Whitelisting an app to prevent notification storm

mhjor70
New Contributor

So we are just getting started with Protect and have it in notify-only mode. Some of our devs create a cross-platform toolchain which creates a disk image and mounts it to /Volumes/XXXX. When they run make from their script, all hell breaks loose with alerts about 'hidden script running on external volume', which is great but also a false positive. We want to keep the alert but whitelist the volume if it's named something like TESTING.


Any suggestions?


ThijsX
Valued Contributor

Hi @mhjor70 

You can disable the Analytic that may cause false positives for the plan scoped to the developers' computers, then clone the Analytic and modify it to your needs to exclude the volumes you trust.

Have a look at https://docs.jamf.com/jamf-protect/documentation/Creating_Analytics.html#ID-000037e3

Hopefully this helps a bit!
Thijs

mhjor70
New Contributor
Thanks, I will try this and report back.

Mike Hjörleifsson | Senior Cybersecurity Manager
---------------------------------------------------------
Wind Talker Innovations, Inc. | +1-718-938-0691

ThijsX
Valued Contributor

Hey @mhjor70, just curious if you managed to create a custom Analytic to avoid false positives!

Cheers

Thijs

mhjor70
New Contributor

So I was able to modify the alert to whitelist the "build" volume they were mounting, which killed the alerts, BUT, and here is the more serious issue, it is still logging the events, and due to the high-speed repetitive nature of the build process accessing that volume over and over and over, it's pegging the processor on their machines.

ThijsX
Valued Contributor

@mhjor70 

In addition, I'll recommend having a look at joining the Protect beta. There are some features that may interest you regarding the case above.

https://community.jamf.com/t5/jamf-protect/jamf-protect-beta/td-p/249294

Cheers,

Thijs

mhjor70
New Contributor
Signed up 😊 thanks for the heads-up

Mike Hjörleifsson | Senior Cybersecurity Manager
---------------------------------------------------------
Wind Talker Innovations, Inc. | +1-718-938-0691