Traps false positive


L4 Transporter

Hi,

 

We are having an issue with a file. This file can have several hashes, so it's not possible to click "treat as benign", because the file hash changes. So what is the correct way to permit this file?

 

Thanks

10 REPLIES

Cyber Elite

@BigPalo,

If the file is in a set location you could simply whitelist the file itself via the file path, or if this is an in-house application EXE/DLL file you could have your developers sign the application so you can whitelist it based off of the signing certificate. 

 

How can we do that: "If the file is in a set location you could simply whitelist the file itself via the file path"?

 

The issue is that WF takes 10 minutes to permit access to this file, so end users first receive access denied, and then after 10 minutes the end user can open the file. But all end users open a ticket about this issue.

 

@BigPalo,

Directions differ based on the version of Traps you are using. Are you using the hosted Traps Management Service or are you still running the on-site Endpoint Security Manager? 

If the file name changes, you can whitelist the file path (with env. variables if needed), and use a wildcard (*) for the file name. If the file name does not change, it would be advised to include the file name.

File name is the same, but the hashes are different. So can we create a whitelist for this filename?

@BigPalo ,

You can easily whitelist the file name; to give you directions on how to do so we need to know what Traps installation you are utilizing as the instructions will be different between TMS and ESM installations. 

I'm almost sure that it is ESM 4.x version.

@BigPalo 

 

You will need to make that decision. If several users are affected then you can make it global. If one person, or team, you can add just those machines or users to the rule.
