cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1952
Views
0
Helpful
6
Replies
Marius Gunnerud
VIP Advisor

Issues excluding a custom application from being scanned

As the title  says, I am having problems excluding a custom application from being scanned.  I have added the file path with a wild card (*) as well as the .exe file location (just for testing) without success.  Once the application is installed it is scanned and some components deleted.  the install location is under "Users" and not Program Files.  I am starting to think that it is installing some files elsewhere as well.

C:\Users\*\Mapis Data Input Tool

Any ideas what might be going wrong? is my syntax incorrect for the exclusion? or perhaps I should be placing this under Path instead of Wildcard?

--
Please remember to select a correct answer and rate helpful posts
6 REPLIES 6
aledipas
Cisco Employee

The exclusion looks like a valid wildcard. Be sure that your endpoint policy has actually updated and has the exclusion you have added to your list (you can check this under the settings in the UI).

If you have any detection events you will want to compare those against you exclusion to be sure that multiple paths aren't in use.

Thanks

george.seah
Beginner

Hello Marius,

For application whitelisting, it will be better if you define under Outbreak Control > Application Control - Whitelisting. Upload the application file into the Cloud Console or you may add the SHA-256 value manually for file exclusion.

Thank you for your replies and suggestions.  I wont be able to test any of this until Monday, but will get back to you then with an update.

--
Please remember to select a correct answer and rate helpful posts

I tried adding the SHA value under application control whitelisting but did not work.  what happens is that I install the program via a .exe file and then once installed and I try to run it, it gets blocked.

I hope to get some more time tomorrow to test possible solutions.

--
Please remember to select a correct answer and rate helpful posts

Marius,

Were you able to perform additional testing and check the detection events as Alex suggested?  

Thanks,

-Matt

I have not yet had time to check the detection events.  I have however added the two sha values that were shown as blocked to whitelist. without any success.

I have been swamped with other cases which have taken priority over this so I will be coming back to this once the load lightens.

--
Please remember to select a correct answer and rate helpful posts
Create
Recognize Your Peers
Content for Community-Ad