01-29-2016 09:26 AM - edited 02-20-2020 09:00 PM
I have a question about blocking an executable with our defined Application Blocking rule/list. If I have a file called UpdateTask.exe and it is located in a user profile \.....\.....; will it block the application at its file location, or will it block any executable that has the name UpdateTask.exe? I ask because this issue can exist with the uninstall.exe files as well. I do not want to add this exe to the block list if it includes all of them as opposed to the ones located in the file path. Basically, just in case I am not clear, I do not want to block a legitimate updatetask.exe or uninstall.exe file; I only want to block those that are associated with a malicious application's path. I hope I am being clear enough; if not, please ask and I will try to word it better.
02-06-2017 07:19 AM
Please refer to the URLs below for the User Guide.
http://www.cisco.com/c/dam/en/us/td/docs/security/sourcefire/fireamp/fireamp-cloud/FireAMPUserGuide.pdf
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AMP-Config.html
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AMP-Config.pdf
Hope this helps.
02-06-2017 11:09 AM
So, in reference to the articles you have pointed me to, you are relying on there being no collisions in SHA-256 between one you mark as malware and one that may be safe from a legitimate application. I already read these prior to my question, and I was hoping for a little more insight, if there is any, on how AMP for EP may be able to distinguish between these possible issues, even if they are negligible at best/worst. :) Thanks for your reply.
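The distinction the thread turns on is what a block-list entry is keyed on: the SHA-256 of the file's contents, or the file's name/path. The following is an added illustration, not code from the original thread and not AMP's own implementation; it builds both kinds of list over constructed stand-in files (the paths, contents and the helper names `evaluate`, `build_hash_blocklist`, `build_name_blocklist` are all assumptions made for the example) and shows which files each kind matches.

```python
import hashlib
import ntpath

# Constructed sample "files": Windows path -> contents. These are stand-ins,
# not real binaries, and every path here is hypothetical.
MALICIOUS = b"MZ\x90\x00 constructed malicious updater payload"
LEGIT = b"MZ\x90\x00 constructed legitimate vendor updater"

SAMPLE_FILES = {
    # the copy the OP wants to block, sitting in a user profile
    r"C:\Users\alice\AppData\Roaming\BadApp\UpdateTask.exe": MALICIOUS,
    # a legitimate vendor file that happens to share the filename
    r"C:\Program Files\GoodVendor\UpdateTask.exe": LEGIT,
    # the same malicious bytes renamed and dropped elsewhere
    r"C:\Users\bob\Downloads\harmless-name.exe": MALICIOUS,
}


def sha256_hex(data):
    """SHA-256 of the file contents, hex encoded (64 chars)."""
    return hashlib.sha256(data).hexdigest()


def build_hash_blocklist(files, blocked_paths):
    """Content-hash list: stores only the SHA-256 of each submitted file,
    so neither the filename nor the path is part of the rule."""
    return {sha256_hex(files[p]) for p in blocked_paths}


def build_name_blocklist(files, blocked_paths):
    """Filename list, shown for contrast: stores only the basename."""
    return {ntpath.basename(p).lower() for p in blocked_paths}


def hash_blocked(blocklist, files, path):
    return sha256_hex(files[path]) in blocklist


def name_blocked(blocklist, path):
    return ntpath.basename(path).lower() in blocklist


def evaluate(files, blocked_paths):
    """Return {path: (blocked_by_hash, blocked_by_name)} for every sample file
    after submitting `blocked_paths` to both kinds of list."""
    hb = build_hash_blocklist(files, blocked_paths)
    nb = build_name_blocklist(files, blocked_paths)
    return {p: (hash_blocked(hb, files, p), name_blocked(nb, p)) for p in files}


if __name__ == "__main__":
    bad = r"C:\Users\alice\AppData\Roaming\BadApp\UpdateTask.exe"
    for path, (by_hash, by_name) in evaluate(SAMPLE_FILES, [bad]).items():
        print(f"{path}\n  hash-based: {by_hash}   name-based: {by_name}")
```

With the user-profile copy submitted, the hash-keyed list blocks it and the renamed copy of the same bytes, but not the vendor's UpdateTask.exe, because that file's contents hash differently; the name-keyed list does the opposite, over-blocking the vendor file and missing the renamed copy. The flip side of content hashing, which is the practical caveat rather than a collision: any change to the malicious file's bytes (a rebuild, a repack) yields a new hash that the existing entry will not match.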