This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

best way to add folders to malware whitelist

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

best way to add folders to malware whitelist

jeperjes
L1 Bithead

‎10-27-2022 06:24 AM

having read the document "Add a New Malware Security Profile", I am not clear as to best and properly entering a path to a folder properly. 

 

this is a paragraph pulled out of the of the webpage.

 

+Add a file or folder.
Enter the path and press Enter or click the check mark when done. You can also use a wildcard to match files and folders containing a partial name. Use ? to match a single character or * to match any string of characters. To match a folder, you must terminate the path with * to match all files in the folder (for example, c:\temp\*).

 

My question and concerns are should all paths end with an asterisk (*)? 

So this is how i am adding paths into the whitelist. 

 

Is this correct the way or the wrong way to add this path  C:\WINDOWS\SYSVOL\staging\? OR  should it have an * at end.

 

C:\WINDOWS\System32\DNS\*.dns    OR should it be *\*.dns

 

C:\Program Files\Microsoft SQL Server\*\Shared\SQLDumper.exe OR should it be *.\sqldumper.exe   or does it not matter?

 

What is the appropriate way to enter files and folders into the malware list.

 

 

 

 

This C:\Users\*\AppData\Local\Microsoft\OneDrive\ OR  that C:\Users\*\AppData\Local\Microsoft\OneDrive\*

 

This C:\WINDOWS\System32\LogFiles\  OR That C:\WINDOWS\System32\LogFiles\*

 

This C:\Windows\Veeam\     OR This   C:\Windows\Veeam\*

 

 

*****Also, does anyone know how to copy all the files/folders in the malware list out of where it is being added into?

 

jeperjes_0-1666877018593.png

 

 

0 Likes Likes
3 REPLIES 3

BPry
Cyber Elite
Cyber Elite

‎10-27-2022 03:38 PM

@jeperjes,

Keep in mind what you're actually wildcarding. 

 

C:\WINDOWS\System32\DNS\*.dns - This would allow anything in that fold path with a .dns extension.

 

*\*.dns - This would allow literally anything with a .dns extension. 

 

C:\Program Files\Microsoft SQL Server\*\Shared\SQLDumper.exe - This allows anything within that folder path but that one wild carded portion doesn't matter. So C:\Program Files\Microsoft SQL Server\Bob\Shared\SQLDumper.exe would work fine, but C:\Program Files\Microsoft SQL Server\Billy\Bob\Shared\SQLDumper.exe would not. 

 

*.\sqldumper.exe - Again your allowing this executable name to run from anywhere.

 

I'd be very careful about wildcarding entire paths and executable names outside of the specified path as required. You can't get around this completely without excluding a bunch of hashes, but any exception should be as specific as possible when being created. I absolutely refuse to exclude entire extensions or just the executable name itself, both open up pretty large exception holes in your environment. 

0 Likes Likes

jeperjes
L1 Bithead
In response to BPry

‎10-28-2022 05:09 AM

So should I remove all the exclusions and let Cortex intelligence determine
which paths, files dictate whitelisting?
0 Likes Likes

jeperjes
L1 Bithead
In response to jeperjes

‎10-28-2022 11:48 AM

So if anyone can explain this observation for me, I would appreciate it.  With Cisco AMP, it has the ability to disable AV from running at the running apps by the clock.  With Cortex, you have to run cytool disable service reboot . to enable the icon for cortex you do cytool enable service and reboot the computer or server.  Anyone know a better way? The reason I ask this is with Cisco AMP, we had anomolies with an upgrade installation of software on 5 of our servers to where i had to goto 20 computers and disable the tray icon for Cisco AMP. 

0 Likes Likes
  • 1677 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks