I have a file that CCS keeps quarantining no matter what I do to exclude it. I have rated the file as trusted. Added the exe file name, and path to the exe in all exclusion profiles, yet it STILL keeps getting caught.
This file below is in the quarantine. It's rated as trusted. It's excluded. Yet every time I restore it from quarantine, it goes right back in.
The paths have been blanked for privacy reasons. Here is the path where that exe lives in the exclusions on the profile for this server (last entry)
I would beg you not to add anything to your containment exclusions unless you really have to.
This is completely dangerous as I have found out; after getting a worm into a client the first thing Comodo infection specialists say / do is stop your exclusion rules as that is why or how it is getting around the AV.
Hard lesson we have learnt, we use it for one client and their DOS app only now where everyone else is locked tight.
We appreciate your suggestions and sharing your experience. Our development team is surely working on the fix/improvement based on the reported issues and suggestions to build a much-improved, better product and services based on everyone’s cooperation and suggestions.
Please let us know if you need further assistance on the reported issue for us to assist you further with the exclusion. You may also use the Valkyrie service to analyze the file by submitting metadata, and it will create an auto-whitelisting when no suspicious activity is detected. You may refer to the link below for further details.
I would love to not use exclusions if the AV would stop flagging important files and breaking applications after I have set the file as trusted. What is the point of setting a file as admin trusted? It clearly doesn't do anything. To me that means it should auto exclude that file from any detection.
@Samuel_C
Done this already. Didn’t work. HOWEVER, there must have been a fix in the last update. After the update I recovered it from quarantine and so far it hasn't gone back. So surely a bug and I’m hoping it stays fixed.
We appreciate the update. May we request that you respond to the associated support ticket together with the requested output of the cisreporttool.exe once available? Thank you.
How can we find out if the whitelist has been updated and pushed to the endpoint? What is the process after the file has been marked as safe? Do the endpoints have a local copy or do they do a lookup online?
You may verify if the whitelist has been updated via the ITSM Dashboard > Valkyrie > Valkyrie File Verdict section; it will show the numbers of whitelisted files. When the auto-whitelisting is enabled, the file will be whitelisted. Lookup online and CCS downloads admin rating database once per hour. This database has the binary format and can’t be visible for the user on the endpoint.