Configure and Manage Exclusions in AMP for Endpoints Contents

Size: px

Start display at page:

Download "Configure and Manage Exclusions in AMP for Endpoints Contents"

Bertha Hubbard
5 years ago
Views:

1 Configure and Manage Exclusions in AMP for Endpoints Contents Introduction Prerequisites Requirements Components Used Background Information Exclusion Types File Extension Path Wildcard Threat Process Exploit Prevention Malicious Activity Protection Configure Verify Troubleshoot Appendix A: Recommended Exclusions Windows - Workstations (Generic) Windows - Servers (Generic) Windows - Domain Controllers Windows - IIS Windows - Exchange Server Windows - SQL Server Windows - Symantec Endpoint Protection Windows - Avast Windows - Avira Windows - Altiris by Symantec Windows - Trend Windows - Kaspersky Windows - McAfee Windows - Defender Windows - Microsoft Forefront Windows - Microsoft Security Client Windows - Sophos Windows - VSE Mac - Workstations (Generic) Mac - Jabber Mac - JAMF Casper Mac - McAfee

2 Mac - Crashplan Mac - Fusion Mac - Office Windows - Lakeside Software - Systrack Windows - SAS Applications Windows - Splunk Windows - Diebold Warsaw Windows - One Drive Windows - Office Introduction This document describes how to create exclusions so that an AMP for Endpoints (A4E) Connector does not scan the program's directory. This is completed in order to prevent conflicts or performance problems between a FireAMP Connector and anti-virus or other applications. This is especially important with anti-virus signatures that contain strings that the A4E Connector detects as malicious or issues with quarantined files. Note: The Cisco Technical Assistance Center (TAC) does not track the inventory of the potentially infinite number of applications. The list of exclusions in the appendix is just a guideline. For additional information, read the official user guide and documentation. Prerequisites Requirements Cisco recommends that you have knowledge of A4E Cloud Console, AMP for Endpoints (A4E), and anti-virus products. Components Used This document is not restricted to specific software and hardware versions. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Background Information Exclusion Types There are five types of usable exclusions in the A4E console and two that can be added through Tier 3. If the wrong exclusion type is used, the exclusion will not function. It is important to note the format of each type in order to verify the exclusion was added properly during the tuning process. File Extension

3 This exclusion type is used to exclude files of a certain extension, no matter where it is located on the machine. Examples:.log.txt.db Path This exclusion can be used in order to exclude a single folder or file. Path exclusions are recursive (any subfolders within that path will also be excluded). Path exclusions are the only ones that can use Constant Special Item ID List (CSIDL) as a wildcard. The two path formats are: CSIDL_WINDOWS\system32 C:\Windows\system32 Note: The wildcard star ' * ' character is not valid for use within a path exclusion. Also, for Windows machines only (does not affect Mac/Linux): Adding "\" to the end of a path exclusion changes the behavior slightly. This is easiest demonstrated with an example. If you exclude "C:\Test", AMP will exclude files in "C:\Test", "C:\Testing", "C:\Test_Two", etc. (and all subdirectories thereof). If you exclude "C:\Test\", AMP will only exclude files in "C:\Test" (and subdirectories thereof). It will not exclude files in "C:\Testing", "C:\Test_Two", etc. Wildcard This exclusion type is best used when you may be unable to anticipate a folder or file name. You can use multiple wildcards in a single exclusion as well. The wildcard examples are: C:\Program Files\MyApplication\*.log C:\Users\*\MyApplication\ C:\ProgramData\*\MyApplication\*\*.log Threat This exclusion helps prevent one or more files from being scanned and detected based on the threat name. This can be useful if you anticipate a variety of names for a given file. Some examples of threat names are below: W32.B76344BA43-95.SBX.TG W32.Auto:dfd99f89d2.in05.Talos Process Process exclusions can be used to prevent A4E from scanning any files and subprocesses based on a process. You can use either the SHA256 hash of the process or the full file path, or both SHA256 and file path together. If you use both pieces of data then both conditions must be met in order for the exclusion to work. You can also choose to exclude subprocesses. Examples are below:

