Fred (and Itarian Team)
Whitelisting or adding exceptions, changing contained programs to trusted is the single most frustrating part of the entire experience.
To this day I still struggle to simply mark a folder or program as safe and not have it blocked.
Yes, I read the manual, and tried to work out if it is best done on the portal - the most logical place - or whether I have to remote to a system (or systems) to try to prevent containment.
Sometimes I resort to disabling the entire bloody thing just to allow a client to do what they need, then revisit afterwards.
Many examples, but whitelisting “Anydesk” for 3rd party usage was a pain, another was an Outlook mail-merge VBS, and an employee keylogger took a few goes - but I fully expected that one to be caught first up!
Containment/HIPS/rules, and half the time they (alerts or contained items) don’t appear anywhere on the portal to even be able to action.
A recent ticket from yesterday:
Type of ticket creator: monitoring
Event Created at: Sun Feb 06 10:38:44 2022 GMT+0
Device Name: K***-SP1
Logged on User: A*****e
Data: Unknown Application Running Inside Container Monitor : Unknown application running inside container: C:\Users\Ae\Downloads\DJIFlightPlanner_24JAN2022_Setup_x64.exe AND Antivirus Database Outdated Monitor : Last antivirus database update is older than two weeks
Looking at the portal under the security tab, only 3 entries?? (but it has my blocked VBS file). However, I personally had a contained program within the last 2 hours that has not appeared or emailed me. I’m sure many of my clients have as well, just not getting listed. Not much notice until a client calls for help.
cmd.exe | C:\Windows\system32\cmd.exe | F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D | 6 | Containment Policy | chrome.exe | Blocked | Complete | Trusted | Trusted | 2022/02/05 11:48:50 AM
cmd.exe | C:\WINDOWS\system32\cmd.exe | E8717FF0D40E01FD3B06DE2AA5A401BED1C907CC | 2 | Containment Policy | chrome.exe | Blocked | Complete | Trusted | Not set | 2022/02/04 09:17:12 AM
Outlook Mail Merge Attachment.vbs | C:\Outlook Mail Merge Attachment\Outlook Mail Merge Attachment.vbs | C64E504A367C660C973B7096D5728BD9B66D0CCB | 1 | Containment Policy | explorer.exe | Virtually | Complete | Unrecognized | Trusted | 2022/02/01 01:34:08 PM
Checking my client's PC on the portal directly shows nothing under Antivirus or Quarantined Files; the only options offered are:
Delete File(s) from Device
Restore File(s) on Device
Rate as Unrecognized
Rate as Trusted
Rate as Malicious
Rate as Obsolete
Last Update Time: Unknown
Request quarantined files
I understand why there are complaints on the portal and requests to allow a simple click link for basic actions from the email alerts or from the portal tickets/alerts.
A simple write-up on the correct procedure, or on which components or the proper recommended use cases to do the above, would be super handy.
Regards,
mcfproservices.