We are in the process of adding more than 75 hashes as MD5 to the ENS Access Protection. However, after the list was added, alerts in the dashboard started to pop up, none related to the blacklist added.
So we verified and validated all those hashes in the alerts and found they are ranked as false positives. We added a whitelist to the Access Protection to exclude some of those hashes, and still those alerts are showing up in the ePO dashboard.
Is this a misconfiguration, or did we trigger some other rule?
Help is appreciated.
Hi @jespinoza18 (Jose),
Thank you for reporting the issue. Can you kindly check the timestamp of these events in ePO and confirm they are newer alerts? (Timestamp of event generated time)
Also, can you confirm from the specific endpoint, by opening the client UI, that the events are being generated?
Can you help us with a sample event description along with a screenshot here?
Also, it would be helpful to look into the corresponding MD5 exclusion you have added as well!
The hash alert is very repetitive, over and over again, the same source hash from cscript.exe:
Source Process Hash: b073f18d23be85799a640147af9aba99
and the process is:
Threat Target File Path: C:\Windows\Temp\invBF57_tmp\Sierra_multiPNP\Sierra_Inv.vbs
We included the source hash in a whitelist in the Access Protection, and a lot of alerts marked as blocked still appear on the dashboard, even today.
Again, are we missing something?
What exactly have you added as an exclusion? ENS can only exclude based on SOURCE and not TARGET.
From what I see, you've created a rule entry to include these exclusions; this is not needed and won't work. Are you trying to add these hashes as exclusions from all rules? If yes, then you need to put them outside of each singular rule; on your second screenshot you see this at the top of the page.
However, if you are adding these to one specific rule, and are adding them as you are, then you need to remove the hash from the file name/path field. If you add a file name + a hash, it needs to meet both of these criteria to be allowed.
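To make the three points in that answer concrete (exclusions match the source process rather than the target file; a file name plus a hash in one entry must both match; an entry inside one rule affects only that rule, while an entry at the policy level affects all of them), here is a small model of the evaluation. It is an added illustration with constructed data, not Trellix/McAfee code and not how ENS is actually implemented internally; the rule names, the target patterns and the assumed location of cscript.exe are made up, while the source hash and target path are the ones quoted in the thread.

```python
import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, the form the event's Source Process Hash takes."""
    return hashlib.md5(data).hexdigest()


@dataclass
class Exclusion:
    """One exclusion entry. Both fields are optional; when both are set the
    SOURCE process must satisfy both (AND), so naming the TARGET file's path
    next to the source hash can never match."""
    file_path: Optional[str] = None   # file name/path glob of the SOURCE process
    md5: Optional[str] = None         # MD5 of the SOURCE process executable

    def matches(self, source_path: str, source_md5: str) -> bool:
        if self.file_path is not None and not fnmatch.fnmatch(
                source_path.lower(), self.file_path.lower()):
            return False
        if self.md5 is not None and self.md5.lower() != source_md5.lower():
            return False
        return True


@dataclass
class Rule:
    name: str
    target_glob: str                                   # files the rule protects
    exclusions: List[Exclusion] = field(default_factory=list)  # rule-level only

    def fires(self, source_path: str, source_md5: str, target_path: str) -> bool:
        if not fnmatch.fnmatch(target_path.lower(), self.target_glob.lower()):
            return False
        return not any(e.matches(source_path, source_md5) for e in self.exclusions)


@dataclass
class Policy:
    rules: List[Rule]
    # Entries placed "outside of each singular rule": they apply to every rule.
    global_exclusions: List[Exclusion] = field(default_factory=list)

    def blocked_by(self, source_path: str, source_md5: str, target_path: str) -> List[str]:
        """Names of the rules that would block (and alert on) this event."""
        if any(e.matches(source_path, source_md5) for e in self.global_exclusions):
            return []
        return [r.name for r in self.rules if r.fires(source_path, source_md5, target_path)]


# Constructed scenario. SOURCE_MD5 and TARGET are the values quoted in the thread;
# SOURCE_PATH is an assumed location for cscript.exe.
SOURCE_PATH = r"C:\Windows\System32\cscript.exe"
SOURCE_MD5 = "b073f18d23be85799a640147af9aba99"
TARGET = r"C:\Windows\Temp\invBF57_tmp\Sierra_multiPNP\Sierra_Inv.vbs"


def make_rules() -> List[Rule]:
    # Two hypothetical rules that both cover the target file.
    return [Rule("Block scripts run from Temp", r"C:\Windows\Temp\*"),
            Rule("Protect VBS files", "*.vbs")]


def scenario_wrong_entry() -> List[str]:
    """Entry inside one rule naming the TARGET path plus the source hash: both
    criteria must match the SOURCE, the path does not, so nothing is excluded."""
    rules = make_rules()
    rules[0].exclusions.append(Exclusion(file_path=TARGET, md5=SOURCE_MD5))
    return Policy(rules).blocked_by(SOURCE_PATH, SOURCE_MD5, TARGET)


def scenario_rule_level_fixed() -> List[str]:
    """Hash-only entry inside one rule: that rule is silenced, the other still fires."""
    rules = make_rules()
    rules[0].exclusions.append(Exclusion(md5=SOURCE_MD5))
    return Policy(rules).blocked_by(SOURCE_PATH, SOURCE_MD5, TARGET)


def scenario_global() -> List[str]:
    """Hash-only entry at policy level: every rule is silenced for that source."""
    policy = Policy(make_rules(), global_exclusions=[Exclusion(md5=SOURCE_MD5)])
    return policy.blocked_by(SOURCE_PATH, SOURCE_MD5, TARGET)


if __name__ == "__main__":
    print("wrong entry (target path + hash):", scenario_wrong_entry())
    print("hash-only inside one rule:      ", scenario_rule_level_fixed())
    print("hash-only at policy level:      ", scenario_global())
```

Running it shows the first scenario still blocking on both rules, which is the symptom in the thread; only the hash-only entry at policy level silences every rule. When checking whether the hash you added is really the source's hash, compute it over the executable's bytes (as `md5_hex` does) and compare with the event's Source Process Hash field before assuming the exclusion itself is wrong.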