topic Re: best way to add folders to malware whitelist in General Topics

best way to add folders to malware whitelist

jeperjes — Thu, 27 Oct 2022 13:24:19 GMT

having read the document "Add a New Malware Security Profile", I am not clear as to best and properly entering a path to a folder properly.

this is a paragraph pulled out of the of the webpage.

+Add a file or folder.
Enter the path and press Enter or click the check mark when done. You can also use a wildcard to match files and folders containing a partial name. Use ? to match a single character or * to match any string of characters. To match a folder, you must terminate the path with * to match all files in the folder (for example, c:\temp\*).

My question and concerns are should all paths end with an asterisk (*)?

So this is how i am adding paths into the whitelist.

Is this correct the way or the wrong way to add this path C:\WINDOWS\SYSVOL\staging\? OR should it have an * at end.

C:\WINDOWS\System32\DNS\*.dns OR should it be *\*.dns

C:\Program Files\Microsoft SQL Server\*\Shared\SQLDumper.exe OR should it be *.\sqldumper.exe or does it not matter?

What is the appropriate way to enter files and folders into the malware list.

This C:\Users\*\AppData\Local\Microsoft\OneDrive\ OR that C:\Users\*\AppData\Local\Microsoft\OneDrive\*

This C:\WINDOWS\System32\LogFiles\ OR That C:\WINDOWS\System32\LogFiles\*

This C:\Windows\Veeam\ OR This C:\Windows\Veeam\*

*****Also, does anyone know how to copy all the files/folders in the malware list out of where it is being added into?

Re: best way to add folders to malware whitelist

BPry — Thu, 27 Oct 2022 22:38:14 GMT

@jeperjes,

Keep in mind what you're actually wildcarding.

C:\WINDOWS\System32\DNS\*.dns - This would allow anything in that fold path with a .dns extension.

*\*.dns - This would allow literally anything with a .dns extension.

C:\Program Files\Microsoft SQL Server\*\Shared\SQLDumper.exe - This allows anything within that folder path but that one wild carded portion doesn't matter. So C:\Program Files\Microsoft SQL Server\Bob\Shared\SQLDumper.exe would work fine, but C:\Program Files\Microsoft SQL Server\Billy\Bob\Shared\SQLDumper.exe would not.

*.\sqldumper.exe - Again your allowing this executable name to run from anywhere.

I'd be very careful about wildcarding entire paths and executable names outside of the specified path as required. You can't get around this completely without excluding a bunch of hashes, but any exception should be as specific as possible when being created. I absolutely refuse to exclude entire extensions or just the executable name itself, both open up pretty large exception holes in your environment.

Re: best way to add folders to malware whitelist

jeperjes — Fri, 28 Oct 2022 12:09:57 GMT

So should I remove all the exclusions and let Cortex intelligence determine
which paths, files dictate whitelisting?

Re: best way to add folders to malware whitelist

jeperjes — Fri, 28 Oct 2022 18:48:17 GMT

So if anyone can explain this observation for me, I would appreciate it. With Cisco AMP, it has the ability to disable AV from running at the running apps by the clock. With Cortex, you have to run cytool disable service reboot . to enable the icon for cortex you do cytool enable service and reboot the computer or server. Anyone know a better way? The reason I ask this is with Cisco AMP, we had anomolies with an upgrade installation of software on 5 of our servers to where i had to goto 20 computers and disable the tray icon for Cisco AMP.