The Footprint Agent may at some point be flagged by Endpoint Detection and Response (EDR) or endpoint protection software. The agent runs PowerShell commands, and this activity triggers behavioral detections in some endpoint protection products. The sections below describe how to whitelist the agent in Bitdefender GravityZone, Cylance PROTECT, FortiEDR and ESET.
How to whitelist the CODA Footprint Agent
⚠️ The certificate with the thumbprint 4bedbceaf803a93939a1b7558641fa6771676137 expires on 3 April 2022.
If the agent is whitelisted by certificate thumbprint, replace that thumbprint with the new one before 1 April 2022. An exclusion by certificate hash trusts everything signed with that certificate, and it must be updated every time the code-signing certificate is renewed.
New CODA Intelligence Certificate Thumbprint (valid to 4 March 2023): 2951d59a8aed11532b75e0969c588df71dea7a88
Download the CODA Intelligence Public Code Signing Certificate here.
Previous CODA Intelligence Certificate Thumbprint (valid to 3 April 2022): 4bedbceaf803a93939a1b7558641fa6771676137
Download the CODA Intelligence Public Code Signing Certificate here.
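Before adding a certificate-hash exclusion in any of the consoles below, confirm that the agent files actually on disk carry a valid Authenticode signature from one of the thumbprints above. The following PowerShell is an added example written for this guide, not code shipped by CODA Intelligence. It assumes the agent is installed under C:\Program Files (x86)\Footprint (the path used in the ESET section of this guide) and that the agent's executables and scripts are signed with the same CODA Intelligence certificate, as stated in the FortiEDR section. Run it from an elevated PowerShell prompt on a host where the agent is installed.

```powershell
# Added example for this guide (not CODA Intelligence code): verify that every
# Footprint Agent binary and script is Authenticode-signed by one of the known
# CODA Intelligence code-signing certificates before whitelisting by thumbprint.

# Assumed install root; matches the path used in the ESET exclusion steps.
$AgentRoot = 'C:\Program Files (x86)\Footprint'

# Thumbprints listed at the start of this guide (SHA-1 certificate thumbprints).
$KnownThumbprints = @{
    '2951D59A8AED11532B75E0969C588DF71DEA7A88' = 'CODA Intelligence (valid to 4 March 2023)'
    '4BEDBCEAF803A93939A1B7558641FA6771676137' = 'CODA Intelligence (expired 3 April 2022)'
}

function Test-FootprintSignatures {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Trusted
    )

    # Executables, libraries and PowerShell scripts are the files an EDR will
    # evaluate against a signer/certificate-hash exclusion.
    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.ps1, *.psm1 -ErrorAction Stop

    foreach ($f in $files) {
        $sig   = Get-AuthenticodeSignature -FilePath $f.FullName
        $cert  = $sig.SignerCertificate
        $thumb = if ($cert) { $cert.Thumbprint.ToUpperInvariant() } else { $null }

        # Order matters: an invalid or missing signature fails regardless of the
        # signer; an unknown signer fails; a known but expired signer is a warning
        # because the exclusion should be moved to the new thumbprint.
        $verdict = if ($sig.Status -ne 'Valid') {
            "FAIL: signature status $($sig.Status)"
        } elseif (-not $Trusted.ContainsKey($thumb)) {
            "FAIL: signed by unexpected certificate $thumb ($($cert.Subject))"
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            "WARN: trusted signer but certificate expired $($cert.NotAfter.ToShortDateString())"
        } else {
            "OK: $($Trusted[$thumb])"
        }

        [pscustomobject]@{
            File       = $f.FullName
            Status     = $sig.Status
            Thumbprint = $thumb
            Verdict    = $verdict
        }
    }
}

$results = Test-FootprintSignatures -Path $AgentRoot -Trusted $KnownThumbprints
$results | Format-Table -AutoSize -Wrap

# Only create the certificate-hash exclusion if every file checks out.
if ($results | Where-Object { $_.Verdict -like 'FAIL*' }) {
    Write-Warning 'One or more agent files are unsigned or signed by an unexpected certificate; do not add a thumbprint exclusion until this is explained.'
}
```

A FAIL on any file means a thumbprint exclusion would either not cover that file or would cover something you did not intend, so resolve it before whitelisting. A WARN shows the file is signed with the expired certificate; that is the case the expiry notice above covers, and the exclusion should point at the new thumbprint.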
Bitdefender GravityZone
Custom exclusions are intended for special circumstances, or for following Microsoft or Bitdefender recommendations. For an updated list of exclusions recommended by Microsoft, please refer to this article.
You can define Custom Exclusions for in-house developed applications or customized tools, according to your specific needs.
The antimalware module of Bitdefender Control Center provides real-time scanning of all running processes and applications on the machines it protects. However, real-time scanning might prevent certain applications, such as the Footprint Agent, from running correctly.
Custom antimalware exclusions apply to one or more of the following scanning methods:
On-access scanning
On-demand scanning
Advanced Threat Control (ATC/IDS)
To exclude specific items from scanning, follow the steps below:
Log in to GravityZone Control Center.
Go to the Policies page.
Select or create a policy (except the Default policy).
Go to Antimalware and click Settings.
Select the Custom Exclusions check box.
Select the exclusion type from the menu:
File: only the specified file
Folder: only the specified folder, without any files and processes inside that folder or from all of its subfolders
Extension: all items having the specified extension
Process: any object accessed by the excluded process
File Hash: the file with the specified hash
Certificate Hash: all the applications under the specified certificate hash(thumbprint)
Threat Name: any item having the detection name
Command Line: the specified command line (available only for Windows operating systems)
For the Footprint Agent, choose Certificate Hash and enter the CODA Intelligence certificate thumbprint (hash) listed at the start of this guide. Only one item is allowed per exclusion.
Select the scanning methods to which the rule applies. Some exclusions are relevant only to one of On-access scanning, On-demand scanning or ATC/IDS, while others are recommended for two or all three modules. The behavioral detections on the Footprint Agent's PowerShell activity come from Advanced Threat Control, so include ATC/IDS in this rule.
Optionally, click the Show remarks button to add a note in the Remarks field (for example, the ticket or change reference that authorized the exclusion).
Click the Add button. The new rule will be added to the list.
Click the Save button.
To remove a rule from the list, click the corresponding Delete button.
Cylance PROTECT
Log in to the Cylance PROTECT console (for cloud management: https://protect.cylance.com/Threats).
Select Settings > Certificates.
Select + Add Certificate and import the CODA Intelligence Public Code Signing Certificate file linked at the start of this guide. Repeat this step with the new certificate whenever the code-signing certificate is renewed.
FortiEDR
FortiEDR has multiple features that may interfere with Footprint Agent functionality. If the policy is set to Prevent, you need to allow the Footprint Agent explicitly in order to have full functionality.
SECURITY POLICY EXCEPTION / PROCESS EXCEPTION
An Exception limits the enforcement of a rule/policy for specific actions performed by the Footprint Agent. In FortiEDR, exceptions are created in "exception pairs", that is, a tuple of Rule and Process. Adding an exception to an event may create more than one exception pair, but in all cases the process is linked to a process path.
SECURITY EVENT CLASSIFICATION
Let one agent run in the environment for some time with the policy set to either Simulation or Prevent. Expect some data to be absent between the first time the event occurs and the moment the exception is added.
Navigate to the Event Viewer and select the events related to the Footprint Agent. Click Handle Event and set the Classification to "Safe".
Select the same event again and click Create Exception.
In the Exception Creation screen, click each Security Rule and check "When created by" Footprint Agent.exe and "Apply exception on" Footprint Agent.exe.
There may be multiple events that need exceptions, because not all internal Footprint scripts run at the same time; repeat the steps above for each one.
THREAT HUNTING EXCLUSION
An Exclusion lets you define certain types of activity events that are excluded from Threat Hunting data collection. This reduces the overhead generated by the Footprint Agent during normal operation, but does not affect its functionality.
To create an Exclusion, follow the steps below:
Log in to the FortiEDR Central Management Console. Browse to Security Settings > Exclusion Manager and choose a list on the left-hand side. If no list exists, create a new one.
Click Add Exclusion and select Event type "Any" by clicking the box to select all. In the Source attribute drop-down, pick Signer "is", then enter either the certificate file or the thumbprint of the code-signing certificate found at the start of this guide; this is the certificate CODA Intelligence uses to sign the agent and its scripts.
Add a comment and click Add. Make sure to save the changes.
The agent itself is not malicious and does not perform malware-specific actions, but the FortiEDR Threat Hunting rules object to programs running PowerShell.
COMMUNICATION CONTROL
To whitelist the Footprint Agent's communication, follow these steps:
Navigate to Communication Control > Applications.
Locate the application Footprint Agent with vendor CODA. Check its box, click Modify Action and set the Allow action for the policy in use.
Remember to click Save.
All agent-related functionality should now be allowed by FortiEDR. The activity may still be detected and logged, but even with the policy configured as Prevent the agent is no longer blocked.
ESET
ESET can also exclude items by detection name. A valid ESET detection name must be provided; to find one, open Log files and select Detections from the Log files drop-down menu. This is useful when a false positive sample is detected in ESET Internet Security. Exclusions for real infiltrations are very dangerous, so consider excluding only the affected files or directories (click ... in the Path field) and only for a temporary period. Exclusions also apply to potentially unwanted applications, potentially unsafe applications and suspicious applications.
See also Path exclusion format.
Process exclusion: go to Setup > Computer Protection > Configure > Process Exclusion > Add Path and enter C:\Program Files (x86)\Footprint\Footprint Agent\Footprint Agent.exe
Real-time file system protection exclusion: go to Setup > Computer Protection > Real Time file system protection and click Edit Exclusion.
Click Path and set it to C:\Program Files (x86)\Footprint\