So we are just getting started with protect and have it in notify only mode. some of our devs create a cross platform toolchain which creates a disk image and mounts it to /Volumes/XXXX when they run make from their script all hell breaks loose with alerts about 'hidden script running on external volume' which is great but also a false positive. we want to keep the alert but white list the volume if its named something like TESTING.. Any suggestions ?

Whitelisting an app to prevent notification storm

+19

ThijsX
Employee
369 replies
Forum|Forum|4 years ago
October 19, 2021

Hi @mhjor70

You can disable the Analytic that may cause false positives for the plan scoped to the developers computers, then clone the Analytic and modify it to your needs to exclude the volumes you trust.

Have a look at https://docs.jamf.com/jamf-protect/documentation/Creating_Analytics.html#ID-000037e3

Hopefully this helps a bit!
Thijs

M

+3

mhjor70
Author
New Contributor
4 replies
Forum|Forum|4 years ago
October 19, 2021

Hi @mhjor70

You can disable the Analytic that may cause false positives for the plan scoped to the developers computers, then clone the Analytic and modify it to your needs to exclude the volumes you trust.

Have a look at https://docs.jamf.com/jamf-protect/documentation/Creating_Analytics.html#ID-000037e3

Hopefully this helps a bit!
Thijs

Thanks I will try this and report back

Mike Hjörleifsson | Senior Cybersecurity Manager
---------------------------------------------------------
Wind Talker Innovations, Inc. | +1-718-938-0691

+19

ThijsX
Employee
369 replies
Forum|Forum|4 years ago
October 27, 2021

Thanks I will try this and report back

Mike Hjörleifsson | Senior Cybersecurity Manager
---------------------------------------------------------
Wind Talker Innovations, Inc. | +1-718-938-0691

Hey @mhjor70 Just curious if you managed to create a custom Analytic to avoid false positives!

Cheers

Thijs

M

+3

mhjor70
Author
New Contributor
4 replies
Forum|Forum|4 years ago
October 27, 2021

So i was able to modify the alert to whitelist the "build" volume they were mounting which killed the alerts BUT and here is the more serious issue it is still logging the events and due to the high speed repetitive nature of the build process accessing that volume over and over and over its pegging the processor on their machines.

+19

ThijsX
Employee
369 replies
Forum|Forum|4 years ago
November 11, 2021

So i was able to modify the alert to whitelist the "build" volume they were mounting which killed the alerts BUT and here is the more serious issue it is still logging the events and due to the high speed repetitive nature of the build process accessing that volume over and over and over its pegging the processor on their machines.

@mhjor70

In addition, i'll recommend to have a look to join the Protect beta. There are some features that may interest you regarding the case above.

https://community.jamf.com/t5/jamf-protect/jamf-protect-beta/td-p/249294

Cheers,

Thijs

M

+3

mhjor70
Author
New Contributor
4 replies
Forum|Forum|4 years ago
November 11, 2021

@mhjor70

In addition, i'll recommend to have a look to join the Protect beta. There are some features that may interest you regarding the case above.

https://community.jamf.com/t5/jamf-protect/jamf-protect-beta/td-p/249294

Cheers,

Thijs

Signed up 😊 thanks for the heads-up

Mike Hjörleifsson | Senior Cybersecurity Manager
---------------------------------------------------------
Wind Talker Innovations, Inc. | +1-718-938-0691

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded