Posted on 09-28-2021 11:06 AM
So we are just getting started with Protect and have it in notify-only mode. Some of our devs create a cross-platform toolchain which creates a disk image and mounts it to /Volumes/XXXX. When they run make from their script, all hell breaks loose with alerts about 'hidden script running on external volume', which is great but also a false positive. We want to keep the alert but whitelist the volume if it's named something like TESTING.
Any suggestions?
Posted on 10-19-2021 07:16 AM
Hi @mhjor70
You can disable the Analytic that may cause false positives for the plan scoped to the developers' computers, then clone the Analytic and modify it to your needs to exclude the volumes you trust.
Have a look at https://docs.jamf.com/jamf-protect/documentation/Creating_Analytics.html#ID-000037e3
Hopefully this helps a bit!
Thijs
Posted on 10-19-2021 07:19 AM
Posted on 10-27-2021 05:19 AM
Hey @mhjor70, just curious if you managed to create a custom Analytic to avoid false positives!
Cheers
Thijs
Posted on 10-27-2021 06:42 AM
So I was able to modify the alert to whitelist the "build" volume they were mounting, which killed the alerts. BUT, and here is the more serious issue, it is still logging the events, and due to the high-speed, repetitive nature of the build process accessing that volume over and over and over, it's pegging the processor on their machines.
Posted on 11-11-2021 05:19 AM
@mhjor70
In addition, I'd recommend having a look at joining the Protect beta. There are some features that may interest you regarding the case above.
https://community.jamf.com/t5/jamf-protect/jamf-protect-beta/td-p/249294
Cheers,
Thijs
Posted on 11-11-2021 06:24 AM