Endpoint Protection Small Business Edition


SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

  • 1.  SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 12:31 PM

    Hello Community!

    I am trying to add an application monitor/exception for a .MSI file but am finding that the Endpoint Protection Manager Console will only monitor executables (.exe) and the exception for .msi that I currently have doesn't seem to work. Is there any way to add an application to monitor or an exception to a .msi file? What about DLL files?

    The reason I am trying to do this is because I strongly believe I am getting a false positive for an application called SubtitlePlusApp (http://www.subtitleplus.com/splus001/www/index.html). It resides in a user's downloads folder during detection (e.g. - C:\Users\%USERNAME%\Downloads\subtitleplusapp.msi).

     

    Any help would be awesome as I am getting tired of all the alerts :p

     

    Thank you!

     

    --

    Casey



  • 2.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 12:32 PM

    You can only add .exe files when it comes to the app monitoring feature.

    Have you tried setting an exception for the file?



  • 3.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 12:38 PM

    Edit# I understand it now :) 

    Does that show up under detected list?



  • 4.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 12:41 PM

    Yes I had tried to add a file exception but it didn't work as I was alerted again. 

    I didn't have the exact file path listed the first time I tried to create the file exception. Maybe this was the issue? I thought I had read somewhere that if you don't define the file path, it should still work.



  • 5.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 12:44 PM

    It should still work but you can define the path to get more granular.

    When you go back into the application to monitor section and select application, it should bring up a list of already detected apps. Does this particular one show up?



  • 6.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 12:50 PM

    Can you post the screenshot please? Just wanted to see if it's blocking the file or the application (executable); .msi should be treated as an installer.



  • 7.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 12:52 PM

    Negative. The application does not come up in that list.

    That is of course if it has the same name. I also looked at the same location it was detected. Nothing.



  • 8.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 12:55 PM

    Are you seeing anything in the Risk logs to indicate the file is being acted on?



  • 9.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 12:59 PM

    Here is a screenshot of the original detection (in the form of an email to our Helpdesk application):

    SEP - Detection.jpg

     

    Here is a screenshot of the Monitor/Exceptions I have created:

    Sep Detection - Application Exceptions.jpg

    It looks like the detection is looking inside a .zip? Would the file need to be extracted first?



  • 10.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 01:03 PM

    In many cases, SEP can extract the file from the zip to scan it.

    Has the policy update propagated down to the client?



  • 11.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 01:06 PM

    Here's the risk log:

    SEP Detection - Risk Log.jpg



  • 12.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 01:08 PM

    I really do appreciate your guys' help with this!

     

    I'm not sure what you mean by propagate down to the client. I don't know how to tell if it has or not.



  • 13.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 01:10 PM

    On the client, if you go to Help >> Troubleshooting, you will see the policy serial number, which you can compare to what's in the SEPM.

    In the SEPM on the client tab, select the group the client is in and select the Details tab at the top. It will show the policy serial number.

    Ensure both are matching.



  • 14.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 01:26 PM

    They are the same policy serial number



  • 15.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 01:28 PM

    I see this is from the scheduled scan. What happens if you try to run the file in real time? Does auto-protect catch it?



  • 16.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 02:19 PM

    It installs perfectly then I get a detection:

    SubtitlePlusApp - Detection.jpg

    I then created an Application to Monitor using st2scc.exe and could not find st2scc.exe in the application list.

    I did notice that in the zip file it comes with a setup.exe and SubtitlePlusApp2.msi. I looked through all (there's a lot) of the setup.exe entries in the Application Detection list and none of them appeared relevant.



  • 17.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 02:23 PM

    It may take a little time to show up, depending on how often your clients check in.



  • 18.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 03:23 PM

    How will I know when it works or not? I won't get the alerts anymore? :p



  • 19.  RE: SEPM 12.4 - Application Monitoring/Exception for .MSI file?!

    Posted Feb 27, 2014 03:25 PM

    Essentially, yes :)