I thought this would be an easy task but apparently I'm missing something.
So I have a client that is getting a stupid amount of false positives for only a few computers, and these happen to be ones running Acronis cyber protect (actually it's True Image, but apparently the folder structure is "cyber protect" oriented, which is their business product).
I just want to whitelist this Acronis exe so I can shut this alerting up. However, when you dig into the details via Alerts and the Investigate tab, it will allow me to whitelist the ":artifact", which in this case is a file called tmp000771d6, but that's useless as these tmp files change every time. I need to whitelist the source of this, the c:\program files\acronis\cyberprotect\cyber-protect-service.exe file. There appears to be no way to do this. If I edit the policies I think related to this, they want a file path AND a file hash, but the interface here gives no file hash for the exe file, only the tmp files.
Kind of a dumb situation and I feel I must be missing something really obvious. Had no real problem figuring this stuff out in the old SEP Manager days but here in SES cloud console, it's a bit unintuitive.
Humbly requesting a kick in the pants to help me out here :)