Some business processes may utilize Excel documents with embedded macros which launch external applications, which are suspicious, but are later found to be part of a business process. Rather than whitelisting Excel.exe (pretty broad exception) to be able to execute these processes, is there a way to get an exception for just a specific excel document? Of course this is given that the document can be singled out by name.
Solved! Go to Solution.
What verision of Traps are you using. Regardless of version, you can whitelist a file on a case by case basis, instead of whitelsting the excel process which would be rather ill-advisable.
I don't believe your statement is accurate, you can't really whitelist an excel document file, since as I understand it, Traps protects and evaluates processes/executables on execution, and in the scenario I'm referring to, it would be the Excel.exe process executing and running displaying/presenting a file that has a macro that causes Excel.exe to run a child process that appears suspicious to Traps. This means Whitelisting the xlsx filename or file hash likely does nothing.
How do you make a child process protection exception to an individual Excel document file? For example, there is nothing that I have access to that allows me to turn off child process protection on Excel.exe when it is opening a certain file, but does support have this ability? The reason I'm asking is that the only option I have is to make an exception to a process name (process name being Excel.exe, which I already know is not a good idea). I guess to reiterate I was looking for whether it's possible for support to create this type of exception as an Advanced Exception, or is there anyone out there that has had this scenario, and what did they do?
I'm using Traps 6.1 by the way.
So your maco execution can be whitelisted by going into the Malware profile and looking at the "Examine Office Files with Macros" area, which will allow you to add a Whitelisted file. This should stop Traps from triggering the Malicious Child Process protections. If not, how you would whitelist the process is by looking at the detection logs and seeing how it identifies the Parent/chile process and the CLP that was utilized. You would then build the chain under "Prevent Maclicious Chile Process Execution".
Hello @BPry ,
So I tried adding a file to the whitelist for the Malware profile under "Examine Office Files with Macros". This allows the file to open, but as I suspected, A "suspicious process creation" event is still triggered when the macro is run. This is because in this scenario Excel.exe is starting a child process of schtasks.exe.
You are correct though in your statement about if that doesn't work, you can put it in the "Malware Profile" and allow Excel.exe to launch something like schtasks.exe with very specific parameters. In the end, it would be allowing Excel.exe as a whole to perform a very specific task, which isn't all that bad. As an example, I've attached a screenshot of the exception I made for a fictional excel file I created with a macro to set a scheduled task.
Wildcards can be used in the Command Line Params as well.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!