Does Anyone happen to have a "Key" for what the fields for exclusions in the policy xml means?
For instance here is what I think I can figure out from making Windows process exclusions:
File Scan Exclusion(2,3)|Has Hash(0,1)|Hash Value|Path|Exclusion Type(0,1,4,12,16,48)
File Scan Exclusion
2 = True
3 = FALSE
0 = False
1 = True
0 = File scan w/o Child Processes
1 = File scan w/ Child Processes
4 = System Process w/o Child Processes
12 = System Process w/ Child Processes
16 = Malicous Activity w/o Child Processes
48 = Malicous Activity w/ Child Processes
WINDOWS Process Exclusions
01 File scan - hash only - no child process <item>2|1|0000000000000000000000000000000000000000000000000000000000000001||0|</item>
02 File scan - hash only - with child process <item>2|1|0000000000000000000000000000000000000000000000000000000000000002||1|</item>
03 File scan - hash & path - no child process <item>2|1|0000000000000000000000000000000000000000000000000000000000000003|c:\Path\03|0|</item>
04 File scan - hash & path - with child process <item>2|1|0000000000000000000000000000000000000000000000000000000000000004|c:\Path\04|1|</item>
05 File scan - path only - no child process <item>2|0||c:\Path\05|0|</item>
06 File scan - path only - with child process <item>2|0||c:\Path\06|1|</item>
11 Malicous Activity - hash only - no child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000011||16|</item>
12 Malicous Activity - hash only - with child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000012||48|</item>
13 Malicous Activity - hash & path - no child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000013|c:\Path\13|16|</item>
14 Malicous Activity - hash & path - with child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000014|c:\Path\14|48|</item>
15 Malicous Activity - path only - no child process <item>3|0||c:\Path\15|16|</item>
16 Malicous Activity - path only - with child process <item>3|0||c:\Path\16|48|</item>
21 System Process - hash only - no child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000021||4|</item>
22 System Process - hash only - with child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000022||12|</item>
23 System Process - hash & path - no child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000023|c:\Path\23|4|</item>
24 System Process - hash & path - with child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000024|c:\Path\24|12|</item>
25 System Process - path only - no child process <item>3|0||c:\Path\25|4|</item>
26 System Process - path only - with child process <item>3|0||c:\Path\26|12|</item>
Here is the more final version of my AMP Exclusion Stats code. DocStrings have been updated, requirements.in and requirements.txt files have been added, README.md has been added, and the main portion of the code has been optimized to use 10 work threads to speed up the scripts execution (hurray for multi-threaded Python scripts).
Having done that I am thinking about writing a script that could parse through multiple sfc.exe.log from several computers with the same policy and provide a count for the number of times each exclusion listed in the policy.xml file has been used.
Hi, Since the AMP connector update to 188.8.131.5233 the Diag_Analyzer_v1_03.exe has stopped creating the Summary file.
I logged a ticket with Cisco TAC support but they tell me that it is outside of TAC scope of support.
I was using Diag_Analyzer_v1_03.exe to identify exclusions that I needed to create during our AMP rollout to servers.
Now I am stuck because the tool doesn't work and Cisco say they don't support it.
What does everyone else do when rolling out AMP for the first time to servers.
I have an Audit policy applied to the servers currently, but it seems like I am stuck at this point because I can't move them to a protect policy as we have had several incidents where lack of exclusions has caused processes to hang.
Does anyone have any advise?