Best Practices For AMP For Endpoint Exclusions

This document provides guidance on creating effective exclusions in Cisco Advanced Malware Protection (AMP) for Endpoints. It discusses different types of exclusions, including obvious and indistinct exclusions. It outlines best practices for identifying exclusions through policy creation, group creation, and reviewing diagnostic logs to find frequently accessed files and processes. Sample outputs from Mac and Windows diagnostic logs are provided to demonstrate how to analyze logs and identify valid exclusions around items like credential files. The goal is to tailor exclusions to each environment to balance performance and security.

Best practices for AMP for Endpoint Exclusions
Contents
Background Information
Understanding Exclusions
Obvious Exclusions
Indistinct Exclusions
Policy Creation
Group Creation
Identifying Exclusions
Using MAC
Using Windows
Sample Scenario:
Writing Exclusions
Path Exclusions
File Extension
Wildcard
Process
Threat
Related Information
Introduction

This document explains what exclusions are, which types of exclusions can be configured, and the
best practices for locating and creating exclusions on the Cisco Advanced Malware Protection
(AMP) for Endpoints Connectors.

Contributed by Caly Hess, Mathew Huynh and Matthew Franks, Cisco Technical Engineers.

Background Information
Understanding Exclusions

An exclusion set is a list of directories, file extensions, or threat names that you do not want the
AMP for Endpoints Connector to scan or convict. Exclusions are necessary to balance performance
and security on a machine that runs endpoint protection such as AMP.

Every environment is unique, as is the entity that controls it; policies range from stringent to open,
where the latter would be classified as a honeypot. The exclusions being defined must therefore be
tailored to each situation.

Exclusions can be categorized in two ways: obvious exclusions and indistinct exclusions.

Obvious Exclusions

A list of Obvious Exclusions is available here:

(https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118341-configure-fireamp-00.html)

Note: It is recommended to contact other Anti-Virus (AV) vendors and request their
recommended exclusions so they can be added. This ensures that the AMP for Endpoints
Connector and the AV product function in tandem and minimizes the performance impact.

Indistinct Exclusions

It is recommended to create a duplicate policy to avoid business security concerns and
disruptions. Then identify the computers that show performance-issue indicators and separate
them into a group that uses this duplicate policy.

Caution: Changes on the dashboard will require time to allow connectors to sync. Please
allow for a heartbeat update or manually sync the policies on the connectors.

Policy Creation

1. AMP for Endpoints Console > Management Tab > Policies
2. Click on + New Policy...
3. Select the operating system from the drop-down menu.
4. Give it a meaningful name that lets you distinguish this policy, and a description (optional).
5. Select the policy actions according to your requirements; use the default exclusions for now.
6. Important: in Advanced Settings > Administrative Features, set the Connector log level
to Debug.
7. Click Save to complete the policy creation.

Group Creation

1. AMP for Endpoints Console > Management Tab > Groups
2. Click on Create Group
3. Give it a meaningful name that lets you distinguish this group, and a description (optional).
4. Select the duplicate policy you have created.
5. Click Save to complete the group creation.

Identifying Exclusions

After the duplicate policy and group have been created, with the debug log level active on the
connectors, run the computers as per normal business operations. Allow time to obtain sufficient
connector log data while programs and processes are accessed, then generate a support diagnostic
bundle to review and identify exclusions.

Guides for creating diagnostic bundles on the different operating systems are available:

Windows here (https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118228-technote-fireamp-00.html)

Linux here (https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/200877-Collection-of-Diagnostic-Data-from-a-Fir.html)

MAC here (https://www.cisco.com/c/en/us/support/docs/security/fireamp-mac/118365-technote-fireamp-00.html)

Using MAC

Extract the zipped debug diagnostic bundle.

Within the debug diagnostic bundle's main directory, review the text file named fileops.txt. Each
line gives an access count followed by the path that was accessed:

31 /Users/eugene/Library/Cookies/Cookies.binarycookies
24 /Users/eugene/.zhistory
9 /Users/eugene/.vim/.temp/viminfo
9 /Library/Application Support/Apple/ParentalControls/Users/eugene/2018/05/10-usage.data
5 /Users/eugene/Library/Cookies/HSTS.plist
5 /Users/eugene/.vim/.temp/viminfo.tmp
4 /Users/eugene/Library/Metadata/CoreSpotlight/index.spotlightV3/tmp.spotlight.state
3 /Users/eugene/Library/WebKit/com.apple.Safari/WebsiteData/ResourceLoadStatistics/full_browsing_session_resourceLog.plist
3 /Library/Logs/Cisco/supporttool.log
2 /private/var/db/locationd/clients.plist
2 /Users/eugene/Desktop/.DS_Store
2 /Users/eugene/.dropbox/instance1/config.dbx
2 /Users/eugene/.DS_Store
2 /Library/Catacomb/DD94912/biolockout.cat
2 /.fseventsd/000000000029d66b
1 /private/var/db/locationd/.dat.nosync0063.arg4tq

Using Windows

The Windows operating system is more complicated: more exclusion options are available because
of parent and child processes. A deeper review is therefore required to identify not only the files
that were accessed but also the programs that generated them. A script that extracts this
information is available; it requires bash to execute.

Extract the zipped debug diagnostic bundle.

Amp_scan_debug_log.sh is available as an attachment here (https://cisco.app.box.com/s/r7k4gym6nghz4aszwhav96hos0cv00mc).

Save it into the folder with the sfc.exe.log.

Run the bash script.

Note: This bash script sorts the data in sfc.exe.log by parent process and by file information.
To run a bash script on Windows, you can either install Cygwin and run the script with
bash.exe, use PowerShell, or run the script from the Windows 10 Bash Shell.

Output from script:

example$ ./amp_scan_debug_log.sh

Printing Parent Info

1 \\?\C:\Windows\System32\RuntimeBroker.exe
2 \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
2 \\?\C:\Windows\System32\LogonUI.exe
2 \\?\C:\Windows\System32\sdiagnhost.exe
3 \\?\C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe
3 \\?\C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
5 \\?\C:\Windows\System32\MpSigStub.exe
6 \\?\C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
7 \\?\C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_9fa3df5e8b646d75\igfxEM.exe
21 \\?\C:\Windows\System32\browser_broker.exe
25 \\?\C:\Program Files (x86)\Internet Explorer\iexplore.exe
43 \\?\C:\Windows\System32\taskhostw.exe
93 \\?\C:\Program Files\internet explorer\iexplore.exe
105 \\?\C:\Program Files\JetBrains\IntelliJ IDEA 2017.2\bin\idea64.exe
110 \\?\C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
148 \\?\C:\Windows\System32\cleanmgr.exe
194 \\?\C:\Program Files (x86)\HP\Discovery Agent\Plugins\usage\discusge.exe
207 \\?\C:\Windows\System32\SettingSyncHost.exe
507 \\?\C:\Windows\System32\svchost.exe
1351 \\?\C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
1758 \\?\C:\Windows\System32\lsass.exe

Printing File Info

1 \\?\C:\Program Files\WindowsApps\Microsoft.WindowsStore_11807.1001.13.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml
1 \\?\C:\Program Files\WindowsApps\Microsoft.WindowsStore_11807.1001.13.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml
27 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\FE76E80DC31D6DC9531F946E943BA219
27 \\?\C:\Users\ted\AppData\Local\Microsoft\Windows\WebCache\V01.chk
29 \\?\C:\Users\ted\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlUws.store_new
31 \\?\C:\Users\ted\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlMalBin.store_new
31 \\?\C:\Users\ted\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlMalware.store_new
31 \\?\C:\Windows\System32\config\netlogon.ftl
32 \\?\C:\Users\ted\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store_new
32 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\82ACCE43A77D87451DAB381D8DF4BD3D
42 \\?\C:\Users\ted\AppData\Local\Temp\Olktmp02.png
51 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\C282DC37FE33414EE328DF5C27FB0792
54 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\9228A548A8DA5485AC8C71DF085A8410
69 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\3D9A580908EF3A82ACE238B296519E7A
71 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\73DC14E3D2972B12EEE305E8EC5D45AE
73 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\96A08987E61B86D5D5E86F85B6717643
73 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\98F4231D44169E77A025A9E42E895FF8
73 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\9AF6AB3F44CF595F5BD1613BC8369953
73 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\B88B81B92F70C9265A16E73A2CF57A22
73 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\CAA00632F823A9C9FA80569E0C9D57ED
73 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\E1F242D990795AA489785110BF604A08
98 \\?\C:\Users\ted\.IntelliJIdea2017.2\config\idea.key
105 \\?\C:\Windows\System32\sru\SRU.chk
128 \\?\C:\Users\ted\AppData\Local\Microsoft\Windows\Themes\Custom.theme
191 \\?\C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Hewlett-Packard\Universal Discovery\Data\disckpnt.bin_tmp
196 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\7C3DECEB0838921F36BFD32E8DA02EEC
197 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\584E0E1951F88C7F979A9415EA6BD580

With the outputs of the diagnostic bundle reviewed, identify the busiest, most accessed files. Verify
their validity in your business environment and their exposure to external environments. Make
sure you are aware of any vulnerabilities the files and processes may have before excluding them.
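Ranking the output by hand works for a short bundle, but a busy machine produces thousands of lines. The following script is an added example, not part of the Cisco document or its bash script: it parses lines in the "count path" layout used by fileops.txt and by the script's "Printing File Info" section, aggregates the counts per directory (a directory with many busy files is a path-exclusion candidate; a single busy file is often better handled through its parent process), and flags directories where a blanket exclusion needs justification before it is written. The sample lines are copied from the outputs above; the threshold and the list of locations to review are our own choices, not values from the document.

```python
import re
from pathlib import PureWindowsPath, PurePosixPath

# Constructed samples in the "count path" layout of fileops.txt and of the
# script's "Printing File Info" section. The lines are copied from the
# document's sample outputs; the selection is ours.
WINDOWS_SAMPLE = r"""
197 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\584E0E1951F88C7F979A9415EA6BD580
196 \\?\C:\Users\ted\AppData\Local\Microsoft\Credentials\7C3DECEB0838921F36BFD32E8DA02EEC
128 \\?\C:\Users\ted\AppData\Local\Microsoft\Windows\Themes\Custom.theme
105 \\?\C:\Windows\System32\sru\SRU.chk
98 \\?\C:\Users\ted\.IntelliJIdea2017.2\config\idea.key
42 \\?\C:\Users\ted\AppData\Local\Temp\Olktmp02.png
"""

MAC_SAMPLE = """
31 /Users/eugene/Library/Cookies/Cookies.binarycookies
24 /Users/eugene/.zhistory
9 /Users/eugene/.vim/.temp/viminfo
5 /Users/eugene/Library/Cookies/HSTS.plist
5 /Users/eugene/.vim/.temp/viminfo.tmp
"""

# Location markers (our list, not from the document) where a blanket path
# exclusion deserves a second look before it is written: system binaries,
# credential stores and scratch directories that malware also likes to use.
REVIEW_BEFORE_EXCLUDING = (
    "\\windows\\system32",
    "\\appdata\\local\\microsoft\\credentials",
    "\\appdata\\local\\temp",
    "/library/keychains",
    "/tmp",
)

LINE_RE = re.compile(r"\s*(\d+)\s+(\S.*?)\s*$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def parse_counts(text):
    """Return [(count, path)] from 'count path' lines.

    The Windows connector logs paths with the \\\\?\\ prefix; strip it so the
    path can be handled by pathlib. Lines without a path are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        count, path = int(m.group(1)), m.group(2)
        if path.startswith("\\\\?\\"):
            path = path[4:]
        entries.append((count, path))
    return entries


def parent_dir(path):
    """Directory part of a Windows or POSIX path string."""
    p = PureWindowsPath(path) if DRIVE_RE.match(path) else PurePosixPath(path)
    return str(p.parent)


def rank_directories(entries):
    """Aggregate per directory: (directory, total accesses, distinct files),
    busiest first."""
    by_dir = {}
    for count, path in entries:
        d = parent_dir(path)
        total, files = by_dir.get(d, (0, 0))
        by_dir[d] = (total + count, files + 1)
    ranked = sorted(by_dir.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(d, total, files) for d, (total, files) in ranked]


def needs_review(directory):
    """True when the directory sits under a marker in REVIEW_BEFORE_EXCLUDING."""
    low = directory.lower()
    return any(marker in low for marker in REVIEW_BEFORE_EXCLUDING)


def exclusion_candidates(text, min_total=100):
    """Directories whose aggregate access count reaches min_total, with a flag
    telling the reviewer that the location needs justification first."""
    return [
        (d, total, files, needs_review(d))
        for d, total, files in rank_directories(parse_counts(text))
        if total >= min_total
    ]


if __name__ == "__main__":
    for sample, threshold in ((WINDOWS_SAMPLE, 100), (MAC_SAMPLE, 30)):
        for d, total, files, flag in exclusion_candidates(sample, threshold):
            mark = "REVIEW" if flag else "ok"
            print(f"{total:5d} accesses  {files:2d} file(s)  {mark:6s} {d}")
```

On the Windows sample the Credentials directory comes out on top with two busy files and a REVIEW flag, which is exactly the point where the scenario below asks whether a process exclusion on the parent process is the better option than a wildcard on the directory.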

Sample Scenario:

Review the Windows sample output. Ted's computer is accessing Microsoft Credentials
frequently. Research on this folder finds that excluding the Credentials folder does not produce a
security risk. However, is there a better option than
excluding C:\Users\*\AppData\Local\Microsoft\Credentials\ as a wildcard?

Consider which parent process is spawning all of these credential checks. On investigation, the
process that populates this folder is determined to be lsass.exe. Additionally, this folder is created
when computers access each other on the network. This computer is accessed often on the
network, which also leads to a high access rate on the parent process lsass.exe.

lsass.exe is found to be the source of many high CPU issues but might not be the cause of this
one. Malware assuming the name lsass.exe is common, but process exclusions are written to
fit the exact path or the exact hash specified. Unless your network is already compromised, it is
likely that C:\Windows\System32\lsass.exe is the real process.

As a test, add the exact path C:\Windows\System32\lsass.exe as a process exclusion and monitor
CPU usage. CPU usage may drop after this configuration change and correct the issue; if there is
no change in behaviour, continued investigation is required.

This is where identifying the parent process is required: it allows admins to focus on the cause,
not the symptoms.

In this example, let's say Ted provides more specific information: a massive slowdown in
Adobe-based applications when they first load. This indicates that lsass.exe is not related to the
CPU issue and gives a scope for investigating the sample output. The Adobe-specific entries in
the output are:

C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe

Research into these processes shows that AdobeGCClient.exe is a license checker. It initiates when
Adobe starts up to check whether the license is valid and then checks again as updates or plugins
are dealt with. However, it does check against the cloud, and when it initiates the network
component, AMP delays it to check the validity of the connection before releasing it. Some
programs are hypersensitive, and a delay of a few milliseconds can cause a major CPU load issue.
Exclude these programs and test.

Writing Exclusions

Caution: Always understand the files and processes before writing an exclusion to avoid
security vulnerabilities to the computer.

Note: Additional details available in the User Guide, Review Chapter 3 Here. This chapter
covers the types of exclusions, implementation, and navigation of our portal.

This section covers the best practices of writing exclusions for your environment.

Path Exclusions

Note: Path Exclusions are recursive and will exclude all sub-directories as well.

These exclusions are the most frequently used; application conflicts typically involve excluding a
directory. Create a path exclusion using an absolute path or a CSIDL.

For example, to exclude an antivirus application in the Program Files directory, the exclusion path
would be either:

C:\Program Files\MyAntivirusAppDirectory
CSIDL_PROGRAM_FILES\MyAntivirusAppDirectory
Without a trailing slash, Windows connector will do a partial match on paths. Mac and Linux
will not.

Example with path exclusions of C:\test and C:\Program Files:

C:\test will be excluded, as will C:\test123.

C:\Program Files and C:\Program Files (x86) will both be excluded.

Changing the exclusion from C:\test to C:\test\ stops C:\test123 from being excluded.

File Extension

Note: Standard exclusions are available in the default list. It is not recommended to delete
these exclusions; doing so may cause performance changes on your computers.

These exclusions allow all files with a certain extension to be excluded.

Key points:

● Expected input on the connector side is .extension
● The Dashboard automatically prepends a period to the file extension if none was added.
● Extensions are not case sensitive.

For example, to exclude all Microsoft Access database files, create the following exclusion:

.MDB

Wildcard

Caution: Wildcard exclusions do not stop at path separators, which can lead to unintended
exclusions. Example: C:*\test will exclude C:\sample\test as well as
C:\1\2\3\4\5\6\test123

These exclusions are the same as path or extension exclusions except that an asterisk (*)
character acts as a wildcard.

For example, to exclude virtual machines on a Mac from being scanned, enter this path exclusion:

/Users/johndoe/Documents/Virtual Machines/

This exclusion only works for johndoe. To match multiple users, replace the username in
the path with an asterisk (*) to make it a wildcard exclusion:

/Users/*/Documents/Virtual Machines/

To write one exclusion for paths that exist on separate drives:

Example: C:\testpath and D:\testpath will be:

*\testpath

Note: Using *\testpath will exclude C:\testpath and D:\testpath, as well as
C:\directory\testpath and D:\directory\subdirectory\testpath
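The path, file-extension and wildcard rules above interact in ways that are easy to get wrong when writing an exclusion by hand (partial matching on Windows, wildcards crossing separators, case handling). The matcher below is an added example written for this page, not Cisco's connector code; it encodes the semantics exactly as the document states them so that a proposed exclusion can be checked against real paths before it goes into a policy. The connector's actual implementation is not public here, and the case-sensitive treatment of Mac and Linux paths is our assumption.

```python
import re

WINDOWS = "windows"
MAC = "mac"
LINUX = "linux"


def _separator(os_name):
    return "\\" if os_name == WINDOWS else "/"


def path_pattern_to_regex(pattern, os_name):
    r"""Compile a path or wildcard exclusion into a regex with the semantics
    the document describes:
      * exclusions are recursive (everything beneath the path is excluded);
      * '*' matches any text, including path separators (C:*\test also
        covers C:\1\2\3\4\5\6\test123);
      * on Windows a pattern without a trailing separator is a partial match
        (C:\test also covers C:\test123) and matching is case-insensitive;
      * on Mac/Linux there is no partial match: the path itself or a child.
    Case-sensitive matching on Mac/Linux is our assumption, not stated on
    the page."""
    sep = _separator(os_name)
    # Escape literal text, then let each '*' match anything at all.
    body = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    if pattern.endswith(sep) or os_name == WINDOWS:
        regex = "^" + body
    else:
        regex = "^" + body + "(?:" + re.escape(sep) + "|$)"
    flags = re.IGNORECASE if os_name == WINDOWS else 0
    return re.compile(regex, flags)


def path_excluded(path, pattern, os_name):
    """True when the path (or wildcard) exclusion covers this path."""
    return path_pattern_to_regex(pattern, os_name).match(path) is not None


def normalize_extension(ext):
    """Dashboard behaviour: a period is prepended when missing, and
    extensions are not case sensitive."""
    ext = ext.strip()
    if not ext.startswith("."):
        ext = "." + ext
    return ext.lower()


def extension_excluded(path, ext):
    """True when the file's extension matches the exclusion."""
    return path.lower().endswith(normalize_extension(ext))


def is_excluded(path, exclusions, os_name):
    """Evaluate a list of ("path" | "wildcard" | "extension", value) rules
    in order. Path and wildcard rules share one matcher, since a path rule
    is a wildcard rule with no '*'. Returns the first matching rule or None."""
    for kind, value in exclusions:
        if kind in ("path", "wildcard") and path_excluded(path, value, os_name):
            return (kind, value)
        if kind == "extension" and extension_excluded(path, value):
            return (kind, value)
    return None


if __name__ == "__main__":
    rules = [("path", "C:\\test"), ("wildcard", "*\\testpath"), ("extension", "MDB")]
    for p in ("C:\\test123\\a.txt", "D:\\x\\testpath\\b.bin", "C:\\data\\db.mdb", "C:\\other\\c.txt"):
        print(p, "->", is_excluded(p, rules, WINDOWS))
```

Run a candidate exclusion against a handful of paths you do not want excluded (system directories, user downloads) as well as the ones you do; a wildcard that unexpectedly matches the former is the "unintended exclusion" the caution above warns about.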

Process

Process Exclusions allow admins to exclude running processes from normal File Scans (AMP for Endpoints Windows Connector version 5.1.1 and later),
System Process Protection (Connector version 6.0.5 and later), or Malicious Activity Protection (Connector version 6.1.5 and later).

A process exclusion is defined by specifying the full path to the process executable, the SHA-256 value of the process executable, or both the path and the
SHA-256. Paths may be given either as a direct path or as a CSIDL value.

Caution: Child processes created by an excluded process are not included in the exclusion
by default. Example: Process exclusion for MS Word, by default any additional processes
created will not be excluded and be scanned. To include additional processes, click the
checkbox Apply for Child Processes.

Note: Specifying both Path and SHA-256 will require both conditions to be met to exclude
the process.

Limitations:

● If the file size of the process is greater than the maximum scan file size set in your policy, then the SHA-256 of the process will not be computed and the exclusion will not work. Use a path-based process exclusion for files larger than the maximum scan file size.
● Connector versions earlier than 5.x.x - process exclusions are not supported.
● Connector versions 5.x.x to 6.0.3 - a limit of 25 process exclusions across all process exclusion types.
● Connector versions 6.0.5+ - a limit of 100 process exclusions across all process exclusion types.
● The connector will only honor the process exclusions up to the limit, from the top of the process exclusions list in policy.xml.
● Every policy has a process exclusion for sfc.exe, which counts against the limit.

<item>3|0||CSIDL_AMP_VERSION\sfc.exe|48|</item>
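Because the connector honors process exclusions from the top of the list only up to the version limit, exclusions added at the bottom of a long list can be silently ignored. The script below is an added example, not Cisco tooling: it pulls the executable path out of each `<item>` entry of a policy.xml fragment and reports which exclusions a given connector version will honor and which it will drop. The only layout fact taken from the document is that the fourth pipe-separated field of the sample item holds the path; the other fields are treated as opaque, the policy fragment it builds is constructed, and the handling of version 6.0.4 (not mentioned on the page) is our assumption.

```python
import re

ITEM_RE = re.compile(r"<item>(.*?)</item>")


def parse_version(version):
    """'6.0.5' -> (6, 0, 5) so versions compare as tuples."""
    return tuple(int(part) for part in version.split("."))


def process_exclusion_limit(connector_version):
    """Limits from the document: before 5.x.x unsupported (0), 5.x.x to 6.0.3
    a limit of 25, 6.0.5 and later a limit of 100. Version 6.0.4 is not
    mentioned on the page; we assume it falls in the 25 bucket."""
    v = parse_version(connector_version)
    if v < (5,):
        return 0
    if v < (6, 0, 5):
        return 25
    return 100


def process_exclusion_paths(policy_xml):
    r"""Extract the executable path from each <item>...</item> entry.

    The document's sample item, <item>3|0||CSIDL_AMP_VERSION\sfc.exe|48|</item>,
    carries the path in the fourth pipe-separated field; the meaning of the
    other fields is not stated on the page, so they are treated as opaque."""
    paths = []
    for body in ITEM_RE.findall(policy_xml):
        fields = body.split("|")
        if len(fields) > 3 and fields[3]:
            paths.append(fields[3])
    return paths


def honored_exclusions(policy_xml, connector_version):
    """Return (honored, ignored): the connector keeps process exclusions in
    policy order up to the version limit and drops the rest."""
    paths = process_exclusion_paths(policy_xml)
    limit = process_exclusion_limit(connector_version)
    return paths[:limit], paths[limit:]


def build_sample_policy(extra_count):
    """Constructed policy fragment: the sfc.exe item from the document followed
    by extra_count made-up application paths in the same pipe layout."""
    items = ["<item>3|0||CSIDL_AMP_VERSION\\sfc.exe|48|</item>"]
    for i in range(extra_count):
        items.append(f"<item>3|0||C:\\Program Files\\ExampleApp\\app{i:02d}.exe|48|</item>")
    return "\n".join(items)


if __name__ == "__main__":
    policy = build_sample_policy(26)  # 27 items including sfc.exe
    for version in ("4.5.0", "6.0.3", "6.0.5"):
        kept, dropped = honored_exclusions(policy, version)
        print(f"connector {version}: {len(kept)} honored, {len(dropped)} ignored")
        for path in dropped:
            print("  ignored:", path)
```

Note that sfc.exe sits at the top of every policy and therefore always consumes one slot; with 26 application exclusions on a 6.0.3 connector, the last two entries are the ones that never take effect.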

Threat

Warning: Do not exclude threats unless investigation has confirmed that the threat name is a
false positive. Threats that are excluded will no longer populate the Events tab for review
and audit.

These exclusions allow a particular threat name to be excluded from triggering events. Threat
exclusions should only be used when a scan result triggers a false-positive detection and it has
been confirmed that it is not an actual threat.

The text box for adding a threat exclusion is not case sensitive. Example: W32.Zombies.NotAVirus
and w32.zombies.notavirus will both match the same threat name.

Related Information
● Technical Support & Documentation - Cisco Systems
● Cisco AMP for Endpoints - TechNotes
● Cisco AMP for Endpoints - User Guide