4 C:\Program Files\MyApplication.exe SHA256 of the MyApplication.exe Both of the above Note: v or higher is required to use process exclusions with child process exclusions enabled. Exploit Prevention Exploit Prevention exclusions are useful to exclude incompatible DLLs until an update to the engine can be completed to resolve the issue. To determine the proper exclusion, please contact TAC. Note: Windows Connector v6.0.1 or higher is required to use Exploit Prevention exclusions. Malicious Activity Protection

5 MAP exclusions can be used if a process is being flagged as malicious based on its behavior resembling known malicious behaviors. If an exclusion is required for MAP, please contact TAC Note: Windows Connector v6.1.1 or higher is required to use process exclusions with child process exclusions enabled. Configure In order to create exclusions, complete these steps: 1. Choose Management > Exclusions on the A4E Cloud Console. 2. Either edit an existing exclusion set (preferred) or click Create Exclusion Set in order to create a new list of exclusions. Enter a name for the list and click Create. 3. Click Add Exclusion in order to add an exclusion to your list. You will be prompted to enter a path for the exclusion.

6 4. Enter the CSIDL of the software products you installed on your endpoints and then click Create. Note: A CSIDL value identifies special folders used by an application. This is system-independent and independent of any filename or location of the system. Note: In the previous screenshot, the directory name is excluded for Symantec. Once the CSIDL is loaded on the computer that runs the FireAMP Connector, the CSIDL resolves to the full path, C:\ProgramData\Symantec. 5. Choose Management > Policies. Click Edit next to the appropriate policy. From the Custom Exclusion Set drop-down list, choose the exclusion set you created. ALWAYS REMEMBER THAT A POLICY CAN ONLY HAVE ONE EXCLUSION SET ASSOCIATED WITH IT.Note: Once you have created an Exclusion Set, you must add it to any policies that you have created.

7 6. Click Update Policy and repeat the steps for any other policies you want the exclusion set applied to. Note: There is a delay between a policy update and the next heartbeat interval, when a connector receives an updated policy change.tip: In order to determine the CSIDLs for your current security product or application, contact the manufacturer. For a complete list of CSIDLs, refer to the Microsoft Dev Center - Desktop. Verify There is currently no verification procedure available for this configuration. Troubleshoot There is currently no specific troubleshooting information available for this configuration. Appendix A: Recommended Exclusions Based on the Microsoft Anti-virus Exclusion List, Cisco recommends that you exclude: Windows - Workstations (Generic) Extension:.db-journal Extension:.db-wal Extension:.db-shm Extension:.pst Extension:.log Path: CSIDL_BASEDIR Path: CSIDL_SYSTEM\emptyregdb.dat Path: CSIDL_SYSTEM\CatRoot2

8 Path: CSIDL_WINDOWS\Prefetch Path: CSIDL_PROGRAM_FILES\Windows Defender Path: CSIDL_PROGRAM_FILESX86\Windows Defender Path: CSIDL_COMMON_APPDATA\Microsoft\Windows Defender Path: CSIDL_WINDOWS\system32\GroupPolicy\registry.pol Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Datastore.edb Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\edb.chk Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Res1.log Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Res2.log Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\tmp.edb Wildcard: CSIDL_WINDOWS\Security\database\*.chk Wildcard: CSIDL_WINDOWS\Security\database\*.edb Wildcard: CSIDL_WINDOWS\Security\database\*.jrs Wildcard: CSIDL_WINDOWS\Security\database\*.log Wildcard: CSIDL_WINDOWS\Security\database\*.sdb Wildcard: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\*.log Wildcard: CSIDL_WINDOWS\SoftwareDistribution\Datastore\\Logs\edb*.log Wildcard: *\System Volume Information\tracking.log$ Windows - Servers (Generic) Path: CSIDL_BASEDIR Path: CSIDL_SYSTEM\emptyregdb.dat Path: CSIDL_SYSTEM\CatRoot2 Path: CSIDL_WINDOWS\Prefetch Path: CSIDL_WINDOWS\system32\GroupPolicy\registry.pol Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Datastore.edb Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\edb.chk Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Res1.log Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Res2.log Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\tmp.edb Path: C:\inetpub\temp\IIS Temporary Compressed Files Path: CSIDL_WINDOWS\IIS Temporary Compressed Files Path: CSIDL_WINDOWS\system32\inetsrv Path: CSIDL_WINDOWS\system32\inetsrv\w3wp.exe Path: CSIDL_WINDOWS\SysWOW64\inetsrv\w3wp.exe Path: CSIDL_COMMON_APPDATA\ntuser.pol Path: CSIDL_WINDOWS\System32\LogFiles Path: CSIDL_WINDOWS\SysWow64\LogFiles Path: CSIDL_PROGRAM_FILES\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLServr.exe Path: CSIDL_PROGRAM_FILES\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe

