Cisco Secure Endpoint (AMP) - Creating Exclusions & Allowed Applications
Note: Creating and editing exclusions requires access to the Secure Endpoint console. Secure Endpoint console access is reserved for campus information technology administrators and not campus end users. If you are interested in deploying Secure Endpoint and are not an IT administrator, contact cybersecurity@cio.wisc.edu to learn about your options.
The Secure Endpoint Console allows the manager of a group to create Exclusions and Allow Lists to help reduce false positives.
Exclusion Types
Exclusions tell Secure Endpoint not to scan, flag, or convict activity originating from certain directories, file extensions, threat names, or processes, among other things. They can be used to resolve conflicts with other security products or to mitigate performance issues by excluding directories containing large files that are frequently written to (such as databases). Keep in mind that every exclusion is a blind spot: anything placed in an excluded path or written by an excluded process goes unscanned, so scope each exclusion as narrowly as possible, avoid excluding directories that ordinary users can write to (profile, temp, and download folders), and review your exclusions periodically to remove any that are no longer needed.
Within the Secure Endpoint console there are two categories of exclusions: Cisco-Maintained and Custom. This KB covers Custom exclusions. Cisco-Maintained exclusions are created and maintained only by Cisco; should you wish to add any of them to your policies, please contact cybersecurity@cio.wisc.edu.
Additional exclusion resources:
See Cisco's Best Practices for AMP Exclusions and Configuring and Managing Exclusions in Secure Endpoint documents for more information regarding creating exclusions, exclusion formatting, and finding files to exclude.
Custom Exclusion Types Available:
Threat: Threat exclusions let you exclude a particular threat name from triggering events. Only use a Threat exclusion if you are certain that the events are the result of a false-positive detection. In that case, use the exact threat name from the event as your Threat exclusion; the name must match exactly.
Example: W32.Zombies.NotAVirus
Path: Path exclusions are the most frequently used, as application conflicts usually involve excluding a directory you do not wish to be scanned. These exclusions can be especially helpful in reducing Secure Endpoint's CPU load when paired with Process - File Scan exclusions. You can create a path exclusion using an absolute path or a CSIDL (a Windows constant for a special folder, such as CSIDL_PROGRAM_FILES, which resolves correctly regardless of drive letter or localized folder name). You cannot use wildcards or variables such as %windir% with CSIDLs, and CSIDLs are case sensitive.
Example: CSIDL_PROGRAM_FILES\MyAntivirusAppDirectory
File Extension: File extension exclusions exclude all files with a certain extension, wherever they are on the system. For example, you might want to exclude all Microsoft Access database files by creating the following exclusion: .mdb. Because an extension exclusion is not limited to a directory, prefer a path exclusion when the files in question live in one known location.
Wildcard: Wildcard exclusions are the same as path or extension exclusions except that you can use an asterisk (*) character as a wildcard. Do NOT begin an exclusion with a wildcard; doing so degrades performance greatly. Instead, use the "Apply to all drive letters" checkbox.
Example: C:\*\BigFix Enterprise\BES Client\BESClient.exe
Executable (Windows Only): Executable exclusions exclude specific executables from being protected by Exploit Prevention. Use an executable exclusion only when you are experiencing problems or performance issues with a particular program, since the excluded program loses exploit protection entirely. This exclusion type is case sensitive: the name must match the executable exactly, and wildcards are not supported.
IOC (Windows Only): IOC exclusions allow you to exclude specific Cloud Indicators of Compromise. This can be useful if you have a custom or internal application that may not be signed and frequently triggers IOC alerts. Only exclude an IOC if you experience a large number of false-positive detections for it. The console provides a dropdown list of indicators from which you select the one to exclude.
Process - File Scan (Windows Only): Process - File Scan exclusions stop Secure Endpoint from scanning a specific process and all the files it writes and modifies. This can be an incredibly useful tool for reducing Secure Endpoint's CPU load on machines in your environment, especially if you know of benign programs that Secure Endpoint is scanning unnecessarily. Programs that benefit the most from this exclusion are generally high Input/Output processes, like endpoint management software (BigFix). Input the exact file path to the program you wish to exclude for the exclusion to apply correctly. Because every file the excluded process writes is also skipped, never apply this exclusion to general-purpose interpreters, shells, browsers, or other programs that routinely handle untrusted content.
Process - Malicious Activity (Windows Only): Process - Malicious Activity exclusions stop Secure Endpoint from interfering with a program that triggers Secure Endpoint's "Malicious Activity" conviction mode. This is normally applicable to programs that perform encryption and/or might look like ransomware according to Secure Endpoint's heuristics. Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.
Process - System Process (Windows Only): Process - System Process exclusions stop Secure Endpoint from interfering with a specific program that triggers Secure Endpoint's "System Process Protection" conviction mode. This is normally applicable to programs that interact with critical Windows processes and may appear to be interfering or injecting malicious/unwanted code according to Secure Endpoint's heuristics. For example, Spirion (Identity Finder), can sometimes trigger System Process Protection alerts, despite being a benign process. Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.
Process - Behavioral Protection (Windows Only): Process - Behavioral Protection exclusions stop Secure Endpoint from interfering with specific processes that trigger Secure Endpoint's "Behavioral Protection" conviction mode. This is normally applicable to programs that make registry entries or run commands commonly associated with "living off the land" attacks (attacks that use pre-existing tools like PowerShell rather than purpose-built malware). Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.
How to add Exclusions
Adding exclusions to an existing exclusion set:
- Log into the Secure Endpoint console, click on Management from the left sidebar and select Exclusions.
- Select the exclusion set you wish to edit, click it to expand, and click Edit.
- To add a new exclusion to the exclusion set, select the Add Exclusion button.
- A new blank exclusion line should appear in the set. Choose the exclusion type from the dropdown that appears. For the available types, see the Exclusion Types section of this KB.
- Enter your exclusion into the blank exclusion field and click Save to save your changes.
- Your exclusion has now been added to the Exclusion Set. We recommend monitoring for alerts related to exclusions to ensure that the exclusion was entered properly.
Adding more than one exclusion at a time:
- To add more than one exclusion to the set, you can use the Add Multiple Exclusions button.
- Enter a list of exclusions into the pop-up window, and Secure Endpoint will automatically identify the exclusion type (when possible) and add them to the exclusion set. This allows you to add multiple types at once.
- Click the Add Exclusions button, double-check the type the console identified for each entry, and click Save to save your work.
- Your exclusions have now been added to the Exclusion Set. We recommend monitoring for alerts related to exclusions to ensure that the exclusion was entered properly.
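Before pasting a list into Add Multiple Exclusions, it is worth checking each entry against the formatting rules given in the Exclusion Types section (exact threat names, upper-case CSIDLs without wildcards or %variables%, no leading wildcard, bare executable names for Exploit Prevention, absolute paths for Process exclusions). The following Python script is an added example, not Cisco code and not part of this KB's original content. Its type identification is a best-effort reading of the rules above, not the console's own logic; the assumption that %variables% are unsupported outside CSIDLs, and the list of "risky" user-writable locations it flags for review, are the editor's additions.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    entry: str
    kind: str    # threat | path | extension | wildcard | executable | process | unknown
    ok: bool     # False: the entry breaks a formatting rule and will not work as intended
    risky: bool  # True: the entry covers a user-writable location (a large blind spot)
    note: str


DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
ENV_VAR_RE = re.compile(r"%[^%\\]+%")
EXT_RE = re.compile(r"^\.[A-Za-z0-9]+$")
THREAT_RE = re.compile(r"^[A-Za-z0-9]+(\.[A-Za-z0-9_-]+)+$")   # e.g. W32.Zombies.NotAVirus

# Editor's assumption: locations any local user can write to.  The console
# accepts such exclusions, but malware dropped there would run unscanned.
RISKY_PREFIXES = (
    r"c:\users", r"c:\temp", r"c:\windows\temp", r"c:\programdata",
    "csidl_profile", "csidl_appdata", "csidl_local_appdata",
    "csidl_common_appdata", "csidl_internet_cache",
)


def is_risky(entry: str) -> bool:
    return entry.lower().startswith(RISKY_PREFIXES)


def classify(raw: str) -> Finding:
    """Guess the exclusion type of one line and check it against the rules above."""
    e = raw.strip()
    if not e:
        return Finding(raw, "unknown", False, False, "blank line")
    if e != raw:
        return Finding(raw, "unknown", False, False, "leading or trailing whitespace")
    if e.startswith("*"):
        return Finding(e, "wildcard", False, is_risky(e),
                       "must not begin with a wildcard; tick 'Apply to all drive letters' instead")
    if e.upper().startswith("CSIDL_"):
        if not e.startswith("CSIDL_"):
            return Finding(e, "path", False, is_risky(e), "CSIDL names are case sensitive; use upper case")
        if "*" in e or ENV_VAR_RE.search(e):
            return Finding(e, "path", False, is_risky(e), "wildcards and %variables% cannot be combined with a CSIDL")
        return Finding(e, "path", True, is_risky(e), "CSIDL-relative path")
    if e.startswith("."):
        if EXT_RE.match(e):
            return Finding(e, "extension", True, False, "file extension; applies to matching files everywhere on disk")
        return Finding(e, "extension", False, False, "an extension is a dot followed by letters and digits only")
    if ENV_VAR_RE.search(e):
        # Assumption: the connector does not expand %variables%; use a CSIDL instead.
        return Finding(e, "path", False, False, "%variables% are not supported; use a CSIDL or an absolute path")
    if DRIVE_PATH_RE.match(e):
        if "*" in e:
            return Finding(e, "wildcard", True, is_risky(e), "wildcard path")
        if e.lower().endswith(".exe"):
            return Finding(e, "process", True, is_risky(e),
                           "absolute path to an executable; pick the Process sub-type in the console")
        return Finding(e, "path", True, is_risky(e), "absolute path")
    if "\\" not in e and "*" not in e and e.lower().endswith(".exe"):
        return Finding(e, "executable", True, False, "bare executable name (Exploit Prevention); case must match exactly")
    if THREAT_RE.match(e):
        return Finding(e, "threat", True, False, "threat name; copy it exactly from the event")
    return Finding(e, "unknown", False, False, "could not identify the exclusion type; check the format")


def lint(lines: List[str]) -> List[Finding]:
    return [classify(line) for line in lines]


# Constructed sample list: the examples from this page plus common mistakes.
SAMPLE = [
    "W32.Zombies.NotAVirus",
    r"CSIDL_PROGRAM_FILES\MyAntivirusAppDirectory",
    r"csidl_program_files\MyAntivirusAppDirectory",
    r"CSIDL_WINDOWS\%windir%\Temp",
    ".mdb",
    r"C:\*\BigFix Enterprise\BES Client\BESClient.exe",
    r"*\BESClient.exe",
    r"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe",
    "BESClient.exe",
    r"%ProgramFiles%\BigFix Enterprise\BES Client\BESClient.exe",
    r"C:\Users",
]

if __name__ == "__main__":
    for f in lint(SAMPLE):
        flag = "OK " if f.ok else "BAD"
        risk = " [RISKY]" if f.risky else ""
        print(f"{flag} {f.kind:<10} {f.entry}{risk}  - {f.note}")
```

Run it against the list you intend to paste; fix every BAD line and justify every RISKY one before adding the set to a policy. The script cannot tell which Process sub-type (File Scan, Malicious Activity, System Process, Behavioral Protection) an executable path is meant for, so that choice still has to be made in the console.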
Creating a new exclusion set:
- Log into the Secure Endpoint console, click on Management from the left sidebar and select Exclusions.
- Click the New Exclusion Set button, set the Operating System on the pop-up that appears, and click Create.
- Name the exclusion set, ensuring that the first 5 characters correspond with your departmental UDDS.
Example: A0000-Department-Exclusion-Windows
- You will need to add at least one exclusion to finalize the creation process.
- Select Save to create the exclusion set. Once you create a new exclusion set you will need to apply it to a policy for it to be used by Secure Endpoint. Please see the next subsection for how to apply an exclusion set to a policy.
Applying an exclusion set to a policy:
- Log into the Secure Endpoint Console, click on Management from the left sidebar, and select Policies.
- Select the policy you want to add the exclusion to and click the Edit button.
- Click the Exclusions side tab, click the Custom Exclusions dropdown and select your exclusion from the list.
- Click the Save button to save your changes.
Allowed Applications (Greenlists)
Allowed Applications (Greenlists) are used to stop Secure Endpoint from quarantining a specific file. Allow listing can be useful if Secure Endpoint incorrectly flags and quarantines a benign file. Entries are keyed by the file's SHA-256 hash, so an allow list pins the exact contents of the file rather than its name or location; this is what makes it safer than an exclusion, since a file that has been tampered with no longer matches. It also means that ANY change to the file (an update, a rebuild, or a patch) produces a new SHA-256, which must be added to the Allow List for the file to remain allowed.
Allow listing files directly from the events tab:
It is possible to allow list an item directly from the Events view in Secure Endpoint. If a file that you know to be safe frequently appears as suspicious or malicious in the events list, it is a good candidate for allow listing. To allow list using this method, do the following:
- Log into the Secure Endpoint console, click on Events in the left sidebar
- Use the filter or scroll to identify an unwanted threat notice for an application or file (example: a BigFix endpoint client action flagged as malicious activity), and click on the event to reveal more detailed information
- In the event dropdown, there should be information regarding the file's SHA-256 value. Right click the SHA-256 hash value, hover your mouse over Outbreak Control, then Allowed Applications, and select your UDDS' Allowed Applications list from the extended dropdown that appears. A checkmark should appear beside the Allowed List to confirm that the file has been allowed.
Allow listing files from Outbreak Control:
- Log into the Secure Endpoint console, click on Outbreak Control in the left sidebar, and select Allowed Applications
- Click the Edit button on the Allow List you'd like to add to.
- From here there are three options to add an item to an Allow List: Add SHA-256, Upload File, or Upload A Set of SHA-256s. See below for the steps required for each method:
- Add SHA-256
- Obtain the SHA-256 value of the file you'd like to allow.
- Paste the SHA-256 value under the Add SHA-256 option in the Edit Allowed Applications sidebar.
- Should you wish, you may add a note to the Note text box so that you can identify the reason for allowing in the future.
- Select the Add button to add the SHA-256 to the allow list.
- Upload File
- Obtain a copy of the file you'd like to add to the allow list.
Note: The file size must be less than 20MB for Secure Endpoint to accept the file.
- Under the Upload File option, click the Browse button, select the file, and select the Open button.
- Should you wish, you may add a note to the Note text box so that you can identify the reason for allowing in the future.
- Select the Upload button to finish the upload process. If the upload is successful there should be a banner at the top of the console confirming the upload.
- Upload Set of SHA-256s
- Create a blank text document and enter the SHA-256 hashes of the files you wish to allow, one hash per line (press Enter after each hash). Ensure that the file contains nothing but the hashes: no file names, comments, blank lines, or extra whitespace. Save the file.
- Under the Upload Set of SHA-256s option, click the Browse button, select the text file you created, and select the Open button.
- Should you wish, you may add a note to the Note text box so that you can identify the reason for allowing in the future.
- Select the Upload button to finish the upload process. If the upload is successful there should be a banner at the top of the console confirming the upload. If the upload is unsuccessful, the text file is likely not formatted properly. Repeat the above steps and try again.
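The following Python script is an added example, not Cisco code and not part of this KB's original content. It produces the hash list in the exact shape the Upload Set of SHA-256s option expects (one bare lowercase hash per line), checks an existing list for the formatting mistakes that cause the upload to fail, applies the 20MB limit noted for the Upload File option, and demonstrates the caveat above: changing a single byte of an allowed file yields a different SHA-256, so the old entry no longer covers it. The file names and byte contents are constructed stand-ins written to a temporary directory so the script runs offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
CHUNK = 1 << 20                   # hash in 1 MiB chunks so large binaries are not read into memory
MAX_UPLOAD = 20 * 1024 * 1024     # the "Upload File" option only accepts files smaller than 20MB


def sha256_of(path: Path) -> str:
    """SHA-256 of a file's contents, as lowercase hex (the form the console displays)."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def fits_upload_file(path: Path) -> bool:
    return path.stat().st_size < MAX_UPLOAD


def build_hash_list(paths: Iterable[Path]) -> str:
    """Text for 'Upload Set of SHA-256s': one hash per line and nothing else."""
    return "".join(sha256_of(p) + "\n" for p in paths)


def validate_hash_list(text: str) -> Tuple[List[str], List[str]]:
    """Return (unique valid hashes, error messages) for an upload candidate.

    Anything other than a bare 64-hex-digit hash on a line makes the console
    reject the file, so every offending line is reported before uploading."""
    good: List[str] = []
    errors: List[str] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line == "":
            errors.append(f"line {n}: blank line")
        elif SHA256_RE.match(line):
            h = line.lower()
            if h in good:
                errors.append(f"line {n}: duplicate of an earlier hash")
            else:
                good.append(h)
        elif SHA256_RE.match(line.strip()):
            errors.append(f"line {n}: whitespace around the hash")
        else:
            errors.append(f"line {n}: not a bare SHA-256: {line!r}")
    return good, errors


def demo() -> Dict[str, object]:
    """Hash two constructed files, then change one byte of one of them to show
    why an allow-list entry stops matching after any change to the file."""
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d) / "InternalTool.exe"      # constructed stand-in for an unsigned in-house binary
        helper = Path(d) / "helper.dll"
        tool.write_bytes(b"MZ" + b"\x90" * 64)
        helper.write_bytes(b"constructed helper bytes")
        listing = build_hash_list([tool, helper])
        valid, errors = validate_hash_list(listing)
        before = sha256_of(tool)
        tool.write_bytes(b"MZ" + b"\x90" * 63 + b"\x91")   # a one-byte change, e.g. a rebuild
        after = sha256_of(tool)
        fits = fits_upload_file(tool)
    return {"listing": listing, "valid": valid, "errors": errors,
            "before": before, "after": after, "fits_upload": fits}


# Constructed list containing the formatting mistakes the console rejects.
BAD_LIST = "\n".join([
    "a" * 64,
    " " + "b" * 64,
    "InternalTool.exe " + "c" * 64,
    "",
    "A" * 64,
    "d" * 63,
]) + "\n"

if __name__ == "__main__":
    r = demo()
    print(r["listing"], end="")
    print("hash changed after a one-byte edit:", r["before"] != r["after"])
    for err in validate_hash_list(BAD_LIST)[1]:
        print(err)
```

Point build_hash_list at the real files, write its output to a text file, and run validate_hash_list on that file before uploading; if it reports no errors and the console still rejects the upload, check the file's encoding (plain ASCII text, no byte-order mark). Keep the listing alongside a note of which hash belongs to which file and version, since the console only shows the hash.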