Hi @mhjor70
You can disable the Analytic that may cause false positives for the plan scoped to the developers' computers, then clone the Analytic and modify it to your needs to exclude the volumes you trust.
Have a look at https://docs.jamf.com/jamf-protect/documentation/Creating_Analytics.html#ID-000037e3
Hopefully this helps a bit!
Thijs
Thanks, I will try this and report back.
Mike Hjörleifsson | Senior Cybersecurity Manager
---------------------------------------------------------
Wind Talker Innovations, Inc. | +1-718-938-0691
Hey @mhjor70 Just curious if you managed to create a custom Analytic to avoid false positives!
Cheers
Thijs
So I was able to modify the alert to whitelist the "build" volume they were mounting, which killed the alerts, BUT, and here is the more serious issue, it is still logging the events, and due to the high-speed, repetitive nature of the build process accessing that volume over and over and over, it's pegging the processor on their machines.
@mhjor70
In addition, I'll recommend having a look at joining the Protect beta. There are some features that may interest you regarding the case above.
https://community.jamf.com/t5/jamf-protect/jamf-protect-beta/td-p/249294
Cheers,
Thijs
Signed up 😊 thanks for the heads-up
Mike Hjörleifsson | Senior Cybersecurity Manager
---------------------------------------------------------
Wind Talker Innovations, Inc. | +1-718-938-0691