Trying to whitelist a file for Threat Emulation and Anti-Exploit Blade.

jperry — Mon, 13 Apr 2020 16:26:23 GMT

I have a user trying to run an .exe that is coming up as malware via the Threat Emulation and Anti-Exploit blade. It is confirmed to be a false positive. I am trying to add it as a whitelist but the only options are: Folder, domain or SHA1. It doesn't look like I can use a wildcard in the folder path for the file name so the next best option would be the SHA1 hash. Is there a relatively easy method for getting the SHA1? Most other AVs will provide the SHA1 on detection so that it can be added to the whitelist. I see the MD5 in the Forensics report but no SHA1. I would hate to have to grab the file from the user everytime there is a false positive just to generate a SHA1 hash.

Is there another way that I should be white listing this?

Thank you!

Re: Trying to whitelist a file for Threat Emulation and Anti-Exploit Blade.

_Val_ — Wed, 15 Apr 2020 17:54:37 GMT

Maybe this will help: https://support.microsoft.com/en-us/help/889768/how-to-compute-the-md5-or-sha-1-cryptographic-hash-values-for-a-file

topic Re: Trying to whitelist a file for Threat Emulation and Anti-Exploit Blade. in Endpoint

Trying to whitelist a file for Threat Emulation and Anti-Exploit Blade.

Re: Trying to whitelist a file for Threat Emulation and Anti-Exploit Blade.