SEPM application exception with SHA256 hash not working

Article ID: 210964

Products

Advanced Threat Protection Platform

Issue/Introduction

Created an application exception for a Microsoft SCOM custom .msi package in SEPM using the SHA256 hash, and my client is still detecting the WS.Reputation.1 risk.

Cause

The SEP client is enrolled with the EDR appliance.

While enrolled, the SEP client performs Insight file reputation lookups by connecting to the EDR appliance and sending it the hash of the file to check.

If EDR finds that the hash has an Allow policy entry, it sends a high reputation value back to the SEP client.

If EDR finds that the hash has a Block policy entry, it sends a very low reputation value back to the SEP client.

If EDR finds neither a Block nor an Allow policy entry, it checks its local Insight cache.

If EDR has an existing reputation entry for the hash in that cache, it sends that value on to the SEP client.

If EDR has no existing reputation entry for the hash, it queries Broadcom's global Insight reputation servers and forwards the resulting reputation to the SEP client.

When the EDR appliance replies with a very low reputation for the file, the SEP client marks the file as "WS.Reputation.1". The SEPM application exception plays no part in this lookup path, which is why the detection persists.

Environment

The SEP client is enrolled with the EDR appliance.

Resolution

Rather than a SEPM application exception, add an Allow policy entry for the file's hash in EDR, so that EDR returns a high file reputation to the SEP client.
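The lookup order described under Cause, and the effect of the Allow entry this Resolution calls for, as an added model that is not Symantec's or Broadcom's code. The reputation scale, the WS.Reputation.1 cut-off and the .msi bytes are constructed stand-ins; only the precedence (Allow, Block, local cache, global Insight) comes from the article. One point the model makes visible: because Allow is checked before the local cache, a previously cached low reputation is overridden without clearing the cache.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed reputation scale; the real Insight scores are not on the page.
HIGH_REPUTATION = 9          # what an EDR Allow entry returns
VERY_LOW_REPUTATION = 1      # what an EDR Block entry (or an unknown file) returns
WS_REPUTATION_THRESHOLD = 3  # SEP flags WS.Reputation.1 at or below this (assumed)


@dataclass
class EdrAppliance:
    """Models the lookup order an enrolled SEP client's Insight query goes through."""
    allow_list: set = field(default_factory=set)
    block_list: set = field(default_factory=set)
    insight_cache: dict = field(default_factory=dict)
    global_insight: dict = field(default_factory=dict)  # stands in for Broadcom's servers

    def lookup(self, sha256: str) -> tuple:
        # 1. Allow policy entry wins outright.
        if sha256 in self.allow_list:
            return HIGH_REPUTATION, "edr-allow-policy"
        # 2. Block policy entry.
        if sha256 in self.block_list:
            return VERY_LOW_REPUTATION, "edr-block-policy"
        # 3. Local Insight cache.
        if sha256 in self.insight_cache:
            return self.insight_cache[sha256], "edr-insight-cache"
        # 4. Global Insight; the answer is cached for later queries (assumed).
        rep = self.global_insight.get(sha256, VERY_LOW_REPUTATION)
        self.insight_cache[sha256] = rep
        return rep, "global-insight"


def sep_verdict(edr: EdrAppliance, sha256: str) -> tuple:
    """Verdict the SEP client reaches from the reputation EDR hands back."""
    rep, source = edr.lookup(sha256)
    verdict = "WS.Reputation.1" if rep <= WS_REPUTATION_THRESHOLD else "clean"
    return verdict, source


# Constructed stand-in for the custom SCOM .msi; only its SHA256 matters here.
CUSTOM_MSI_SHA256 = hashlib.sha256(b"constructed SCOM installer bytes").hexdigest()

if __name__ == "__main__":
    edr = EdrAppliance()                        # unknown file: no policy, no cache
    print(sep_verdict(edr, CUSTOM_MSI_SHA256))  # ('WS.Reputation.1', 'global-insight')
    print(sep_verdict(edr, CUSTOM_MSI_SHA256))  # ('WS.Reputation.1', 'edr-insight-cache')
    edr.allow_list.add(CUSTOM_MSI_SHA256)       # the article's resolution
    print(sep_verdict(edr, CUSTOM_MSI_SHA256))  # ('clean', 'edr-allow-policy')
```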

Additional Information

For information on how SEP handles WS.Reputation.1 detections when no EDR appliance is involved, see:

https://community.norton.com/en/forums/clarification-wsreputation1-detection