cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

457
Views
0
Helpful
3
Replies
simon.fuller
Beginner

When I build a new .exe CISCO Secure Endpoint quarantines the new .exe

I'm a developer, when I compile/link a new programs (.exe) using Visual Studio, the new .exe is built, but CISCO Secure Endpoint quarantines (deletes) the new .exe
What do I have to ask my IT department to do to allow me to build new .exe files for my work?
Maybe I should just remove CISCO Secure Endpoint if it can't allow developers to do their work.
But then IT might have find another application to do security.
I think whitelisting is a vitally important security feature, but I don't think the authors of CISCO Secure Endpoint have really thought through the implementation for developers.

 

2 ACCEPTED SOLUTIONS

Accepted Solutions
Brian Sak
Cisco Employee

This behavior is unexpected.  Unless it detects the newly create executable as a threat, it shouldn't quarantine it.  In your AMP for Endpoints Connector there should be a log that shows why a specific file was deleted/quarantined.  If it's misclassifying your new executable, you can have your IT department omit specific directories that you can then use to create and build your new apps.

View solution in original post

Agreed, this seems like a false positive.  The administrator of your AMP installation can either put in an exemption for that particular threat or they can exempt your working directory altogether.  More details can be found here: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215418-configure-and-manage-exclusions-in-cisco.html

View solution in original post

3 REPLIES 3
Brian Sak
Cisco Employee

This behavior is unexpected.  Unless it detects the newly create executable as a threat, it shouldn't quarantine it.  In your AMP for Endpoints Connector there should be a log that shows why a specific file was deleted/quarantined.  If it's misclassifying your new executable, you can have your IT department omit specific directories that you can then use to create and build your new apps.

simon.fuller
Beginner

Hi Brian,
The CISCO Secure Endpoint logs indicate:
Detection Name: Gen:Variant.Bulz.372626
File Path:
Installed By: C:\Program Files(x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Roslyn\VBCSCompiler.exe
It's a simple command line program that writes a text argument to a log file.
WhiteListing is a really important security feature, but it has to allow programmers to create new programs.
Most IT support staff, don't every write their own programs, so they don't really understand how new programs get made. (Hint: They don't grow by themselves on a Cloud farm)

[cid:image001.png@01D82D79.6E114D30]
Si

Agreed, this seems like a false positive.  The administrator of your AMP installation can either put in an exemption for that particular threat or they can exempt your working directory altogether.  More details can be found here: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215418-configure-and-manage-exclusions-in-cisco.html

Create
Recognize Your Peers