
How to stop RMM software from causing Scripting Abuse or Abnormal Process Execution notifications?

RefreshInternal (Member, Posts: 26, Security Scout)

I run PowerShell scripts from my RMM software agent to manage endpoints. Every time I run a script, I get a Scripting Abuse or Abnormal Process Execution notification. How can I whitelist the RMM agent on the endpoint to stop these false positives?

Best Answer

JamesC (Partner, Staff, Moderator, Posts: 522)

    Hi, can you let me know if the command lines change?

    If not, you can try the steps below.

    To whitelist a file directly, complete the following:

    1. Log in to the Elements Security Center here.
    2. Select the Endpoint Detection and Response section in the leftmost navigation bar of the Elements Security Center.
    3. Go to the Detections tab and tick the Broad Context Detections check box.
    4. Click the "Update status" option at the bottom of the page.
    5. Select "Closed" from the drop-down menu, then select the reason "False positive".
    6. Click the "Update" option.


    Once you have at least one incident that is identical to the incident, and there is no identical incident whose status is closed as Confirmed, the false-positive handling in WithSecure Elements Endpoint Detection and Response (EDR) will close the false positive automatically.

    Broad context detections can be closed as Auto false positive automatically when they are identical to previously closed false alarms. For WithSecure Elements Endpoint Detection and Response to close a broad context detection as Auto false positive, the following criteria must be met:

    • the incident has to be New / Unconfirmed,
    • you must have closed an identical incident in the same organization as False positive, and
    • no identical incidents in the same organization have been Confirmed.

    More information about automatic handling of incidents can be found here.

    In the event that this has been completed multiple times and the file still gets detected, make a whitelisting request for the False Positive event as follows:

    1. From the left-hand menu in WithSecure Elements Endpoint Detection and Response (EDR), click the three dots below Reports and choose Support.
    2. Click the link Request whitelisting; this will bring up a support request form.
    3. Verify that the following fields are populated correctly:
      • Problem Category -> Threat/Malware
      • Problem Subcategory -> False Positive
      • Product Group -> For Business
      • Product Name -> Rapid Detection & Response
      • Language -> English
    4. Under Description, provide the Broad Context Detection ID (BCD-ID), a reason why this content should be whitelisted, and the scope (single host, company level, etc.).
    5. Fill in the rest of the required case information. Correct and complete information helps us to identify you and provide you with the proper service level.
    6. Click Send to open the support ticket.
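The three auto-close criteria in the answer, modelled as a small Python decision function. This is an added illustration, not code from WithSecure or from the poster; it assumes that two detections count as "identical" when the organization, process and exact command line match, which is why changing command lines would stop the automatic handling from matching.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Incident:
    org: str
    status: str         # "New", "Unconfirmed", "Closed" or "Confirmed"
    close_reason: str   # "False positive" when closed as FP; "" otherwise
    process: str
    command_line: str

def fingerprint(inc: Incident) -> tuple:
    """Assumption: detections are 'identical' when organization, process
    and the exact command line all match."""
    return (inc.org, inc.process, inc.command_line)

def auto_false_positive(new: Incident, history: list) -> bool:
    """Apply the answer's three criteria to a new broad context detection."""
    if new.status not in ("New", "Unconfirmed"):
        return False
    same = [h for h in history if fingerprint(h) == fingerprint(new)]
    # A single Confirmed identical incident blocks automatic closure.
    if any(h.status == "Confirmed" for h in same):
        return False
    return any(h.status == "Closed" and h.close_reason == "False positive"
               for h in same)

# Constructed sample history: one RMM-launched script already closed as FP.
RMM_PS = "powershell.exe -ExecutionPolicy Bypass -File C:\\rmm\\inventory.ps1"
HISTORY = [Incident("acme", "Closed", "False positive", "powershell.exe", RMM_PS)]

def run_examples() -> dict:
    """Return the auto-close decision for several constructed detections."""
    return {
        # Same org, same command line: closes as Auto false positive.
        "identical": auto_false_positive(
            Incident("acme", "New", "", "powershell.exe", RMM_PS), HISTORY),
        # One changed argument means a different fingerprint: not identical.
        "changed_cmdline": auto_false_positive(
            Incident("acme", "New", "", "powershell.exe",
                     RMM_PS.replace("inventory", "patch")), HISTORY),
        # The same detection in another organization does not count.
        "other_org": auto_false_positive(
            Incident("beta", "New", "", "powershell.exe", RMM_PS), HISTORY),
        # A Confirmed identical incident vetoes automatic closure.
        "confirmed_blocks": auto_false_positive(
            Incident("acme", "New", "", "powershell.exe", RMM_PS),
            HISTORY + [Incident("acme", "Confirmed", "", "powershell.exe", RMM_PS)]),
    }

if __name__ == "__main__":
    for name, decision in run_examples().items():
        print(f"{name}: {'auto-close' if decision else 'stays open'}")
```

The practical takeaway is that RMM scripts launched with varying arguments produce different fingerprints, so each variant needs its own closed false positive, or a whitelisting request as described in the second procedure.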

