Endpoint Protection

  • 1.  How to whitelist a file?

    Posted Feb 16, 2021 11:08 AM
    I thought this would be an easy task but apparently I'm missing something.  
    So I have a client that is getting a stupid amount of false positives for only a few computers, and these happen to be ones running Acronis cyber protect (actually it's True Image, but apparently the folder structure is "cyber protect" oriented, which is their business product).  
    I just want to whitelist this Acronis exe so I can shut this alerting up.  However, when you dig into the details via Alerts and the Investigate tab, it will allow me to whitelist the "artifact", which in this case is a file called tmp000771d6, but that's useless as these tmp files change every time.  I need to whitelist the source of this, the c:\program files\acronis\cyberprotect\cyber-protect-service.exe file.  There appears to be no way to do this.  If I edit the policies I think related to this, they want a file path AND a file hash, but the interface here gives no file hash for the exe file, only the tmp files.  

    Kind of a dumb situation and I feel I must be missing something really obvious.  Had no real problem figuring this stuff out in the old SEP Manager days but here in SES cloud console, it's a bit unintuitive.  

    Humbly requesting a kick in the pants to help me out here :)


  • 2.  RE: How to whitelist a file?

    Broadcom Employee
    Posted Feb 17, 2021 05:41 PM
    Hi Mixit,

    You would do this in the Allow (formerly called Whitelist) policy.

    Thanks,

    ------------------------------
    Jon Kaufman
    Strategic Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: How to whitelist a file?

    Posted Feb 22, 2021 01:03 PM
    I must have somehow just replied directly to Jon, but in any case, if one goes to Policies > Default WhiteList Policy (make sure not to get the SEP 14 one), you can do things directly there.  I had somehow ended up in a different page for editing policies, which would only allow me to upgrade a list file, and not directly enter a file path.  

    Here's some info for anyone needing to learn more: 

    https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Protection/adding-whitelist-policy-scan-exceptions-v120715667-d4155e23989.html