Cisco Secure Endpoint (AMP) - Creating Exclusions & Allowed Applications

This article documents the Exclusion and Allow Listing processes within the Secure Endpoint (AMP) console, as well as detailing some typically used exclusions for Windows and Mac.


Note: Creating and editing exclusions requires access to the Secure Endpoint console. Secure Endpoint console access is reserved for campus information technology administrators and not campus end users. If you are interested in deploying Secure Endpoint and are not an IT administrator, contact cybersecurity@cio.wisc.edu to learn about your options.

The Secure Endpoint Console allows the manager of a group to create Exclusions and Allow Lists to help reduce false positives.

  • Exclusions:

    • Exclusions tell Secure Endpoint not to scan, flag, or convict activity originating from certain directories, file extensions, or threat names. These can be used to resolve conflicts with other security products or mitigate performance issues by excluding directories containing large files that are frequently written to (such as databases).

      • Exclusion Types Available:

      • Threat: Threat exclusions let you exclude a particular threat name from triggering events. You should only ever use a Threat exclusion if you are certain that the events are the result of a false-positive detection. In that case, use the exact threat name from the event as your Threat exclusion.
        Example: W32.Zombies.NotAVirus

• Path: Path exclusions are the most frequently used, as application conflicts usually involve excluding a directory you do not wish to be scanned. These exclusions can be especially helpful in reducing Secure Endpoint's CPU load when paired with Process - File Scan exclusions. You can create a path exclusion using an absolute path or a CSIDL. You cannot use wildcards or variables such as %windir% with CSIDLs, and CSIDLs are case sensitive.
        Example: CSIDL_PROGRAM_FILES\MyAntivirusAppDirectory

• Wildcard: Wildcard exclusions are the same as path or extension exclusions except that you can use an asterisk character as a wildcard. Do NOT begin an exclusion with a wildcard; this degrades performance greatly. Instead, use the "Apply to all drive letters" checkbox.
        Example: C:\*\BigFix Enterprise\BES Client\BESClient.exe

      • File Extension: File extension exclusions allow you to exclude all files with a certain extension. For example, you might want to exclude all Microsoft Access database files by creating the following exclusion: .mdb

      • Process - File Scan (Windows only): Process - File Scan exclusions stop Secure Endpoint from scanning a specific process and all the files it writes and modifies. This can be an incredibly useful tool for reducing Secure Endpoint's CPU load on machines in your environment, especially if you know of benign programs Secure Endpoint is scanning that don't need to be scanned. Programs that benefit the most from this exclusion are generally high input/output (I/O) processes, like endpoint management software (BigFix). Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.

      • Process - Malicious Activity (Windows only): Process - Malicious Activity exclusions stop Secure Endpoint from interfering with a program that triggers Secure Endpoint's "Malicious Activity" conviction mode. This is normally applicable to programs that perform encryption and/or might look like ransomware according to Secure Endpoint's heuristics. Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.

      • Process - System Process (Windows only): Process - System Process exclusions stop Secure Endpoint from interfering with a specific program that triggers Secure Endpoint's "System Process Protection" conviction mode. This is normally applicable to programs that interact with critical Windows processes and may appear to be interfering or injecting malicious/unwanted code according to Secure Endpoint's heuristics. For example, Spirion (Identity Finder) can sometimes trigger System Process Protection alerts, despite being a benign process. Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.

      • Process - Behavioral Protection (Windows only): Process - Behavioral Protection exclusions stop Secure Endpoint from interfering with specific processes that trigger Secure Endpoint's "Behavioral Protection" conviction mode. This is normally applicable to programs that make registry entries or run commands that are commonly associated with "living off the land" attacks (attacks using pre-existing tools like PowerShell rather than actual malware). Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.

      • Adding exclusions to an existing exclusion set:

      • Log in to the Secure Endpoint console, click the Management dropdown, and select Exclusions.

      • Select the exclusion set you wish to edit, click it to expand it, and click Edit.

      • To add a new exclusion to the exclusion set, select the Add Exclusion button.

      • A new, blank exclusion line should appear in the set. Choose the exclusion type from the dropdown that appears. The types are as follows:

      • Threat: Threat exclusions let you exclude a particular threat name from triggering events. You should only ever use a Threat exclusion if you are certain that the events are the result of a false-positive detection. In that case, use the exact threat name from the event as your Threat exclusion.
        Example: W32.Zombies.NotAVirus

      • Path: Path exclusions are the most frequently used, as application conflicts usually involve excluding a directory you do not wish to be scanned. These exclusions can be especially helpful in reducing Secure Endpoint's CPU load when paired with Process - File Scan exclusions. You can create a path exclusion using an absolute path or a CSIDL. You cannot use wildcards or variables such as %windir% with CSIDLs, and CSIDLs are case sensitive.
        Example: CSIDL_PROGRAM_FILES\MyAntivirusAppDirectory

      • Wildcard: Wildcard exclusions are the same as path or extension exclusions except that you can use an asterisk character as a wild card.
        Example: /Users/*/Documents/Virtual Machines/
         
      • File Extension: File extension exclusions allow you to exclude all files with a certain extension. For example, you might want to exclude all Microsoft Access database files by creating the following exclusion: .mdb

      • Process - File Scan: Process - File Scan exclusions stop Secure Endpoint from scanning a specific process and all the files it writes and modifies. This can be an incredibly useful tool for reducing Secure Endpoint's CPU load on machines in your environment, especially if you know of benign programs Secure Endpoint is scanning that don't need to be scanned. Programs that benefit the most from this exclusion are generally high input/output (I/O) processes, like endpoint management software (BigFix). Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.

      • Process - Malicious Activity: Process - Malicious Activity exclusions stop Secure Endpoint from interfering with a program that triggers Secure Endpoint's "Malicious Activity" conviction mode. This is normally applicable to programs that perform encryption and/or might look like ransomware according to Secure Endpoint's heuristics. Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.

      • Process - System Process: Process - System Process exclusions stop Secure Endpoint from interfering with a specific program that triggers Secure Endpoint's "System Process Protection" conviction mode. This is normally applicable to programs that interact with critical Windows processes and may appear to be interfering or injecting malicious/unwanted code according to Secure Endpoint's heuristics. For example, Spirion (Identity Finder) can sometimes trigger System Process Protection alerts, despite being a benign process. Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.

      • Process - Behavioral Protection: Process - Behavioral Protection exclusions stop Secure Endpoint from interfering with specific processes that trigger Secure Endpoint's "Behavioral Protection" conviction mode. This is normally applicable to programs that make registry entries or run commands that are commonly associated with "living off the land" attacks (attacks using pre-existing tools like PowerShell rather than actual malware). Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.

      • Enter the exclusion into the blank exclusion window. For Process exclusions, it is required to specify the exact path for the executable file.

      • If you intend to add more than one exclusion to the set, you can use the Add Multiple Exclusions button. Enter a list of exclusions into the window that appears, and Secure Endpoint will automatically identify the exclusion type (there can be a mix of all types) and add them to the exclusion set.

      • Click the Save button to save changes made to the Exclusion Set.

      • The exclusions have now been added to the Exclusion Set. We recommend monitoring for alerts related to exclusions to ensure that the exclusion was entered properly.
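As an added example (not part of this article and not Cisco's console code), the following Python script mirrors the exclusion syntax rules described above: it guesses the exclusion type from the text, as the Add Multiple Exclusions window must, and flags entries that break the stated rules (a leading wildcard, wildcards or %variables% with a CSIDL, a CSIDL in the wrong case, and a Process exclusion that is not an exact absolute path). The classification heuristics are an assumption; the console's own logic is not documented here.

```python
import re

# Assumption: a CSIDL is an uppercase CSIDL_* name, optionally followed by a subpath.
CSIDL_RE = re.compile(r"^CSIDL_[A-Z_]+(\\.*)?$")
WIN_ABS_RE = re.compile(r"^[A-Za-z]:\\")  # C:\...
POSIX_ABS_RE = re.compile(r"^/")          # /Users/... (Mac exclusion sets)


def classify(entry: str) -> str:
    """Guess the type from the text alone; assumed heuristics approximating
    what the Add Multiple Exclusions window does in the console."""
    e = entry.strip()
    if "*" in e:
        return "Wildcard"
    if e.startswith(".") and "\\" not in e and "/" not in e:
        return "File Extension"
    if WIN_ABS_RE.match(e) or POSIX_ABS_RE.match(e) or e.upper().startswith("CSIDL_"):
        return "Path"
    return "Threat"  # e.g. W32.Zombies.NotAVirus


def lint(entry: str, kind: str = "") -> list:
    """Return the article's rules that entry violates; pass kind for a
    Process exclusion, which cannot be told apart from a Path by its text."""
    e = entry.strip()
    kind = kind or classify(e)
    problems = []
    if e.startswith("*"):
        problems.append("leading wildcard degrades performance; use 'Apply to all drive letters'")
    if e.upper().startswith("CSIDL_"):
        if "%" in e or "*" in e:
            problems.append("wildcards and %variables% are not allowed with CSIDLs")
        if not CSIDL_RE.match(e):
            problems.append("CSIDLs are case sensitive; use the uppercase CSIDL_ name")
    if kind.startswith("Process") and ("*" in e or not WIN_ABS_RE.match(e)):
        problems.append("process exclusions need the exact absolute path to the executable")
    return problems


def lint_batch(text: str) -> list:
    """Check a pasted list (one exclusion per line) as Add Multiple Exclusions sees it."""
    return [(ln, classify(ln), lint(ln)) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    # Constructed sample: the article's examples plus two entries that break its rules.
    sample = ("W32.Zombies.NotAVirus\n.mdb\nCSIDL_PROGRAM_FILES\\MyAntivirusAppDirectory\n"
              "*\\BigFix Enterprise\\BES Client\\BESClient.exe\ncsidl_windows\\%windir%\n")
    for entry, kind, problems in lint_batch(sample):
        print(f"{kind:15} {entry:50} {problems or 'OK'}")
```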

      • Creating a new exclusion set:

      • Log in to the Secure Endpoint console, click the Management dropdown, and select Exclusions.

      • Click the New Exclusion Set button, set the Operating System on the pop-up that appears, and click Create.

      • Name the exclusion set, ensuring that the first 5 characters correspond with your departmental UDDS.
        Example: A0000-EPHI-Test-Exclusion-Windows

      • You will need to add at least one exclusion to finalize the creation process.

      • Select Save to create the exclusion set.

      • Applying an exclusion set to a policy:

      • Log in to the Secure Endpoint console, click the Management dropdown, and select Policies.

      • Select the policy you want to add the exclusion to and click the Edit button.

      • Click the Exclusions side tab, click the Custom Exclusions dropdown, and select your exclusion set from the list.

      • Click the Save button to save your changes.

  • Allowed Applications:

    • Allowed Application lists are used to stop Secure Endpoint from quarantining a specific file. Allow listing can be useful if Secure Endpoint incorrectly flags and quarantines a benign file.

      • Allow listing files directly from the events tab:

        • It is possible to allow list an item from the Analysis module in Secure Endpoint. If a file that you know to be safe frequently appears as suspicious or malicious in the events tab, this is a good candidate for allow listing. To allow list using this method, do the following:

        • Log in to the Secure Endpoint console, click the Analysis dropdown, and select Events.

        • Use the filter or scroll to identify an unwanted threat notice for an application or file (example: a BigFix endpoint client action flagged as malicious activity), and click on the event to reveal more detailed information.

        • In the event dropdown, there should be information regarding the file's SHA-256 value. Right-click the SHA-256 hash value, hover over Outbreak Control, then Allowed Applications, and select your UDDS' Allowed Applications list from the extended dropdown that appears. A checkmark should appear beside the Allowed List to confirm that the file has been allowed.

      • Allow listing using SHA-256 hashes or by uploading a file:

        If you have a list of SHA-256 hashes you'd like to allow, or you have a file you want to upload for allow listing, do the following:

      • Log in to the Secure Endpoint console, click the Outbreak Control dropdown, and select Allowed Applications.

      • Click the Edit button on the Allow List you'd like to add to.

      • There are three options for adding an item to the allow list: Add SHA-256, Upload File, and Upload Set of SHA-256s. See below for the steps required for each method:

        • Using the Upload Set of SHA-256s method:
        • Create a blank text document and enter the SHA-256 hashes of the files you wish to allow, one hash per line (press Enter after each hash), with no additional characters (only the hash values). Save the file.

        • Under the Upload Set of SHA-256s option, click the Browse button, select the text file you created, and select the blue Open button.

        • Add a note to the Note text box so that you can identify the purpose these hashes serve in the future.
        • Select the Upload button to finish the upload process. If the upload is successful there should be a blue banner at the top of the console confirming the upload. If the upload is unsuccessful, the text file is likely not formatted properly. Repeat the above steps and try again.

        • Using the Upload File method:
        • Obtain a copy of the file you'd like to allow list.
          Note: The file size must be less than 20 MB for Secure Endpoint to accept the file.
        • Under the Upload File option, click the Browse button, select the file, and select the blue Open button.
        • Add a note to the Note text box so that you can identify the reason for allowing in the future.
        • Select the Upload button to finish the upload process. If the upload is successful there should be a blue banner at the top of the console confirming the upload.

        • Using the Add SHA-256 method:
        • Obtain the SHA-256 value of the file you'd like to allow.
        • Paste the SHA-256 value under the Add SHA-256 option in the Edit Allowed Applications sidebar.
        • Add a note to the Note text box so that you can identify the reason for allowing in the future.
        • Select the Add button to add the SHA-256 to the allow list.
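As an added example (not from this article or from Cisco), the following Python helpers prepare and check the inputs the three allow-listing methods above expect: a lowercase SHA-256 of a local file for Add SHA-256, the size check for Upload File (the 20 MB limit is taken as 20 × 1024 × 1024 bytes, an assumption), and a validator for the one-hash-per-line text file used by Upload Set of SHA-256s that reports the exact line that would make the upload fail.

```python
import hashlib
import re

MAX_UPLOAD_BYTES = 20 * 1024 * 1024  # assumed reading of the article's "less than 20MB"
SHA256_LINE = re.compile(r"[0-9a-fA-F]{64}")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def upload_file_allowed(size_bytes: int) -> bool:
    """True when a file is small enough for the Upload File method."""
    return size_bytes < MAX_UPLOAD_BYTES


def validate_hash_set(text: str):
    """Check the content of a would-be Upload Set of SHA-256s file.

    Returns (hashes, errors). A line passes only if it is exactly one SHA-256 and
    nothing else; stray spaces, notes or short hashes are reported with their line
    number so the file can be fixed before upload. Duplicate hashes are kept once.
    """
    hashes, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if SHA256_LINE.fullmatch(line):
            if line.lower() not in hashes:
                hashes.append(line.lower())
        else:
            errors.append(f"line {lineno}: {line!r} is not a bare SHA-256")
    return hashes, errors


def build_hash_set(paths) -> str:
    """Produce upload-ready text from local files: one lowercase hash per line."""
    return "".join(sha256_of_file(p) + "\n" for p in paths)


if __name__ == "__main__":
    # Constructed sample: two valid hashes, then a trailing space and a comment line.
    sample = (sha256_of_bytes(b"") + "\n" + sha256_of_bytes(b"abc") + "\n"
              + sha256_of_bytes(b"abc") + " \n" + "# BESClient.exe\n")
    good, bad = validate_hash_set(sample)
    print(len(good), "usable hashes", *bad, sep="\n")
```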


Keywords: white list whitelist greenlist cisco amp recommended file paths path filepath Mac Windows Linux white list applications amp false positives green list allow list secure endpoint exceptions
Doc ID: 89648
Owner: Rachel L.
Group: Cybersecurity
Created: 2019-02-11 17:55:31
Updated: 2023-10-19 13:03:09
Sites: Cybersecurity Operations Center, DoIT Help Desk, Office of Cybersecurity