EDR granular exclusions (example: vssadmin.exe)

Hi,

we get a lot of "incidents" regarding "vssadmin.exe". The incidents are triggered by a task through our RMM.

The Task does on a regular basis:
- Delete a vss snapshot (yesterday)
- Create a vss snapshot (today)

The relevant part of the problem shows up here:

image.png

For sure, I won't create an exclusion for "vssadmin.exe".

Also excluding "C:\Windows\System32\vssadmin.exe" delete shadows /Shadow={184D3A2D-026A-4DEC-B1D4-0C8BF8BF3337} /quiet

won't be a good idea, because I would have to use some kind of wildcard for "{184D3A2D-026A-4DEC-B1D4-0C8BF8BF3337}".

Any ideas, how to create some kind of exclusion for that case or how to handle these events?

Best regards,
Daniel

Answers

  • Andrei_S Enterprise
    Andrei_S Enterprise Business Support Manager BD Staff

    Hello Daniel,

    The suggestion that I can provide based on the information shared is to check if any of the exclusion criteria from Incidents → Custom Exclusion Rules can be used. This document provides more details on how to set up this type of exclusion: https://www.bitdefender.com/business/support/en/77209-396279-custom-exclusion-rules.html#UUID-111ce8cb-2176-79a6-e6e3-9dee5cf93160

    If you need further assistance please open a case with our Enterprise Support team and we explore other solutions as well.

    https://www.bitdefender.com/en-us/support/contact-us


    Kind Regards,

    Andrei

  • Hello Andrei,

    thanks for your ideas. I already checked the custom exclusion rules, but the syntax for my case is totally unclear to me.

    I need some kind of rule that does this:
    IF [postprocess2] = tacticalrmm.exe AND [postprocess1] = powershell.exe AND [process] = vssadmin.exe and [commandline] CONTAINS ""C:\Windows\System32\vssadmin.exe" delete shadows /Shadow={*} /quiet" THEN EXCLUDE from SCAN/WARNING

    I also already contacted support in the first place, but the case did not lead to anything, so this is my second attempt to find a solution - maybe with the support of the enterprise community.

    I cannot believe that we are the only MSP facing this case. Any further concrete ideas are very welcome.

    Thanks in advance, best regards,
    Daniel

  • Andrei_S Enterprise
    Andrei_S Enterprise Business Support Manager BD Staff
    edited April 15

    @DaCap from what I checked in our CRM, I could only find a case where you reported an issue about not being able to add an exclusion on EDR; if you can share the case with me so I can double-check what was investigated, that would be helpful.

    You can provide the case number in private.

    Kind Regards,

    Andrei

  • Hello Andrei,

    I have no case number I could find quickly. I can just tell you the result was: no solution.
    But as you mentioned custom exclusion rules, I would like to stick to that and my question posted above.
    Do you have any ideas regarding my question?


    Best regards,
    Daniel

  • Andrei_S Enterprise
    Andrei_S Enterprise Business Support Manager BD Staff

    Hello,

    Creating the exclusion with IF and THEN clauses is not possible, but we would need to see if there is another way to make use of the available options from the custom exclusions. For example, making some exclusions based on path (as you initially mentioned that the task is to delete and create vss snapshots).

    The reason I asked for the case number was to understand what the engineer tried to do and what solution he offered in this case.

    I cannot promise I will come back with a solution exactly as you need it but I will do more research on this internally and get back to you.

    Kind Regards,

    Andrei

  • Hello Andrei,

    "I cannot promise I will come back with a solution exactly as you need it but I will do more research on this internally and get back to you."

    I don't expect that, so - no pressure. ;-)
    I just would appreciate it if we could (maybe(!)) find a solution or get near to it.
    This topic is very interesting (at least for me), so let's elaborate.

    If you have some concrete examples of exclusions, please let me know - the KB article is not very extensive.
    I have a lot of experience with enterprise security solutions, but this does not help me in this case, because I am struggling with the syntax (how to fill in the fields). The logic I need is totally clear - but this does not help here.


    Thanks in advance,
    Daniel

  • Andrei_S Enterprise
    Andrei_S Enterprise Business Support Manager BD Staff

    Hello @DaCap ,

    After discussing internally, you can try one of the following:

    • Create a set of exclusions for the process and the command line:
    1. image.png

    Try and see if this works.

    • Or use the Contains operator with the command line "C:\Windows\System32\vssadmin.exe" delete shadows /Shadow=" without any ID after it.

    image.png
    • A third option, and a more simplistic one, is to test by excluding Tacticalrmm.exe as a process.

    Hope this helps.

    Kind Regards,

    Andrei
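    To see how the three options above differ in scope, and how they compare with the IF/THEN chain rule Daniel wrote out earlier in the thread, the following is an added example that is not part of this thread and does not use Bitdefender's custom exclusion syntax. It models each option as a predicate over constructed process-creation events (event field names, the sample events, and the GUID regex are assumptions) and reports which events each rule would suppress: the ancestry-plus-command-line rule only matches the scheduled task's own invocation, the "Contains" prefix rule also suppresses the same deletion when launched from an unrelated parent, and excluding the RMM process suppresses anything the agent's chain runs, including a vssadmin form the task never issues.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event as an EDR might record it (field names are assumptions)."""
    event_id: str
    process: str      # image name of the started process
    parent: str       # image name of its parent process
    grandparent: str  # image name of the parent's parent
    cmdline: str


# The "wildcard" for the shadow ID: a single GUID in braces, nothing else, then /quiet.
GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
TASK_CMDLINE = re.compile(
    r'^"C:\\Windows\\System32\\vssadmin\.exe" delete shadows /Shadow=' + GUID + r" /quiet$",
    re.IGNORECASE,
)


def rule_chain(e: ProcessEvent) -> bool:
    """Daniel's IF/THEN rule: process + parent + grandparent + exact command-line shape."""
    return (
        e.process.lower() == "vssadmin.exe"
        and e.parent.lower() == "powershell.exe"
        and e.grandparent.lower() == "tacticalrmm.exe"
        and TASK_CMDLINE.match(e.cmdline) is not None
    )


def rule_contains_prefix(e: ProcessEvent) -> bool:
    """Option 2: 'Contains' on the command line up to /Shadow=, with no ID after it."""
    prefix = r'"C:\Windows\System32\vssadmin.exe" delete shadows /Shadow='
    return e.process.lower() == "vssadmin.exe" and prefix.lower() in e.cmdline.lower()


def rule_exclude_rmm_process(e: ProcessEvent) -> bool:
    """Option 3: exclude the RMM agent as a process, i.e. everything its chain starts."""
    return "tacticalrmm.exe" in (e.parent.lower(), e.grandparent.lower())


RULES = {
    "chain": rule_chain,
    "contains_prefix": rule_contains_prefix,
    "rmm_process": rule_exclude_rmm_process,
}

# Constructed sample events. The first is the scheduled task's real invocation
# (GUID taken from the thread); the others are deliberately different.
SAMPLE_EVENTS = [
    ProcessEvent(
        "task-delete", "vssadmin.exe", "powershell.exe", "tacticalrmm.exe",
        r'"C:\Windows\System32\vssadmin.exe" delete shadows '
        r"/Shadow={184D3A2D-026A-4DEC-B1D4-0C8BF8BF3337} /quiet",
    ),
    ProcessEvent(  # same deletion, but not started by the RMM task chain
        "other-parent-delete", "vssadmin.exe", "cmd.exe", "explorer.exe",
        r'"C:\Windows\System32\vssadmin.exe" delete shadows '
        r"/Shadow={0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9} /quiet",
    ),
    ProcessEvent(  # under the RMM chain, but a command-line form the task never issues
        "broad-delete-under-rmm", "vssadmin.exe", "powershell.exe", "tacticalrmm.exe",
        r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet',
    ),
]


def evaluate(events, rules=RULES):
    """Return {rule_name: sorted event_ids that rule would suppress}."""
    return {name: sorted(e.event_id for e in events if fn(e)) for name, fn in rules.items()}


if __name__ == "__main__":
    for name, suppressed in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:16s} suppresses: {suppressed}")
```

    Whatever the product's own fields are called, the comparison is the part worth carrying over: the more of the chain (parent, grandparent, exact command-line shape with the GUID as the only variable) an exclusion pins down, the fewer unrelated events it silences, and a process-level exclusion for the RMM agent is the broadest of the three.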

  • Thanks Andrei!
    I will try this and will leave feedback as soon as I can test.

    Best regards,
    Daniel

  • Hello again,

    as I'm now on holiday, I will need time for further testing.
    Thanks again, my next feedback will take at least some weeks(!). Just to let you know.

    Best regards,
    Daniel