Hash and Signer
- Source where the file is downloaded from
Looks easy, but it is much more development effort. The question is where to enforce it.
- Endpoint: We have to define how big the time window is that the endpoint can monitor, AND what the performance/resource impact on the endpoint is.
- Backend: Changing the whole logic. This must be done for every customer, because exclusions will be different.
- We also need some kind of "plausibility check" to avoid impacts in the backend based on wrongly defined exclusions.
But finally, something which should be included in the product.
Cheers,
Thorsten
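Thorsten's proposed multi-parameter exclusion (process path, hash and signer, download source) applied to the download-and-execute command line from the original post, as an added Python example that is not from the thread or from Cisco AMP. The event record format, its signer field and the sample script bytes are assumptions; the plausibility check rejects any rule with an empty field, since such a rule would silence every download-and-execute event.

```python
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Matches the download-and-execute form quoted in the original post:
# iex ((New-Object System.Net.WebClient).DownloadString('https://host/x.ps1'))
DOWNLOAD_RE = re.compile(r"DownloadString\(\s*'([^']+)'\s*\)", re.IGNORECASE)

@dataclass
class Exclusion:
    process_path: str   # full path of the launching process
    script_sha256: str  # SHA-256 of the script content that is allowed
    signer: str         # expected signer of that script (assumed field)
    source_host: str    # host the script may be downloaded from

def plausible(rule: Exclusion) -> bool:
    """Plausibility check: a rule with an empty field would be far too broad."""
    fields = (rule.process_path, rule.script_sha256, rule.signer, rule.source_host)
    return all(fields) and len(rule.script_sha256) == 64

def download_host(command_line: str):
    # Host named in the DownloadString() call, or None if the pattern is absent.
    m = DOWNLOAD_RE.search(command_line)
    return urlparse(m.group(1)).hostname.lower() if m else None

def is_excluded(event: dict, rule: Exclusion) -> bool:
    """True only when ALL parameters match; any mismatch keeps the alert."""
    if not plausible(rule):
        return False
    script_hash = hashlib.sha256(event["script_bytes"]).hexdigest()
    return (event["process_path"].lower() == rule.process_path.lower()
            and script_hash == rule.script_sha256
            and event["signer"] == rule.signer
            and download_host(event["command_line"]) == rule.source_host.lower())

# Constructed sample data (not from the thread): script bytes plus an event record.
SCRIPT = b"Write-Host 'deploy step 1'\r\n"
RULE = Exclusion(
    process_path=r"C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe",
    script_sha256=hashlib.sha256(SCRIPT).hexdigest(),
    signer="CN=Example Corp IT",   # assumed signer name
    source_host="example.com",
)
EVENT = {
    "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com/script.ps1'))",
    "signer": "CN=Example Corp IT",
    "script_bytes": SCRIPT,
}
```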
10-22-2019 12:36 AM
Yes, the three parameters you mention are what I was initially thinking of.
If there is a need to assist in testing this, I would be happy to help.
Regards,
Thomas
10-23-2019 02:45 AM
Hello @thomas.methlie,
The only way today is getting in contact with your Cisco Representative to open a Feature Request.
Greetings,
Thorsten
10-16-2019 04:47 AM
Opened a Feature Request for you.
Greetings,
Thorsten
11-14-2019 12:43 PM
We're waiting with bated breath for this feature to come out as we have the same problem. We use powershell to deploy all our stuff and it triggers Cisco AMP on a weekly basis with false positives. It's causing alert fatigue for our analysts but we don't want to exclude ALL powershell.exe as some of them might in fact be malicious. Please please please give us this new feature that allows exclusions on specific powershell scripts.
Thanks!
11-14-2019 01:28 PM
Radek
12-15-2020 10:41 AM
Can you elaborate? Where/how can we exclude by IOC?
04-05-2021 10:39 AM
What is the feature request number? Roadmap timing for this?
04-06-2021 02:22 AM
Hello,
This Feature Request is an internal one and not publicly viewable. You may get in touch with your Cisco representative to get more insights into upcoming features in the product.
As the roadmap can always get updated, we do not publish this information in the community.
Greetings,
Thorsten
10-18-2022 05:52 AM
I saw the feature request was going in in 2019. Any update on it?
