The Footprint Agent may at some point conflict with Endpoint Detection and Protection software. The Footprint Agent runs PowerShell commands, and this triggers behavioral detections on certain Endpoint Protection agents.
How to whitelist the CODA Footprint Agent
CODA Intelligence Certificate Thumbprint: 4bedbceaf803a93939a1b7558641fa6771676137
Download the CODA Intelligence Public Code Signing Certificate here.
Custom exclusions are used in special circumstances, or when following Microsoft or Bitdefender recommendations. For an updated list of exclusions recommended by Microsoft, please refer to this article.
You can define Custom Exclusions for in-house developed applications or customized tools, according to your specific needs.
The antimalware module of Bitdefender Control Center provides real-time scanning of all the running processes and applications on the machine it protects. However, the real-time scanning might prevent certain applications from running correctly when they are scanned.
Custom antimalware exclusions apply to one or more of the following scanning methods:
Advanced Threat Control (ATC/IDS)
To exclude specific items from scanning, follow the steps below:
Log in to GravityZone Control Center.
Go to the Policies page.
Select or create a policy (except the Default policy).
Go to Antimalware and click Settings.
Select the Custom Exclusions check box.
Select the exclusion type from the menu:
File: only the specified file
Folder: only the specified folder, without any files and processes inside that folder or from all of its subfolders
Extension: all items having the specified extension
Process: any object accessed by the excluded process
File Hash: the file with the specified hash
Certificate Hash: all the applications under the specified certificate hash (thumbprint)
Threat Name: any item having the detection name
Command Line: the specified command line (available only for Windows operating systems)
For File hash, Certificate hash, Threat name, or Command line exclusions, enter the value directly. For the Footprint Agent, enter the certificate thumbprint (hash). You can use one item per exclusion.
Select the scanning methods to which the rule applies. Some exclusions are relevant only to one of On-access scanning, On-demand scanning or ATC/IDS, while others are recommended for two or all three modules.
Optionally, click the Show remarks button to add a note in the Remarks
Click the Add button. The new rule will be added to the list.
Click the Save button.
To remove a rule from the list, click the corresponding Delete button.
Log in to the Cylance Protect console (or, if using Cloud Management, https://protect.cylance.com/Threats).
Select Settings > Certificates
Select + Add Certificate and import the Public Certificate File found here:
FortiEDR has multiple features that may interfere with Footprint Agent functionality. If the policy is set to Prevent, you need to explicitly allow the Footprint Agent in order to retain full functionality.
According to the FortiEDR manual: “When this policy is set to Prevention mode the exfiltration attempt is blocked and a blocking event is generated. When this policy is set to Simulation mode, the outgoing connection attempt is NOT blocked and a simulated-blocking event is generated (this indicates that FortiEDR would have blocked the exfiltration if the policy had been set to Prevention mode).”
SECURITY POLICY EXCEPTION / PROCESS EXCEPTION
To keep a rule or policy from being enforced against specific actions performed by the Footprint Agent, create an Exception. In FortiEDR, exceptions are created as “exception pairs”, i.e. a tuple of Rule and Process. Adding an exception for an event may create more than one exception pair, but in all cases the process is linked to a process path.
SECURITY EVENT CLASSIFICATION
Let one agent run in the environment for some time, with the policy set to either Simulation or Prevent. Expect some data to be absent from the time the event first occurs until the Exception is added.
Navigate to the Event Viewer and select the events related to the Footprint Agent. Click Handle Event and set the Classification to “Safe”.
Also select the same Event and click Create Exception.
Once the Exception Creation screen opens, click each Security Rule and check “When created by” Footprint Agent.exe and “Apply exception on” Footprint Agent.exe.
There may be multiple events that need exceptions, as not all internal Footprint scripts run at the same time.
An Exclusion lets you define types of activity events that are not collected as Threat Hunting data. This reduces the overhead generated by the Footprint Agent during normal operation, without impacting its functionality.
In order to perform an Exclusion follow the below steps:
Log in to the FortiEDR Central Management Console. Browse to Security Settings > Exclusion Manager and choose a list on the left-hand side. If no list exists, you may create a new one.
Click Add Exclusion and select Event type “Any” by checking the box to select all processes. From the first drop-down menu select the Source attribute and pick “is” Signer. Then add either the Certificate file or the Thumbprint of the Code Signing Certificate found at the start of this guide; this is the certificate CODA Intelligence uses to sign the agent and its connected scripts.
Add a comment and click Add. Make sure to Save the changes.
The agent itself is not malicious and performs no malware-specific actions, but the FortiEDR Threat Hunting rules object to programs running PowerShell.
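Before creating a signer-based allow rule (the Bitdefender Certificate Hash exclusion, the Cylance certificate import, or the FortiEDR Signer exclusion above), it is worth confirming on an endpoint that the installed agent files are in fact signed by the certificate whose thumbprint is published at the start of this guide. The following PowerShell script is an added example written for this page; it is not CODA Intelligence's code nor any EDR vendor's tooling. The install path and the file name Footprint Agent.exe are assumptions and should be replaced with the real values on your systems.

```powershell
# Added example (not CODA's or any EDR vendor's code): verify the Authenticode
# signer of the Footprint Agent files before creating a certificate-based exclusion.

# Thumbprint published in this guide for the CODA Intelligence code-signing certificate.
$ExpectedThumbprint = '4bedbceaf803a93939a1b7558641fa6771676137'

# Assumed install location (adjust to the real path on your endpoints).
$AgentRoot = 'C:\Program Files\CODA Intelligence\Footprint Agent'

function Test-AgentSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $actual = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint = $actual
        # Only allowlist files whose signature validates AND whose signer is the expected certificate.
        Trusted    = ($sig.Status -eq 'Valid') -and ($actual -ieq $Thumbprint)
        # SHA-256 of the file, usable for a narrower File Hash exclusion instead of a signer rule.
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# Check the executable, libraries and the connected scripts shipped with the agent.
$results = Get-ChildItem -Path $AgentRoot -Recurse -Include *.exe, *.dll, *.ps1 |
    ForEach-Object { Test-AgentSignature -Path $_.FullName -Thumbprint $ExpectedThumbprint }

$results | Format-Table Path, Status, Thumbprint, Trusted -AutoSize

$untrusted = @($results | Where-Object { -not $_.Trusted })
if ($untrusted.Count -gt 0) {
    Write-Warning "Do not add a certificate exclusion yet: $($untrusted.Count) file(s) are unsigned, have a broken signature, or are signed by a different certificate."
} else {
    Write-Host "All files are signed by thumbprint $ExpectedThumbprint; a Certificate Hash / Signer exclusion scoped to this thumbprint is appropriate."
}
```

Run it in an elevated PowerShell session on a host where the agent is installed. A status other than Valid, or a thumbprint that does not match the published value, means the exclusion would either not match the running files or would cover something other than the CODA-signed agent, so resolve that before adding the rule. The Sha256 column gives you the value for a per-file File Hash exclusion if you prefer a tighter rule than a signer-wide allow.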
In order to whitelist the Footprint Agent communication please see the following steps:
Navigate to Communication Control > Applications.
Navigate to the application Footprint Agent with Vendor CODA. Check the box, click Modify Action and add the Allow action according to the policy in use.
Remember to click Save.
All agent-related functionality should now be allowed by FortiEDR. Note that the activity may still be detected, but even when the policy is configured as Prevent the agent is not impacted by FortiEDR.