Trouble excluding a particular exe in FEP Scans


  • Wednesday, February 13, 2013 3:45 PM
     
     

    I need to exclude a program called Angry IP from detection and am having trouble.

    We have at least a dozen people in our organization who run it, specifically version 221. The file name is ipscan221.exe. It is detected as the following:

    Malware Name: Tool:Win32/Angryscan.A. - Link for more info: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Tool%3aWin32%2fAngryscan.A&threatid=140376

    I understand why it’s being blocked but this is a tool that we have used for years and it has its uses.

    I have experimented with a variety of syntax under all three Exclusion settings with no success.

    Specifically I’ve set the exclusions as listed below.

    Excluded files and locations: C:\*ipscan221.exe, ipscan.exe, ipscan221.exe

    Excluded file types: ipscan221.exe

    Excluded process: ipscan.exe, ipscan221.exe

    I’ve noticed that the Beta version is not detected, but I’m concerned that if it’s this difficult to exclude this simple exe, what else is going to give me headaches rolling out this product.

    I have seen similar questions posted with no direct answer.


    Russ


    • Edited by rshader Wednesday, February 13, 2013 3:46 PM

All Replies

  • Thursday, February 14, 2013 2:52 PM
     
     Proposed Answer
    Instead of excluding it on a file level, try setting an override for the threat name. In your FEP policy, go to the overrides section and in the threat name box, put Tool:Win32/Angryscan.A and set the action to allow.
  • Thursday, February 14, 2013 6:27 PM
     
     

    That's a great idea. I'll try it and let you know.

    Thanks


    Russ

  • Monday, February 18, 2013 4:24 PM
     
     

    As promising as this sounded, I just received a quarantine when accessing the software on a network share.

    I have it set in Threat Overrides as described. Not sure what I could be doing wrong. It's pretty straightforward. This is frustrating.


    Russ

  • Monday, February 18, 2013 4:32 PM
     
     Answered

    Can you check the registry on the system where you received the quarantine notice and make sure the following value exists?

    HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction

    Name: 140376

    Type: REG_DWORD

    Data: 6

    If it does not exist, the policy isn't applying correctly. You can create the value manually and retry accessing the network share.



    • Edited by KevinMJohnston Monday, February 18, 2013 4:32 PM
    • Marked As Answer by rshader Monday, February 18, 2013 8:52 PM
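A way to verify the override that the reply above describes before touching the registry by hand, as an added PowerShell example that is not part of the thread. It assumes the thread's values (threat ID 140376 for Tool:Win32/Angryscan.A, REG_DWORD data 6 for the Allow action) and assumes that the mistaken non-Policies location is HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction, which the thread implies but does not spell out.

```powershell
# Added example (not from the thread): check whether an FEP threat override
# for a threat ID has actually landed in the Policies registry node.
# Assumed from the thread: ID 140376, DWORD data 6 = the "Allow" action.
param(
    [string]$ThreatId = '140376',
    [int]$ExpectedAction = 6
)

# Key the FEP policy writes to; this is the one the client honours.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction'
# Assumed non-Policies key a hand edit can land in by mistake (see the thread).
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction'

function Get-OverrideState {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return 'key missing' }
    $item = Get-ItemProperty -Path $Key -Name $ThreatId -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'value missing' }
    # Name, type and data all have to match: REG_DWORD with the Allow action.
    $kind = (Get-Item $Key).GetValueKind($ThreatId)
    if ($kind -ne 'DWord') { return "wrong type ($kind)" }
    $data = $item.$ThreatId
    if ($data -ne $ExpectedAction) { return "wrong data ($data)" }
    return 'ok'
}

$policyState = Get-OverrideState $policyKey
$localState  = Get-OverrideState $localKey

"Policies node    : $policyState"
"Non-Policies node: $localState"

if ($policyState -eq 'ok') {
    'Override is in place; confirm under History -> Allowed Items in the client UI.'
} elseif ($localState -eq 'ok') {
    'Value sits under the non-Policies node; only the Policies node is read.'
} else {
    'Override not applied: check policy deployment before creating the value by hand.'
}
```

Run it on the machine that raised the quarantine; "value missing" under the Policies node is the same symptom the thread describes when the policy is not applying.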
  • Monday, February 18, 2013 6:59 PM
     
     

    Kevin,

    First of all, thanks for the quick reply.

    It seems my policy, apparently, isn't applying correctly, because I'm not seeing the value you suggested (which I'm not sure why that wouldn't be showing in the registry, as I see everything else from my policy in the .., i.e. scheduled scan, scan settings, exclusions that I tried for ipscan221, etc.).

    After seeing that, I tried creating the value manually. First thing I had to do was push the perms down through, which I found odd because I'm able to modify other areas of the registry. I created the value per your suggestion but am still getting a quarantine.

    Here's a screenshot to be sure I understood your post.


    Russ

  • Monday, February 18, 2013 7:28 PM
     
     

    That setting is correct, except that it needs to be under the Policies node:

    HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction

    Once you set it, you can go into the Endpoint Protection client UI -> History tab -> Allowed Items -> View Details and the overridden item should be listed there.

  • Monday, February 18, 2013 8:50 PM
     
     

    My bad. The Policies part was a rookie mistake. I should have noticed that. Sorry.

    Anyway, I set the reg value as you described. It took a reboot, but I can now run the ipscan221.exe.

    Awesome. Thanks.

    Now I have to wonder why my policy is not applying for the Threat Override. That part is very weird because I do see the exclusions in the registry. On to that issue I guess..

    Russ