CruxEight, posted March 19, 2021

I am trying to find a way to load an executable that has been deemed a trojan (win.dropper.generic::95.sbx.tg). The file is not an issue, as it is part of a monitoring server with a fresh appliance. Here are the issues. Attempted to exclude the file name, parts of the threat name, etc.; see screenshot. Tried to find a way to use the threat name, but the application will not allow the actual detection name as shown in the text field for threat name. Tried string escapes for the colon, but the input field won't allow them or the colon. Tried to load the executable on a DFS share local directory that is replicated to \\domain name\some location, but the AV will not allow UNC exclusions, so the instant that the file is placed in the local directory it is replicated to \\domain name\some location and the AV quarantines the file in both locations. Can you please explain how I can whitelist this file?
ritchie58, posted March 20, 2021

You can't use a malware detection name as an exclusion with Immunet. I'm assuming that you already tried to use the Restore feature with no luck. Normally, if you add the 'complete & exact file path' for an .exe to the Exclusion list, that should work. If I'm understanding you correctly, if the .exe is in a different drive or file directory, I could see where that might cause problems if the file was flagged as malicious. Is it OCSLOGON.exe, included in the screen grab, that you're referring to?
CruxEight (author), posted March 27, 2021

Ritchie58, you are correct. The file name is OCSLOGON.exe. I tried the restore feature; though the application reported success, the file was not restored in the directory. Am I looking at the filename exclusion incorrectly? I was expecting that if I excluded the exact filename in the exclusion, this would eliminate that file from being scanned. If my expectation was correct, then it would not matter what directory the file was placed in, correct? If I am thinking right on filename exclusion, then could this be an issue that is caused because both the PDC and BDC are running Immunet and the file ends up in a replicated path for both servers? I was only working on the PDC (where I excluded the filename) and where the file is placed in a local directory, but this directory is replicated, which might be caught by the BDC. Maybe? Not sure if this is valid, because the file would get removed on the PDC local directory. Thanks for responding, and any ideas on this will be helpful.
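The replication problem described in the thread, as an added example that is not part of any post above: because Immunet accepts exact local paths but not UNC paths, each DFSR member needs its own exclusion for the path the file will have on that server. This PowerShell script (assumed names: the executable path, the replication group and folder, and the known-good hash are placeholders) first verifies the binary against a known-good SHA256 before anything is excluded, then lists the exact local path on every replica member.

```powershell
# Added example, not from the thread. Requires the DFSR PowerShell module
# (Windows Server) and RSAT; run on one of the replication group members.
# Placeholders: replace $ExePath and $KnownGoodSha256 with real values.

$ExePath         = 'D:\Monitoring\OCSLOGON.exe'                 # assumed path
$KnownGoodSha256 = 'REPLACE_WITH_SHA256_OF_THE_CLEAN_VENDOR_BUILD'

# 1. Never exclude an unverified binary: confirm it is the expected build.
$actual = (Get-FileHash -Path $ExePath -Algorithm SHA256).Hash
if ($actual -ne $KnownGoodSha256.ToUpperInvariant()) {
    throw "SHA256 mismatch for ${ExePath}: $actual. Investigate before excluding."
}

# 2. Find the DFSR replicated folder on this server whose content path
#    contains the executable.
$local = Get-DfsrMembership | Where-Object {
    $ExePath.StartsWith($_.ContentPath, [StringComparison]::OrdinalIgnoreCase)
} | Select-Object -First 1
if (-not $local) {
    throw "$ExePath is not inside any DFSR replicated folder on this server."
}

# Path of the file relative to the replicated folder root, e.g. 'OCSLOGON.exe'.
$relative = $ExePath.Substring($local.ContentPath.Length).TrimStart('\')

# 3. Resolve every member of that replication group and compute the exact
#    local path the replicated copy will have on each one. Each of these
#    paths is what has to go into that server's Immunet exclusion list
#    (a filename-only exclusion is not tied to a path, a UNC path is rejected).
$members = (Get-DfsrMember -GroupName $local.GroupName).ComputerName
Get-DfsrMembership -GroupName $local.GroupName -ComputerName $members |
    Where-Object { $_.FolderName -eq $local.FolderName } |
    ForEach-Object {
        [pscustomobject]@{
            Server        = $_.ComputerName
            ExclusionPath = Join-Path $_.ContentPath $relative
            Sha256        = $actual
        }
    } | Format-Table -AutoSize
```

The table it prints is one row per replica (for example the PDC and the BDC), each with the local path to exclude on that server; re-run the hash check after any update of the monitoring software so the exclusion never outlives the verified build.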