I am trying to find a way to load an executable that has been deemed a trojan (win.dropper.generic::95.sbx.tg). The file is not an issue, as it is part of a monitoring server with a fresh appliance. Here are the issues. I attempted to exclude the file name, parts of the threat name, etc.; see the screenshot:

[screenshot]

I tried to find a way to use the threat name, but the application will not allow the actual detection name, as shown:

[screenshot]

in the text field for the threat name. I tried string escapes for the colon, but the input field won't allow them or the colon.

I tried to load the executable into a DFS share's local directory that is replicated to \\domain name\some location, but the AV will not allow UNC exclusions, so the instant the file is placed in the local directory it is replicated to \\domain name\some location and the AV quarantines the file in both locations.

Can you please explain how I can whitelist this file?


You can't use a malware detection name as an exclusion with Immunet. I'm assuming that you already tried to use the Restore feature with no luck.

Normally, if you add the 'complete & exact file path' for an .exe to the Exclusion list, that should work. If I'm understanding you correctly, if the .exe is on a different drive or in a different directory, I could see where that might cause problems if the file was flagged as malicious.

Is it OCSLOGON.exe, included in the screen grab, that you're referring to?


Ritchie58, you are correct. The file name is OCSLOGON.exe. I tried the restore feature; though the application reported success, the file was not restored to the directory. Am I looking at the filename exclusion incorrectly? I was expecting that if I excluded the exact filename in the exclusion, this would eliminate that file from being scanned. If my expectation is correct, then it would not matter what directory the file was placed in, correct? If I am thinking right on filename exclusion, then could this be an issue caused by both the PDC and BDC running Immunet, with the file ending up in a replicated path for both servers? I was only working on the PDC (where I excluded the filename) and where the file is placed in a local directory, but this directory is replicated, which might be caught by the BDC. Maybe? Not sure if this is valid, because the file would get removed from the PDC local directory. Thanks for responding, and any ideas on this will be helpful.
