The Footprint Agent may at some point come into conflict with endpoint detection and protection software. The Footprint Agent runs PowerShell commands, and this triggers behavioral detections on certain endpoint protection agents.
How to whitelist the CODA Footprint Agent
⚠️ The certificate with the thumbprint 2951d59a8aed11532b75e0969c588df71dea7a88 expires on 4th of March 2023.
If the application is whitelisted by the certificate thumbprint, please replace it with the new one before 3rd of April 2023.
New CODA Intelligence Certificate Thumbprint: 8c822b99e6d4dfd22a81a6b8da317ca632b8877b
CODA Intelligence Certificate Thumbprint (Valid to 27th April 2026): 8c822b99e6d4dfd22a81a6b8da317ca632b8877b
Download the CODA Intelligence Public Code Signing Certificate here.
CODA Intelligence Certificate Thumbprint (Valid to 4th March 2023): 2951d59a8aed11532b75e0969c588df71dea7a88
Download the CODA Intelligence Public Code Signing Certificate here.
CODA Intelligence Certificate Thumbprint (Valid to 03rd April 2022): 4bedbceaf803a93939a1b7558641fa6771676137
Download the CODA Intelligence Public Code Signing Certificate here.
Microsoft 365 Defender
Microsoft Defender may detect several components of the Coda Footprint agent as suspicious, because they enumerate registry entries and the users configured on machines. The AD-integrated agent may also trigger certain alerts, as it lists AD users and computers. Although this is not malicious behavior, it is flagged because most users would not perform such queries.
In order to whitelist the Coda Footprint agent there are two options:
Folder based whitelisting
Go to the Microsoft 365 Defender management console and select Settings > Endpoints > [Rules Section] Automation Folder Exclusions.
Press New Folder Exclusion.
Add the C:\ProgramData\Footprint\Agent folder and, optionally, add the ps1 and exe extensions.
Click Save.
Your exception is now ready.
Certificate IOC definition
Note: It can take up to 3 hours to create or remove a certificate IoC.
Go to the Microsoft 365 Defender management console and select Settings > Endpoints > [Rules Section] Indicators
Select Certificates and click Add item
Choose file and upload the Coda code-signing certificate from the top of this article.
Click Next and select Action Allow. Assign a Name and Description.
Select a scope group or leave the entire organization.
Press Save.
Your certificate-based whitelist is now ready.
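As an added example (not CODA's own tooling or part of this article), the following PowerShell checks which certificate actually signs the installed agent files against the thumbprints listed at the top of this article, and exports the current signer as the .cer file the certificate indicator step above asks you to upload. The agent paths are the ones this article names; $exportPath is an assumed output location.

```powershell
# Added example, not from the CODA article: verify the Authenticode signer of the
# installed Footprint Agent files against the thumbprints published in the article,
# then export the signer certificate for upload as a certificate indicator.
# Assumes Windows PowerShell with the PKI module (Export-Certificate) available.
$agentPaths = @(
    'C:\Program Files (x86)\Footprint\Footprint Agent\Footprint Agent.exe',
    'C:\ProgramData\Footprint\Agent'
)
$exportPath = 'C:\Temp\coda-codesign.cer'   # assumed location, change as needed

# Thumbprints from the article, uppercased because that is how PowerShell reports them.
$codaThumbprints = @{
    '8C822B99E6D4DFD22A81A6B8DA317CA632B8877B' = 'valid to 27 April 2026'
    '2951D59A8AED11532B75E0969C588DF71DEA7A88' = 'EXPIRED 4 March 2023'
    '4BEDBCEAF803A93939A1B7558641FA6771676137' = 'EXPIRED 3 April 2022'
}

# Collect the agent executable plus every .exe/.ps1 in the agent data folder.
$files = foreach ($p in $agentPaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) { Get-Item -LiteralPath $p }
    elseif (Test-Path -LiteralPath $p -PathType Container) {
        Get-ChildItem -Path $p -Recurse -File -Include '*.exe', '*.ps1'
    }
}

$report = foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $cert = $sig.SignerCertificate
    $tp   = if ($cert) { $cert.Thumbprint.ToUpper() } else { '' }
    [pscustomobject]@{
        File       = $f.FullName
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($cert) { $cert.Subject } else { '' }
        Thumbprint = $tp
        Known      = if ($codaThumbprints.ContainsKey($tp)) { $codaThumbprints[$tp] } else { 'not a published CODA thumbprint' }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
    }
}
$report | Format-Table -AutoSize

# Only a file whose chain validates AND whose signer is a current CODA thumbprint
# should drive an allow-list entry; anything else is reviewed before excluding it.
$trusted = @($report | Where-Object { $_.Status -eq 'Valid' -and $_.Known -like 'valid*' })
if ($trusted.Count -gt 0) {
    $signer = (Get-AuthenticodeSignature -LiteralPath $trusted[0].File).SignerCertificate
    Export-Certificate -Cert $signer -FilePath $exportPath -Type CERT | Out-Null
    "Exported signer $($signer.Thumbprint) to $exportPath; rotate exclusions before $($signer.NotAfter)"
} else {
    Write-Warning 'No agent file is validly signed by a current CODA thumbprint; review before adding an exclusion.'
}
```

Files reported as NotSigned or signed by an unlisted thumbprint inside the excluded folder are exactly what a folder-based exclusion would silently cover, which is why the certificate-based option is preferable where the product supports it.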
Bitdefender GravityZone
Reference: https://www.bitdefender.com/support/antimalware-exclusions-in-bitdefender-gravityzone-1232.html
Use exclusions only in special circumstances, or when following Microsoft or Bitdefender recommendations. For an updated list of exclusions recommended by Microsoft, please refer to this article.
You can define Custom Exclusions for in-house developed applications or customized tools, according to your specific needs.
The antimalware module of Bitdefender Control Center provides real-time scanning of all the running processes and applications on the machine it protects. However, the real-time scanning might prevent certain applications from running correctly when they are scanned.
Custom antimalware exclusions apply to one or more of the following scanning methods:
On-access scanning
On-demand scanning
Advanced Threat Control (ATC/IDS)
Important:
To exclude specific items from scanning, follow the steps below:
Log in to GravityZone Control Center.
Go to the Policies page.
Select or create a policy (except the Default policy).
Go to Antimalware and click Settings.
Select the Custom Exclusions check box.
Select the exclusion type from the menu:
File: only the specified file
Folder: only the specified folder, without any files and processes inside that folder or from all of its subfolders
Extension: all items having the specified extension
Process: any object accessed by the excluded process
File Hash: the file with the specified hash
Certificate Hash: all the applications signed under the specified certificate hash (thumbprint)
Threat Name: any item having the detection name
Command Line: the specified command line (available only for Windows operating systems)
For File hash, Certificate hash, Threat name, or Command line exclusions: enter the certificate thumbprint (hash). You can use one item per exclusion. Select the scanning methods to which the rule applies. Some exclusions may be relevant only for On-access scanning, On-demand scanning, or ATC/IDS, while others may be recommended for two or all three modules.
Optionally, click the Show remarks button to add a note in the Remarks field.
Click the Add button. The new rule will be added to the list.
Click the Save button.
Important:
To remove a rule from the list, click the corresponding Delete button.
Cylance PROTECT
Log in to the Cylance Protect console. Alternatively, if using Cloud Management: https://protect.cylance.com/Threats
Select Settings > Certificates
Select + Add Certificate and import the Public Certificate File found here:
Click Submit
FortiEDR
FortiEDR has multiple features that may interfere with Footprint Agent functionality. If the policy is set to Prevent, you need to allow the Footprint Agent explicitly in order to have full functionality.
According to the FortiEDR manual: “When this policy is set to Prevention mode the exfiltration attempt is blocked and a blocking event is generated. When this policy is set to Simulation mode, the outgoing connection attempt is NOT blocked and a simulated-blocking event is generated (this indicates that FortiEDR would have blocked the exfiltration if the policy had been set to Prevention mode).”
SECURITY POLICY EXCEPTION / PROCESS EXCEPTION
We need to create an Exception, which limits the enforcement of a rule/policy for specific actions performed by the Footprint Agent. In FortiEDR, exceptions are created in "exception pairs", meaning a tuple of Rule and Process. Adding an exception to an event may create more than one exception pair, but in all cases the process is linked to a process path.
SECURITY EVENT CLASSIFICATION
Let one agent run in the environment for some time. Set the policy to either Simulation or Prevent, but expect some data to be absent from the first time the event occurs until the Exception is added.
Navigate to the Event Viewer and select the events that are related to the Footprint Agent. Click Handle Event and set the Classification to "Safe".
Then select the same Event and click Create Exception.
Once the Exception Creation screen opens, click each Security Rule and check "When created by" Footprint Agent.exe and "Apply exception on" Footprint Agent.exe.
There may be multiple events that need to be excepted, as not all internal Footprint scripts run at the same time.
THREAT HUNTING
An Exclusion enables you to define certain types of activity events to be excluded from collection as Threat Hunting data. This reduces the overhead generated by the Footprint Agent during normal operation, but does not affect its functionality.
In order to perform an Exclusion follow the below steps:
Log in to the FortiEDR Central Management Console. Browse to Security Settings > Exclusion Manager and choose a list on the left-hand side. If no list exists, you may create a new one.
Click Add Exclusion and select Event type "Any" by clicking the box to select all processes. Select Source attribute from the first drop-down menu and pick "is" Signer. You may then add either the certificate file or the thumbprint of the code-signing certificate found at the start of this guide; this is the certificate CODA Intelligence uses to sign the agent and its scripts.
Add a Comment and click Add. Make sure to Save the changes.
The agent itself is not malicious and does not perform malware-specific actions, but the FortiEDR Threat Hunting rules take objection to programs running PowerShell.
COMMUNICATION CONTROL
In order to whitelist the Footprint Agent communication please see the following steps:
Navigate to Communication Control > Applications.
Navigate to the Application Footprint Agent with Vendor CODA. Check the box and click Modify Action and make sure to add the Allow action according to the used policy.
Remember to click Save.
You should now have all agent-related functionality allowed by FortiEDR. Remember that the activity may still be detected, but even if the policy is configured as Prevent, the agent will not be impacted by FortiEDR.
ESET Antivirus
Reference: https://help.eset.com/eis/15/en-US/idh_detection_exclusion.html?idh_detection_exclusion.html
Exclude detection
A valid ESET detection name must be provided. To find a valid detection name, see Log files and then select Detections from the Log files drop-down menu. This is useful when a false-positive sample is being detected by ESET Internet Security. Exclusions for real infiltrations are very dangerous; consider excluding only the affected files/directories by clicking ... in the Path field, and/or only for a temporary period of time. Exclusions also apply to potentially unwanted applications, potentially unsafe applications and suspicious applications.
See also Path exclusion format.
Go to Setup > Computer Protection > Configure > Process Exclusion > Add Path [C:\Program Files (x86)\Footprint\Footprint Agent\Footprint Agent.exe]
Go to Setup > Computer Protection > Real Time file system protection > Click Edit Exclusion
Click on Path and set it to C:\Program Files (x86)\Footprint\
VMware Carbon Black Cloud
VMware Carbon Black Cloud may detect several components of the Coda Footprint agent as suspicious, because they enumerate registry entries and use PowerShell in order to work properly. Although this is not malicious behavior, it is flagged because most applications would not use PowerShell in this manner.
In order to whitelist the Coda Footprint agent, please follow the next steps:
Click Enforce > Reputation.
Click Add and select IT Tools as the type.
Add the path of the IT tool that drops code, receives initial trust, and is allowed.
Path\to\Footprint Agent.exe
Optional: Select Include all child processes.
Enter Comments and click Add.
Your exception is now ready and VMware Carbon Black Cloud should not alert on the Footprint Agent.
Carbon Black Cloud Endpoint Standard
Reference: Endpoint Standard: How to add a Certificate to the Approved List (broadcom.com)
From the Investigate Page
Search for Events tied to desired application or hash
Select the desired Event to expand Event details
Click desired App tab (Parent App, Selected App, Target App)
Signed By field reflects Signer of file, CA reflects Certificate Authority
Click on Add button to right of Signed By to add the Cert (Signer+CA) to Approved List
From the Reputation Page
Locate Signer and Certificate Authority (CA) for desired file (can be done via Enriched Event data or directly on endpoint)
Log into Carbon Black Cloud Console
Go to Enforce > Reputation
Click on the +Add button
In the modal/pop-up, select Type: Certs
Enter Signer in "Signed By" field (required)
Enter CA in Certificate Authority field (not currently required)
Add details to Comment field as desired
Click Save to finish adding Cert to Approved List