05-03-2018 05:53 AM - edited 03-08-2019 05:47 PM
The most consistent false positive I get in AMP for Endpoints is .tmp files from Outlook. Here is an example below. I'd like to be able to create some kind of exclusion to ignore this type of event. My thought was to make a process exclusion for Outlook, but I'm not sure how much that opens me up to ignoring actual malware events. If a user has a malicious attachment in an email and opens it, the activation would be associated with some other process other than Outlook, correct?
Thanks in advance
Detected Doc.
Created by OUTLOOK.
The file was not quarantined. Quarantined event missing.
File full path: C:\
Parent file age: 10 seconds.
Parent process id: 7296.
Parent process SID: S-1-5-21-3884477466-3354684103-1223720769-17275.
Detected by the SHA engines.