This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Paul_Warnagiris
Advisor
‎2018-10-17 06:21 AM

Can I create an exception for anti-ransomeware

Good Morning.  We have a customer running one of the latest endpoint deployments.  The client is at 80.83.xxx.  Regular users have no problem, but developers have problems when they go to deploy code or do "things" in Visual Studio. They are getting a false positive pop up from Anti-Ransomeware.  At times it freezes/crashes the VS app, other times it completes.  Every time though its causing help-desk calls and its getting visible.  Specifically c:/program files (x86)\microsoft visual studio 14.0\common7\ide\devenv.exe is the trigger.  Is there a way to eliminate or explicitly trust this executable?  There is another exe that I need to do as well which is vshub.exe.

Thanks in advance for your time.  I'm attaching the overview for your reference.

Paul

Preview file
362 KB
6 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-10-17 07:11 AM

Did you already try to use a whitelist for TP following Threat Prevention Administration Guide R80.20 p.110f ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Paul_Warnagiris
Advisor
‎2018-10-17 08:11 AM
In response to G_W_Albrecht

I did not because my question is geared towards endpoint management, not firewall or network management.  Your guide is talking about gateway management unless I'm mistaking.


Thanks,
Paul

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-10-18 01:22 AM
In response to Paul_Warnagiris

That is true - for Endpoint Server, the procedure is given in e.g. Endpoint Security Administration Guide R77.30.03 Management Server p.182:

To configure trusted processes:

1. In the Properties of the Scan all files on Access Action, click Add.

2. In the Trusted Processes window, enter the fully qualified path or an environment variable for the trusted executable file. For example:

C:\Program Files\MyTrustedDirectory\MyTrustedProgram.exe

• %programdata%\MyTrustedProgram.exe

3. Click OK.

The trusted program shows in the Trusted Processes list.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Kim_Moberg
Advisor
‎2018-10-17 11:36 AM

Hi Paul

We made a rule that excluded the path to the development. 

We got a rpa server calling powershell scripts and everytime it was called the anti-ransomware blade triggered and deleted the script.

So we were recommended to create a rule in the endpoint mgmt server that would bypass the path to the script for the given server.

So create a rule which include your development server and bypass the Application and it working directory.

You might also do this for the folders were you compile codes into executeble files.

By the way. Latest stable version is e80.87 but as I recall there shouldnt be any difference between the versions in regards to handling the issue you are mention in your question.

Hope this would help

Best regards

Kim

example of exclude folder/file on the antiransomeware blade for the endpoint.

Best Regards
Kim
PhoneBoy
Admin
Admin
‎2018-10-19 08:52 AM

To exclude a process from monitoring:

  1. From a SandBlast Agent Forensics and Anti-Ransomware rule in the Policy, right-click the Monitoring and Exclusions action and select Edit Shared Action.
  2. Click Add exclusion.
  3. In the window that opens select:
    • Process - To exclude an executable. You can also include Certificate information.
      • In Process name, enter the name of the executable.
      • Optional: Enter more information in the fields shown Signer is the company that signs the certificate. The more information you enter, the more specified the exclusion will be.
    • Certificate - To exclude processes based on the company that signs the certificate, for example, Google.
      • In Certificate Data, enter a name of company that signs certificates, or browse to add a certificate file.
  4. Click OK.
  5. The exclusion is added to the Exclusions list.
Paul_Warnagiris
Advisor
‎2018-10-22 12:45 AM
In response to PhoneBoy

Awesome Dameon.  Thanks much!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events