cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1043
Views
5
Helpful
3
Replies
itguy1024
Beginner

Whitelist file that has a dynamic SHA name

Hello,

 

We have a .lnk file being pushed out by GPO that AMP has been blocking. AMP has been flagging it as Heur.BZC.ONG.Boxter.331.47822C71 and quarantining it.
I have been whitelisting it but noticed that in AMP the .lnk file has a different SHA name each time it gets quarantined. I'm guessing that's why it keeps getting blocked.
I did select the actual file .lnk file name and add to whitelist but assuming it's the same issue with the SHA names.

Is there any other way to add a file to the whitelist that doesn't look at the SHA names?

3 REPLIES 3
Wojciech Cecot
Cisco Employee

Hello,

Based on the detection name, files in question are detected by TETRA engine (signature based engine, like traditional AVs) - to confirm that, you can check details in Device Trajectory - it should display which engine was involved. Please refer to example from my lab:

Screenshot 2021-09-14 at 13.10.41.png

The best way to address that -> open ticket with Talos and provide sample + engine that detected file under https://talosintelligence.com/tickets

Once they will review the file and confirm it is False Positive, all files with the same file properties should not be detected by Secure Endpoint anymore.

-Wojciech

It was detected by Tetra. I opened a ticket but it was asking for the SHA name, which is dynamic. So we'll see what happens.

itguy1024
Beginner

Update: Talos closed my case and marked it as no change. They stated that AMP is not blocking the file and I should open a TAC case. This is odd because I can watch AMP quarantine the file in real time when I try to deploy it.
I guess I'll see what TAC says.

Create
Recognize Your Peers
Content for Community-Ad