Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11338
Views
25
Helpful
21
Replies

exclude/whiteliste certain powershell commands

Go to solution
thomas.methlie
Level 1
Level 1

‎10-11-2019 01:31 AM - edited ‎02-20-2020 09:11 PM

Admins being admins like to use powershell to solve certain task. To do this they will often run a powershell file downloaded from a server, i.e:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com/script.ps1'))

This being an obvious red flag triggers AMP, but gives a lot of false positives in this case. 

 

Is there any way to exclude/whitelist something like this? Like the full command with arguments, the server from which it downloads??

 

Regards,

Thomas

8 people had this problem
Labels:
0 Helpful
21 Replies 21

Go to solution
Ken Stieers
VIP
VIP
In response to Davedog

‎10-18-2022 06:25 AM

They know its an issue, it was talked about at a CAB/Forum I was at recently. I feel like its "coming soon", but honestly can't remember if there was a date or version mentioned...

But they know it creates false positives and know that's an issue.

Ken
0 Helpful

Go to solution
SebastianF
Level 1
Level 1
In response to Troja007

‎03-17-2022 05:49 AM

Hi,

is there any new information on this feature request? 
Has this already been implemented?

Thanks for response

0 Helpful

Go to solution
MichaelErana
Level 1
Level 1

‎10-12-2022 05:08 AM

Ping on this topic. I'm also looking for a way to use command parameter content to form an exclusion. In my case the offending command is:

C:\WINDOWS\system32\cmd.exe /d /c C:\Program Files (x86)\ThousandEyes\Endpoint Agent\te-chromehelper.exe chrome-extension://obdencanbejmhpbikpcgkdflkffifoof/ --parent-window=0 < \\.\pipe\LOCAL\edge.nativeMessaging.in.43b0764b69528ed5 > \\.\pipe\LOCAL\edge.nativeMessaging.out.43b0764b69528ed5

I'd love to be able to wildcard and use the "ThousandEyes" portion of the command parameter for the exclusion.

 

0 Helpful

Go to solution
Troja007
Cisco Employee
Cisco Employee
In response to MichaelErana

‎10-12-2022 05:30 AM

Hello @MichaelErana ,
feature is under development. You may ping your Cisco representative for more details. We do not share Roadmap information here in the community. 
Thanks and Greetings,
Thorsten

Go to solution
sdawson14
Level 1
Level 1

‎09-27-2023 02:55 AM

Hey, we don't have a cisco rep but this feature request has been open since 2019, any news on when it's actually going to be released? I can make these exclusions in every other product apart from AMP and it's causing a lot of noise. Does it really take almost 4 years to develop this feature? 

0 Helpful

Go to solution
mcolford
Level 1
Level 1

‎06-27-2024 05:24 AM

Any update on this feature? Experiencing the same problem.

0 Helpful

Go to solution
dstaudt
Cisco Employee
Cisco Employee
In response to mcolford

‎06-27-2024 09:51 AM

From what I can tell, you can create an exclusion for the suspect behaviour, e.g.:

dstaudt_0-1719506558141.png

However, I don't see a way to qualify that further by specific command line parameters given to the process.
Some thoughts:
* Would it be enough to create an exclusion for the specific admin user/group?  I.e. powershell+dstaudt is excluded?
* Perhaps automation could be written to use the AMP APIs to apply a generic exclusion (e.g. the IOC exclusion pictured above), then remove it once the admin's work is done?
* Find some way to localize the needed functionality into a specific executable that only the designated admin/group can run, maybe copy powershell executable to a new file in a different path that can be excluded?  Create an executable - in Python/C#/compiled PS - that does only the thing needed, and exclude that?

0 Helpful
Customers Also Viewed These Support Documents