Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1527
Views
0
Helpful
1
Replies

Reverse AMP File Conviction

ITGuyCSI25
Level 1
Level 1

‎05-21-2021 08:31 AM

Hey People,

 

My Engineering department makes custom applications, and uses GIT sources for applications. Most of the time they're doing things as will, and AMP is convicting these applications as Malicious before I can whitelist the applications. How can i reverse the convictions? Adding the applications to the application allowed list doesn't stop the AMP from blocking them and quarantining the applications.

 

Any help would be appreciated, thanks.

Labels:
0 Helpful
1 Reply 1

ppreenja
Cisco Employee
Cisco Employee

‎06-03-2021 02:06 AM

Hello,

 

You might need to check on the event details to see which engine (such as MAP or Exprev etc.) is blocking the application.

You can try and make any of the below methods to avoid any conviction for the files:

 

  • Scan Exclusions: Files/Path is not scanned, not hashed - related to any engine doing file scanning. 
  • Process Exclusion: Anything done by a running process is not scanned. 
  • Application Whitelisting: has an impact on two things
    • Behavioral Engines (e.g. Machine Learning) exclude the hash
    • The connector does no cloud lookup for the hash
  • Engine specific process exclusions: The exclusion works for a specific engine

 

I hope the above helps.

 

Cheers,

Pratham

0 Helpful
Customers Also Viewed These Support Documents