When I build a new .exe CISCO Secure Endpoint quarantines the new .exe

simon.fuller
Level 1

I'm a developer. When I compile/link a new program (.exe) using Visual Studio, the new .exe is built, but CISCO Secure Endpoint quarantines (deletes) the new .exe.
What do I have to ask my IT department to do to allow me to build new .exe files for my work?
Maybe I should just remove CISCO Secure Endpoint if it can't allow developers to do their work.
But then IT might have to find another application to do security.
I think whitelisting is a vitally important security feature, but I don't think the authors of CISCO Secure Endpoint have really thought through the implementation for developers.

 

3 Replies

Brian Sak
Cisco Employee

This behavior is unexpected.  Unless it detects the newly created executable as a threat, it shouldn't quarantine it.  In your AMP for Endpoints Connector there should be a log that shows why a specific file was deleted/quarantined.  If it's misclassifying your new executable, you can have your IT department omit specific directories that you can then use to create and build your new apps.

simon.fuller
Level 1
Hi Brian,
The CISCO Secure Endpoint logs indicate:
Detection Name: Gen:Variant.Bulz.372626
File Path:
Installed By: C:\Program Files(x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Roslyn\VBCSCompiler.exe
It's a simple command line program that writes a text argument to a log file.
Whitelisting is a really important security feature, but it has to allow programmers to create new programs.
Most IT support staff don't ever write their own programs, so they don't really understand how new programs get made. (Hint: They don't grow by themselves on a Cloud farm)

Si

Agreed, this seems like a false positive.  The administrator of your AMP installation can either put in an exemption for that particular threat or they can exempt your working directory altogether.  More details can be found here: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215418-configure-and-manage-exclusions-in-cisco.html
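The two accepted replies above leave the developer with a request to make of the AMP/Secure Endpoint administrator: either a threat exclusion for the specific detection or a path exclusion for the build location. A path exclusion is the bigger security trade-off, because anything any process writes into an excluded folder is never scanned, so the folder should be the dedicated build output directory rather than the whole working tree, user profile or Temp. The PowerShell below is an added example, not code from the thread or from Cisco: it sanity-checks a proposed exclusion path for over-broad scope and hashes the freshly built binaries so the administrator can exclude or report the exact file by SHA-256 (the identifier Secure Endpoint uses for file events) instead of opening up a folder. `$BuildRoot` and the `C:\Dev\LogWriter\bin\Release` path are assumptions standing in for the poster's project; the exclusion itself is still entered in the Secure Endpoint console by the administrator.

```powershell
# Added example (not from the thread or from Cisco). Assumed build output
# folder for the poster's console program; change to the real one.
$BuildRoot = 'C:\Dev\LogWriter\bin\Release'

function Test-ExclusionScope {
    <#
      Checks whether a proposed path exclusion is narrow enough to request.
      Flags drive roots, the whole user profile, Downloads, Temp and
      ProgramData: all writable by ordinary processes, so excluding them
      creates a permanent scanning blind spot rather than a developer carve-out.
      Returns an object with Narrow = $true when no problem was found.
    #>
    param([Parameter(Mandatory)][string]$Path)

    $full    = [System.IO.Path]::GetFullPath($Path).TrimEnd('\')
    $reasons = @()

    if ($full -match '^[A-Za-z]:$') { $reasons += 'drive root' }

    $broadLocations = @(
        $env:USERPROFILE,
        $env:TEMP,
        $env:ProgramData,
        (Join-Path $env:USERPROFILE 'Downloads')
    )
    foreach ($broad in $broadLocations) {
        if ($broad -and ($full -ieq $broad.TrimEnd('\'))) {
            $reasons += "matches broad location $broad"
        }
    }

    # Fewer than two folder levels below the drive (e.g. C:\Dev) is still
    # usually the whole working tree, not a build output folder.
    if ($full.Split('\').Count -lt 3) { $reasons += 'fewer than two folder levels deep' }

    [PSCustomObject]@{
        Path    = $full
        Narrow  = ($reasons.Count -eq 0)
        Reasons = ($reasons -join '; ')
    }
}

function Get-BuildArtifactReport {
    <#
      Hashes every .exe/.dll under the build folder so the administrator can
      act on the exact file (threat/hash exclusion or false-positive report)
      instead of excluding the directory.
    #>
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
            [PSCustomObject]@{
                File   = $_.FullName
                SHA256 = $h.Hash
                Bytes  = $_.Length
                Built  = $_.LastWriteTime
            }
        }
}

# Narrow request: the dedicated build output folder.
Test-ExclusionScope -Path $BuildRoot

# Over-broad request that the administrator should refuse.
Test-ExclusionScope -Path $env:USERPROFILE

# What to attach to the request: per-file SHA-256 of the build output.
Get-BuildArtifactReport -Root $BuildRoot | Format-Table -AutoSize
```

Run it from the developer's machine after a build; the first call should report `Narrow = True`, the second `Narrow = False` with the reason, and the table gives the administrator the hashes to use for a file-level exclusion or a false-positive submission. Because the build writes a new binary with a new hash on every compile, a hash-level exclusion only covers one build; the durable fix is a path exclusion limited to the build output folder, which is what `Test-ExclusionScope` is meant to keep honest.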