What am I doing wrong. The antivirus is sandboxing some software that I know for a fact is not malware and I am intending to run. I do the following

  1. Open the Antivirus and click Manage Protection
  2. Click on Auto-Containment
  3. Under the Auto-containment tab I create a new listing to ignore the folder that houses my executable.

When I save everything it all seems to work just fine. However, after a few minutes it’s sandboxing again. I go in to check and I either see that my new exception has been removed, or it’s there and enabled, but the system is still sandboxing. Is there another way to do this?

Fred ( and Itarian Team)

Whitelisting or adding exceptions, changing contained programs to trusted is the single most frustrating part of the entire experience.

To this day I still struggle to to simply mark a folder or program as safe and not have it blocked.

Yes, read the manual, tried to work out if best done on the portal - most logical place, or have to remote to a system/s to try to prevent containment.
Sometimes I resort to disabling the entire bloody thing just to allow a client to do what they need, then revisit afterwards.

Many examples, but whitelisting “Anydesk” for 3rd party usage was a pain, another was an outlook mail-merge vbs, and a employee keylogger took a few goes - but I fully expected that one to be caught first up!

Containment/Hips/rules and half the time they (alerts or contained) don’t appear anywhere on the portal to even be able to action.

A recent ticket yesterday

Type of ticket creator: monitoring
Event Created at: Sun Feb 06 10:38:44 2022 GMT+0
Device Name: K***-SP1
Logged on User: A*****e
Data: Unknown Application Running Inside Container Monitor : Unknown application running inside container: C:\Users\A
e\Downloads\DJIFlightP lanner_24JAN2022_Setup_x64.exe AND Antivirus Database Outdated Monitor : Last antivirus database update is older than two weeks

Looking at the portal under security tab, only 3 entries ?? (but has my vbs blocked file) however I personally had a contained program within the last 2 hours that has not appeared or emailed me. I’m sure many of my clients have as well, just not getting listed. Not much notice until a client calls for help.

cmd.exe C:\Windows\system32\cmd.exe F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D 6 Containment Policy chrome.exe Blocked Complete Trusted Trusted 2022/02/05 11:48:50 AM
cmd.exe C:\WINDOWS\system32\cmd.exe E8717FF0D40E01FD3B06DE2AA5A401BED1C907CC 2 Containment Policy chrome.exe Blocked Complete Trusted Not set 2022/02/04 09:17:12 AM
Outlook Mail Merge Attachment.vbs C:\Outlook Mail Merge Attachment\Outlook Mail Merge Attachment.vbs C64E504A367C660C973B7096D5728BD9B66D0CCB 1 Containment Policy explorer.exe Virtually Complete Unrecognized Trusted 2022/02/01 01:34:08 PM

Checking my clients pc on the portal direct shows nothing under antivirus or Quarantined Files

Delete File(s) from Device
Restore File(s) on Device
Rate as Unrecognized
Rate as Trusted
Rate as Malicious
Rate as Obsolete
Last Update Time:Unknown
Request quarantined files

I understand why there are complaints on the portal and requests to allow a simple click link for basic actions from the email alerts or from the portal tickets/alerts.

A simple write up on the correct procedure, or what component’s or the proper recommended use cases to do the above would be super handy.



Tried to edit post for reducing table size, but its listed as unapproved and not authorized to edit ??

Hi @mcfproservices,

Now, I have approved the post manually. The automatic system made the post Unapproved due to many URLs used, which we have removed.

Kind Regards,

That’s great for the post, but is there an answer to either of our questions? This is very frustrating and I’ve had many clients tell me they want my antivirus removed and they will go with another company. They can’t be calling me every time the want to run the program.

Hi @Fred,

We will ask our backend team to create a support ticket and collect the required logs to assist you in writing rules.

Kind Regards,

Please implement an allround and better procedure for whitelisting/ black listing files/ programs. Not only some rules specific for this program.

So we all don’t have to struggle every time to navigate through the logs (if any).
Like @mcfproservices also mentioned, yes, there should be a better mechanism for this.