Hello,
We have a .lnk file being pushed out by GPO that AMP has been blocking. AMP has been flagging it as Heur.BZC.ONG.Boxter.331.47822C71 and quarantining it.
I have been whitelisting it but noticed that in AMP the .lnk file has a different SHA name each time it gets quarantined. I'm guessing that's why it keeps getting blocked.
I did select the actual .lnk file name and add it to the whitelist, but I'm assuming it's the same issue with the SHA names.
Is there any other way to add a file to the whitelist that doesn't look at the SHA names?
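Added example, not part of the original thread: a hash-based allowlist entry only matches a copy whose bytes are identical, so a shortcut that differs even slightly from one client to the next gets a new SHA-256 every time. The script below parses the 76-byte ShellLinkHeader of a Windows .lnk file (layout per the public MS-SHLLINK specification), hashes two copies, and reports which header fields account for the difference. The two sample headers are constructed here and are not the poster's file; in them only the embedded target timestamps differ, which is one plausible reason two otherwise identical shortcuts hash differently, but the actual cause in a given deployment has to be confirmed by running the comparison on the real quarantined copies.

```python
"""Compare two copies of a Windows .lnk shortcut and show which header fields differ.

Layout follows the MS-SHLLINK ShellLinkHeader (76 bytes). All sample bytes below
are constructed for illustration, not captured from a real deployment.
"""
import hashlib
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C  # 76 bytes
# CLSID 00021401-0000-0000-C000-000000000046 as it appears on disk (little-endian first three groups)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
_FMT = "<I16sIIQQQIIIHHII"  # packs exactly 76 bytes in field order

# (name, offset, length) of every ShellLinkHeader field, in file order.
HEADER_FIELDS = [
    ("HeaderSize", 0, 4), ("LinkCLSID", 4, 16), ("LinkFlags", 20, 4),
    ("FileAttributes", 24, 4), ("CreationTime", 28, 8), ("AccessTime", 36, 8),
    ("WriteTime", 44, 8), ("FileSize", 52, 4), ("IconIndex", 56, 4),
    ("ShowCommand", 60, 4), ("HotKey", 64, 2), ("Reserved1", 66, 2),
    ("Reserved2", 68, 4), ("Reserved3", 72, 4),
]

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100-ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - _FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def build_header(link_flags, file_attributes, created, accessed, written,
                 file_size, show_command=1):
    """Assemble a constructed 76-byte ShellLinkHeader (SW_SHOWNORMAL = 1)."""
    return struct.pack(_FMT, HEADER_SIZE, LINK_CLSID, link_flags, file_attributes,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(written), file_size, 0, show_command,
                       0, 0, 0, 0)


def parse_header(data: bytes) -> dict:
    """Decode the header of a .lnk file; raises if the magic size/CLSID are absent."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link header")
    parsed = dict(zip([f[0] for f in HEADER_FIELDS], struct.unpack(_FMT, data[:HEADER_SIZE])))
    for ts in ("CreationTime", "AccessTime", "WriteTime"):
        parsed[ts] = filetime_to_datetime(parsed[ts])
    return parsed


def differing_fields(a: bytes, b: bytes) -> list:
    """Header fields whose bytes differ; 'body' is added if anything after the header differs."""
    names = [name for name, off, length in HEADER_FIELDS if a[off:off + length] != b[off:off + length]]
    if a[HEADER_SIZE:] != b[HEADER_SIZE:]:
        names.append("body")
    return names


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare(a: bytes, b: bytes) -> dict:
    """Summarise why two shortcut files do or do not share a SHA-256."""
    return {
        "same_sha256": sha256_hex(a) == sha256_hex(b),
        "differing_fields": differing_fields(a, b),
    }


# Constructed sample: identical target flags, attributes and size; different timestamps.
# LinkFlags 0x9B = IsUnicode|HasWorkingDir|HasRelativePath|HasLinkInfo|HasLinkTargetIDList
_T1 = datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc)
_T2 = datetime(2023, 3, 2, 14, 30, tzinfo=timezone.utc)
COPY_A = build_header(0x9B, 0x20, _T1, _T1, _T1, 1024)  # 0x20 = FILE_ATTRIBUTE_ARCHIVE
COPY_B = build_header(0x9B, 0x20, _T2, _T2, _T2, 1024)

if __name__ == "__main__":
    # To check real files instead, read them with open(path, "rb").read() and pass the bytes.
    print(sha256_hex(COPY_A))
    print(sha256_hex(COPY_B))
    print(compare(COPY_A, COPY_B))
```

Running it on two real quarantined copies (read the files in binary mode and pass the bytes to `compare`) tells you whether the variance sits in the header timestamps, in the link target data after the header, or both; that is also useful detail to include when reporting the detection to the vendor, since it explains why a single-hash allowlist entry cannot cover every copy.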
Hello,
Based on the detection name, the files in question are detected by the TETRA engine (a signature-based engine, like traditional AVs). To confirm that, you can check the details in Device Trajectory; it should display which engine was involved. Please refer to the example from my lab:
The best way to address that is to open a ticket with Talos and provide the sample plus the engine that detected the file, at https://talosintelligence.com/tickets
Once they review the file and confirm it is a false positive, files with the same file properties should no longer be detected by Secure Endpoint.
-Wojciech
It was detected by Tetra. I opened a ticket but it was asking for the SHA name, which is dynamic. So we'll see what happens.
Update: Talos closed my case and marked it as no change. They stated that AMP is not blocking the file and I should open a TAC case. This is odd because I can watch AMP quarantine the file in real time when I try to deploy it.
I guess I'll see what TAC says.