9 Path: CSIDL_PROGRAM_FILES\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe Path: CSIDL_PROGRAM_FILES\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe Path: CSIDL_PROGRAM_FILES\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe Path: CSIDL_PROGRAM_FILES\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe Wildcard: CSIDL_WINDOWS\Security\database\*.chk Wildcard: CSIDL_WINDOWS\Security\database\*.edb Wildcard: CSIDL_WINDOWS\Security\\database\*.log Wildcard: CSIDL_WINDOWS\Security\database\*.sdb Wildcard: CSIDL_WINDOWS\Security\database\*.jrs Wildcard: *\System Volume Information\tracking.log$ Wildcard: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\*.log Wildcard: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\edb*.log Extension:.bak Extension:.ldf Extension:.mdf Extension:.trn Extension:.abf Extension:.ctl Extension:.dbf Extension:.rdo Extension:.arc Extension:.ndf Note: Additional exclusions suggested by Microsoft are frequently updated Here Windows - Domain Controllers Path: CSIDL_COMMON_APPDATA\ntuser.pol Path: CSIDL_WINDOWS\system32\GroupPolicy\registry.pol Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Datastore.edb Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\edb.chk Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Res1.log Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\Res2.log Path: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\tmp.edb Path: CSIDL_WINDOWS\ntds\ntds.dit Path: CSIDL_WINDOWS\ntds\EDB.chk Path: CSIDL_WINDOWS\ntds\TEMP.edb Path: CSIDL_WINDOWS\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory Path: CSIDL_WINDOWS\SYSVOL\staging Path: CSIDL_WINDOWS\SYSVOL\staging areas Path: CSIDL_WINDOWS\SYSVOL\sysvol Path: CSIDL_WINDOWS\System32\ntfrs.exe Path: CSIDL_WINDOWS\System32\dfsr.exe Path: CSIDL_WINDOWS\System32\dfsrs.exe

10 Path: CSIDL_WINDOWS\System32\dns.exe Wildcard: CSIDL_WINDOWS\Security\database\*.edb Wildcard: CSIDL_WINDOWS\Security\\database\*.log Wildcard: CSIDL_WINDOWS\Security\database\*.sdb Wildcard: CSIDL_WINDOWS\Security\database\*.jrs Wildcard: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\*.log Wildcard: CSIDL_WINDOWS\SoftwareDistribution\Datastore\Logs\edb*.log Wildcard: CSIDL_WINDOWS\ntds\EDB*.log Wildcard: CSIDL_WINDOWS\ntds\Edbres*.jrs Wildcard: CSIDL_WINDOWS\ntds\*.pat Wildcard: CSIDL_WINDOWS\System32\DNS\*.dns Wildcard: CSIDL_WINDOWS\System32\DNS\*.scc Windows - IIS Path: CSIDL_COMMON_APPDATA\ntuser.pol Path: CSIDL_WINDOWS\system32\GroupPolicy\registry.pol Path: C:\inetpub\temp\IIS Temporary Compressed Files Path: CSIDL_WINDOWS\IIS Temporary Compressed Files Path: CSIDL_WINDOWS\system32\inetsrv Path: CSIDL_WINDOWS\system32\inetsrv\w3wp.exe Path: CSIDL_WINDOWS\SysWOW64\inetsrv\w3wp.exe Path: CSIDL_WINDOWS\System32\LogFiles Path: CSIDL_WINDOWS\SysWow64\LogFiles Windows - Exchange Server Path: CSIDL_PROGRAM_FILES\Microsoft\Exchange Server\ Path: CSIDL_SYSTEM\inetsrv Windows - SQL Server Extension:.bak Extension:.ldf Extension:.mdf Extension:.trn Extension:.abf Extension:.ctl Extension:.dbf Extension:.rdo Extension:.arc Extension:.ndf Path: CSIDL_COMMON_APPDATA\ntuser.pol Path: CSIDL_WINDOWS\system32\GroupPolicy\registry.pol Path: CSIDL_WINDOWS\System32\LogFiles Path: CSIDL_WINDOWS\SysWow64\LogFiles Path: CSIDL_PROGRAM_FILES\Microsoft SQL

