Hi there! Our clients have numerous custom applications that are usually contained when they run. I have found a way to whitelist / exclude them, but when I try to add file paths to file groups, I am asked to make the entries one after the other. I have almost a hundred executables to be whitelisted belonging to the same application. How can I go about adding these files all at once, since I’m prompted to add them one after the other… (This means I’ll have to add file paths a hundred times, which is very tedious.) Can’t I just copy and paste all from a list?
Hi @chales, if the executables belong to the same application and are located in the same folder, you can try whitelisting the path of the root folder.
Thank you Carl… but I thought of it this way… if we were to whitelist the whole folder, and some nefarious fellow drops his malware in that same folder, the malware will be allowed to run since the folder is whitelisted, i.e., any executable located in the folder is allowed to run by default. Hence the need to whitelist file by file instead of on a folder basis. What sayest thou?
Hello @chales ,
Yes, it will run. However, if it's an unknown file, it will run in a virtual containment, which is what we call auto-Sandbox.
Put it in a little cell and let it execute there while the system is analyzing whether the file is a good or a bad one.
Regards,
Jay
Hi Jay, Thanks for the clarification. I have proceeded to go with folder whitelisting approach.
Just to clarify, if you are talking about creating an exclusion list and going to exclude them from AV and Containment, then they are NOT going to be contained even if they are unknown.
What I can recommend as a quick way of whitelisting could be:
1. Build a clean golden image with these custom applications
2. Install Comodo Clients there
3. Run these applications and let it report the unknowns to ITSM
4. Go to ITSM, Device details, File List (we expect to see all of these files reported as unknown at this point)
5. Select all (still be careful that there is no malware in the list) and change the rating to trusted
6. Let ITSM sync these file ratings as trusted on all of the machines (should start immediately)
7. Go to the golden image and try to run these files again and see if anything is missing / still contained; if there is, repeat steps 4 to 6.
There might be a few other methods to use but this might be easier to follow I think.
Best regards,
Ilker
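Added example, not part of the original thread and not Comodo code: one way to support the "be careful that there is no malware in the list" review and the folder-whitelisting concern raised earlier is to record a hash manifest of the application folder on the golden image and later compare an endpoint's folder against it. The function names, the folder name and the sample files are constructed for illustration; nothing here calls an ITSM API.

```python
import hashlib
import tempfile
from pathlib import Path

# File types named in the thread (exes, DLLs, jars, bats); adjust as needed.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".jar", ".bat"}

def build_manifest(root):
    """Map each executable's path (relative to root) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def compare_to_baseline(baseline, current):
    """Return files that are new, modified or missing versus the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed sample: a golden folder, then the same folder after drift."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "CustomApp"  # hypothetical application folder
        (app / "lib").mkdir(parents=True)
        (app / "app.exe").write_bytes(b"constructed-exe-v1")
        (app / "lib" / "core.dll").write_bytes(b"constructed-dll-v1")
        (app / "start.bat").write_bytes(b"@echo off\r\n")
        (app / "readme.txt").write_bytes(b"not executable, ignored")
        baseline = build_manifest(app)  # taken on the golden image

        (app / "lib" / "core.dll").write_bytes(b"constructed-dll-v2")  # changed
        (app / "dropped.exe").write_bytes(b"unexpected file")  # new
        (app / "start.bat").unlink()  # removed
        return baseline, compare_to_baseline(baseline, build_manifest(app))

if __name__ == "__main__":
    baseline, drift = demo()
    print(f"{len(baseline)} baseline files")
    for kind, paths in drift.items():
        print(kind, paths)
```

Anything reported under "added" or "modified" is a file that a folder-level exclusion would let run without having been reviewed on the golden image.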
Hi Ilker. Believe me, I did this and didn’t get a good result. Clients just started screaming at me. I used the file group option. I added the custom application files in one folder and added them to a file group. I excluded it in containment only. It’s working fine. I used your method above for a single executable a while back and it worked. But when I tried for multiple executables, I got disappointed. I’m quite sure it was a config issue from the client end. But all the same, whitelisting a large number of executables works when you add them to a folder and then to a file group and then exclude it from containment only. Thank you Ilker!
Oh, and one more thing. If you insist on whitelisting on a per-file basis, i.e. rating each file as trusted, I also love this approach and I know it’s more secure. But here we have over a hundred exes, DLLs, jars, and bats altogether. But in the console, it allows us to put in one file path at a time. This is very tedious and complicated for a whole lot of executables. I believe there should be a way to add multiple file paths at a time to save time and energy. Thanks once again Jay, Carl and Ilker!
Hello @chales ,
It is really whitelisting the whole path.
For your convenience, I'll be creating a support ticket for this. We will further investigate the concern and we will check if there are other ways/approaches that fit exactly what you need.
Thank you.
Was a solution found to this issue?