Wednesday, February 13, 2013 3:45 PM
I need to exclude a program called Angry IP from detection and am having trouble.
We have at least a dozen people in our organization who run it, specifically version 221. The file name is ipscan221.exe. It is detected as the following:
Malware Name: Tool:Win32/Angryscan.A. - Link for more info: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Tool%3aWin32%2fAngryscan.A&threatid=140376
I understand why it’s being blocked but this is a tool that we have used for years and it has its uses.
I have experimented with a variety of syntax under all three Exclusion settings with no success.
Specifically I’ve set the exclusions as listed below.
Excluded files and locations: C:\*ipscan221.exe, ipscan.exe, ipscan221.exe
Excluded file types: ipscan221.exe
Excluded process: ipscan.exe, ipscan221.exe
I’ve noticed that the Beta version is not detected, but I’m concerned that if it’s this difficult to exclude this simple exe, what else is going to give me headaches rolling out this product.
I have seen similar questions posted with no direct answer.
- Edited by rshader Wednesday, February 13, 2013 3:46 PM
Thursday, February 14, 2013 2:52 PM
Instead of excluding it on a file level, try setting an override for the threat name. In your FEP policy, go to the overrides section and in the threat name box, put Tool:Win32/Angryscan.A and set the action to allow.
Thursday, February 14, 2013 6:27 PM
That's a great idea. I'll try it and let you know.
Monday, February 18, 2013 4:24 PM
As promising as this sounded, I just received a quarantine when accessing the software on a network share.
I have it set in Threat Overrides as described. Not sure what I could be doing wrong. It's pretty straightforward. This is frustrating.
Monday, February 18, 2013 4:32 PM
Can you check the registry on the system where you received the quarantine notice and make sure the following value exists?
If it does not exist, the policy isn't applying correctly. You can create the value manually and retry accessing the network share.
Monday, February 18, 2013 6:59 PM
First of all, thanks for the quick reply.
It seems my policy, apparently, isn't applying correctly, because I'm not seeing the value you suggested (which I'm not sure why that wouldn't be showing in the registry, as I see everything else from my policy in the .., i.e. scheduled scan, scan settings, the exclusions I tried for ipscan221, etc.).
After seeing that, I tried creating the value manually. First thing I had to do was push the perms down through, which I found odd because I'm able to modify other areas of the registry. I created the value per your suggestion but am still getting a quarantine.
Here's a screenshot to be sure I understood your post.
Monday, February 18, 2013 7:28 PM
That setting is correct, except that it needs to be under the Policies node:
Once you set it, you can go into the Endpoint Protection client UI -> History tab -> Allowed Items -> View Details and the overridden item should be listed there.
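The registry check described in the two replies above, as an added PowerShell example that is not code from the thread or from Microsoft. It assumes the FEP/Microsoft Antimalware layout in which threat overrides are stored as one DWORD per threat ID under Threats\ThreatIDDefaultAction, reads the threat ID 140376 from the encyclopedia link earlier in the thread, and assumes the action-code mapping in the comments; it reports whether the override landed under the Policies node (honoured) or only under the non-policy node (the mistake discussed above).

```powershell
# Added example: verify where a FEP threat-name override landed in the registry.
# Assumed layout: Threats\ThreatIDDefaultAction holds one DWORD per threat ID,
# whose data is the action code. Threat ID 140376 is from the thread's link.
$ThreatId = '140376'   # Tool:Win32/Angryscan.A

# Policy-delivered settings live under the Policies node; a value created by
# hand under the plain Microsoft node looks right but is not applied.
$Paths = [ordered]@{
    'Policies node (applied by FEP policy)' = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction'
    'Local node (not honoured)'             = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction'
}

# Assumed action codes used by ThreatIDDefaultAction.
$Actions = @{ 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove'; 6 = 'Allow'; 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block' }

function Get-ThreatOverride {
    param([string]$Id)
    foreach ($label in $Paths.Keys) {
        $key = $Paths[$label]
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name $Id -ErrorAction SilentlyContinue).$Id
        }
        $action = '(missing)'
        if ($null -ne $value) {
            $action = $Actions[[int]$value]
            if (-not $action) { $action = "unknown code $value" }
        }
        [pscustomobject]@{ Location = $label; Key = $key; Present = ($null -ne $value); Action = $action }
    }
}

# Create the Allow override under the Policies node only, mirroring the manual
# fix in the thread. Requires an elevated session.
function Set-ThreatAllowOverride {
    param([string]$Id)
    $key = $Paths['Policies node (applied by FEP policy)']
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Id -PropertyType DWord -Value 6 -Force | Out-Null
}

Get-ThreatOverride -Id $ThreatId | Format-Table -AutoSize
```

If the Policies row shows Action = Allow but the History tab still lists no allowed item, restart the client (the thread needed a reboot) before concluding the policy is not applying.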
Monday, February 18, 2013 8:50 PM
My bad. The Policies part was a rookie mistake. I should have noticed that. Sorry.
Anyway, I set the reg value as you described. It took a reboot, but I can now run the ipscan221.exe.
Now I have to wonder why my policy is not applying for the Threat Override. That part is very weird because I do see the exclusions in the registry. On to that issue, I guess.