11 Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLServr.exe Path: CSIDL_PROGRAM_FILES\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe Path: CSIDL_PROGRAM_FILES\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe Path: CSIDL_PROGRAM_FILES\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe Path: CSIDL_PROGRAM_FILES\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe Path: CSIDL_PROGRAM_FILES\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe Note: Additional exclusions suggested by Microsoft are frequently updatedhere Windows - Symantec Endpoint Protection Path: CSIDL_COMMON_APPDATA\Symantec Path: CSIDL_PROGRAM_FILES\Symantec\Symantec End Point Protection Path: CSIDL_PROGRAM_FILESX86\Symantec\Symantec Endpoint Protection Wildcard: CSIDL_WINDOWS\Temp\musdmys_* Wildcard: CSIDL_WINDOWS\Temp\content.zip.tmp\*.diff Wildcard: CSIDL_WINDOWS\Temp\content.zip.tmp\SymDeltaDecompressOptions.xml Wildcard: CSIDL_WINDOWS\Temp\content.zip.tmp\cur.scr Wildcard: CSIDL_WINDOWS\Temp\TMP*.tmp Windows - Avast Path: CSIDL_WINDOWS\Temp\_avast5_ Path: CSIDL_WINDOWS\Temp\_avast_ Windows - Avira Path: CSIDL_APPDATA\Avira\AntiVir Desktop\TEMP Path: CSIDL_LOCAL_APPDATA\Avira\AntiVir Desktop\TEMP Path: CSIDL_PROGRAM_FILES\Avira\AntiVir Desktop\TEMP Windows - Altiris by Symantec Path: CSIDL_PROGRAM_FILES\Altiris\Altiris Agent\TaskManagement Path: CSIDL_PROGRAM_FILES\Altiris\Inventory\Outbox Wildcard: *\Windows\Temp\AltirisScript*.cmd Windows - Trend Path: CSIDL_PROGRAM_FILES\Trend Micro Path: CSIDL_PROGRAM_FILESX86\Trend Micro Windows - Kaspersky Path: CSIDL_COMMON_APPDATA\Kaspersky Lab

12 Windows - McAfee Path: CSIDL_PROGRAM_FILES\McAfee Path: CSIDL_PROGRAM_FILESX86\McAfee Path: CSIDL_COMMON_APPDATA\McAfee Path: CSIDL_PROGRAM_FILES\Common Files\McAfee Windows - Defender Path: CSIDL_PROGRAM_FILES\Windows Defender Path: CSIDL_PROGRAM_FILESX86\Windows Defender Path: CSIDL_COMMON_APPDATA\Microsoft\Windows Defender Windows - Microsoft Forefront Path: CSIDL_PROGRAM_FILES\Microsoft Forefront Path: CSIDL_PROGRAM_FILESX86\Microsoft Forefront Windows - Microsoft Security Client Path: CSIDL_PROGRAM_FILES\Microsoft Security Client Path: CSIDL_PROGRAM_FILESX86\Microsoft Security Client Windows - Sophos Path: CSIDL_PROGRAM_FILES\Sophos Path: CSIDL_PROGRAM_FILESX86\Sophos Path: CSIDL_COMMON_APPDATA\Sophos\Sophos Anti-Virus Path: CSIDL_COMMON_APPDATA\Sophos Vista/Win7 and Newer also requires this path. Path: C:\ProgramData\Sophos\AutoUpdate\Cache Path: C:\Program Files\Sophos\AutoUpdate\Cache Path: C:\ProgramData\Sophos Wildcard: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Sophos* Wildcard: C:\Windows\Temp\Sophos* Windows - VSE Path: CSIDL_PROGRAM_FILES\VSE Path: CSIDL_COMMON_APPDATA\VSE Mac - Workstations (Generic) Path: /private/var/vm Path: /.Spotlight-V100 Path: /.MobileBackups

