Can I create an exception for anti-ransomware
Good Morning. We have a customer running one of the latest endpoint deployments. The client is at 80.83.xxx. Regular users have no problem, but developers have problems when they go to deploy code or do "things" in Visual Studio. They are getting a false positive pop-up from Anti-Ransomware. At times it freezes/crashes the VS app, other times it completes. Every time, though, it's causing help-desk calls and it's getting visible. Specifically c:/program files (x86)\microsoft visual studio 14.0\common7\ide\devenv.exe is the trigger. Is there a way to eliminate or explicitly trust this executable? There is another exe that I need to do as well, which is vshub.exe.
Thanks in advance for your time. I'm attaching the overview for your reference.
Paul
Did you already try to use a whitelist for TP following Threat Prevention Administration Guide R80.20 p.110f?
I did not, because my question is geared towards endpoint management, not firewall or network management. Your guide is talking about gateway management unless I'm mistaken.
Thanks,
Paul
That is true - for Endpoint Server, the procedure is given in e.g. Endpoint Security Administration Guide R77.30.03 Management Server p.182:
To configure trusted processes:
1. In the Properties of the Scan all files on Access Action, click Add.
2. In the Trusted Processes window, enter the fully qualified path or an environment variable for the trusted executable file. For example:
• C:\Program Files\MyTrustedDirectory\MyTrustedProgram.exe
• %programdata%\MyTrustedProgram.exe
3. Click OK.
The trusted program shows in the Trusted Processes list.
Hi Paul
We made a rule that excluded the path to the development.
We got an RPA server calling PowerShell scripts, and every time it was called the anti-ransomware blade triggered and deleted the script.
So we were recommended to create a rule in the endpoint mgmt server that would bypass the path to the script for the given server.
So create a rule which includes your development server and bypass the application and its working directory.
You might also do this for the folders where you compile code into executable files.
By the way, the latest stable version is e80.87, but as I recall there shouldn't be any difference between the versions in regards to handling the issue you mention in your question.
Hope this would help
Best regards
Kim
Example of excluding a folder/file on the Anti-Ransomware blade for the endpoint.
Kim
To exclude a process from monitoring:
- From a SandBlast Agent Forensics and Anti-Ransomware rule in the Policy, right-click the Monitoring and Exclusions action and select Edit Shared Action.
- Click Add exclusion.
- In the window that opens select:
  - Process - To exclude an executable. You can also include Certificate information.
    - In Process name, enter the name of the executable.
    - Optional: Enter more information in the fields shown. Signer is the company that signs the certificate. The more information you enter, the more specific the exclusion will be.
  - Certificate - To exclude processes based on the company that signs the certificate, for example, Google.
    - In Certificate Data, enter a name of company that signs certificates, or browse to add a certificate file.
- Click OK.
- The exclusion is added to the Exclusions list.
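To fill in the Process name and Signer fields from the steps above with values read from the binary itself rather than typed from memory, the following PowerShell sketch reports each candidate's Authenticode signer and signature status. It is an added example, not part of the original posts or of Check Point's documentation; the function name Get-ExclusionCandidateInfo is hypothetical, and the devenv.exe path is the one given in the question (the location of vshub.exe is not stated in the thread and must be supplied).

```powershell
# Added example (hypothetical helper, not a Check Point tool).
# Collects the data needed for a narrowly scoped Process exclusion:
# executable name, full path, and who signed it.
function Get-ExclusionCandidateInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            # Allow %programdata%-style paths, as in the trusted-process examples
            $expanded = [Environment]::ExpandEnvironmentVariables($p)
            if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
                Write-Warning "Not found, skipped: $expanded"
                continue
            }

            $sig  = Get-AuthenticodeSignature -LiteralPath $expanded
            $cert = $sig.SignerCertificate
            $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

            [pscustomobject]@{
                ProcessName     = Split-Path -Path $expanded -Leaf
                FullPath        = $expanded
                SignatureStatus = $sig.Status
                # Signer = subject of the signing certificate
                Signer          = if ($cert) { $cert.GetNameInfo($nameType, $false) } else { $null }
                Issuer          = if ($cert) { $cert.GetNameInfo($nameType, $true) } else { $null }
                Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
                CertNotAfter    = if ($cert) { $cert.NotAfter } else { $null }
                # Only rely on the signer when the signature verifies on this machine
                SignerUsable    = ($sig.Status -eq 'Valid')
            }
        }
    }
}

# Path taken from the question; add the installed path of vshub.exe to the list.
$candidates = @(
    'C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe'
)
$candidates | Get-ExclusionCandidateInfo | Format-List
```

A candidate whose SignerUsable is False (unsigned, or a signature that does not verify) gives the Signer field nothing to match on, so the exclusion would rest on the name or path alone.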
Awesome Dameon. Thanks much!
