You receive many Incidents and the Allow list is ignored

Article ID: 224702

Products

Endpoint Detection and Response

Issue/Introduction

You are receiving many Incidents for advanced threat types that involve legitimate processes. You are trying to whitelist a process via the Allow list, but nothing seems to stop these Incidents from being created.

Cause

Allow and Deny policies in SEDR populate the MD5 whitelist and blacklist fingerprint lists on the Symantec Endpoint Protection Manager. These lists are used either to immediately quarantine a file when it is scanned, or to prevent a specific MD5 from raising a conviction when SEP performs reputation lookups. In this case EDR is acting as the file reputation server for Allow/Deny, or assisting the reputation lookup for the SEP domain.

Allow lists will not affect SONAR events being sent to EDR and then creating Incidents.

Behavioural exploits often use several legitimate, trusted files in combination. Behavioural detection is a completely separate security layer from hash-based file reputation, and that layer ignores Allow policies.

Environment

Release : 4.6.0

Component: Policies, Incidents

Resolution

Whilst you may turn off EAR for groups, switch off event sources or disable the specific Incident rule, these methods are too broad and cannot be customised. There are two main methods for controlling Incident creation where the source is a SONAR event:

  • From version 4.6 of EDR, if the event ID is one listed in the drop-down of the Recorder Policy (an 8000-series event ID), you can create a Recorder Policy for it.

  • If the event ID is not supported there (e.g. a 4xxx event ID), if you need more than 200 rules, or if the SEP client versions are below 14.3 RU1, then manage SONAR via the SEPM by following the Managing SONAR documentation.