13 Path: /Volumes/MobileBackups/ Path: /Quarantine Path: /Volumes/Time Machine Backups/ Wildcard: /Volumes/*/.Spotlight-V100 Wildcard: /Volumes/*/.Spotlight-V100* Wildcard: /Volumes/*/Backups.backupdb Wildcard: /Users/*/Documents/Microsoft User Data/Office 2011 Identities/* Wildcard: /Users/*/Library/Group Containers/* Office/Outlook/Outlook 15 Profiles/* Wildcard: /Users/*/Library/Caches/Outlook/* Wildcard: /Users/*/Library/Caches/TemporaryItems/Outlook Temp/*kcIB* Mac - Jabber Path: /bin/ps Path: /usr/bin/grep Wildcard: /Users/*/Library/Logs/Jabber Mac - JAMF Casper Path: /usr/bin/sw_vers Wildcard: /Library/Application Support/JAMF/Usage/201*-*-*/.dat* Mac - McAfee Path: /Library/McAfee/ Path: /Library/Application Support/McAfee/ Mac - Crashplan Path: /Library/Caches/CrashPlan/ Wildcard: /Library/Logs/CrashPlan/*.log Mac - Fusion Path: /Library/Logs/VMware/ Mac - Office Wildcard: /Users/*/Documents/Microsoft User Data/Office 2011 Identities/* Wildcard: /Users/*/Library/Group Containers/* Office/Outlook/Outlook 15 Profiles/* Wildcard: /Users/*/Library/Caches/Outlook/* Wildcard: /Users/*/Library/Caches/TemporaryItems/Outlook Temp/*kcIB* Windows - Lakeside Software - Systrack Wildcard: *\Program Files (x86)\systrack\lsiagent\condense\*\*\*.tmp Wildcard: *\Program Files (x86)\systrack\lsiagent\condense\*\*.hld

14 Windows - SAS Applications Extension:.lck Extension:.sd2 Extension:.sc2 Extension:.SPDS Extension:.utl Wildcard: *.sas* (See the note in the Wildcard section.) Also the SAS work location needs to be excluded, but the folder might be different in different SAS versions. Windows - Splunk Path: CSIDL_PROGRAM_FILES\Splunk Path: CSIDL_PROGRAM_FILESX86\Splunk Path: CSIDL_PROGRAM_FILES\Splunk\var\lib\splunk Path: CSIDL_PROGRAM_FILESX86\Splunk\var\lib\splunk Path: CSIDL_PROGRAM_FILES\SplunkUniversalForwarder Path: CSIDL_PROGRAM_FILESX86\SplunkUniversalForwarder Windows - Diebold Warsaw These are the required exclusions for Diebold Warsaw banking software. Without these exclusions in place the application will not properly install. If the software is installed prior to AMP installation without these exclusions in place the system might become unresponsive. Path Exclusions Path: C:\Program Files (x86)\diebold\warsaw Path: C:\Program Files\Diebold\Warsaw Path: C:\Windows\System32\drivers\wsddfac.sys Newer versions might require: Path: C:\Windows\System32\drivers\gbpddfac64.sys Path: C:\Program Files (x86)\gas Tecnologia\Warsaw Path: C:\Windows\Temp\Diebold\Warsaw Wildcard Exclusions Wildcard: C:\Windows\Temp\warsaw_* Wildcard: C:\Users\*\AppData\Local\Temp\warsaw_* Wildcard: C:\Users\*\AppData\Local\Temp\*-*.tmp Wildcard: C:\Windows\System32\drivers\*-*.tmp Windows - One Drive Wildcard: C:\Users\*\OneDrive Windows - Office

15 Wildcard: C:\Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache

Upgrade a FireAMP Connector on Windows Operating Systems

Upgrade a FireAMP Connector on Windows Operating Systems Document ID: 118610 Contributed by Nazmul Rajib and Alexander Dipasquale, Cisco TAC Engineers. Oct 15, 2014 Contents Introduction Prerequisites