NOTICE - On October 18, 2022, this product was renamed to Remediation Connector Solution.
TIP - This is an example of the Remediation Connector Solution configured with CrowdStrike Falcon®.
CrowdStrike and CrowdStrike Falcon are registered trademarks of CrowdStrike, Inc.
Remediation Connector Solution is not associated with, or endorsed by, CrowdStrike Holdings, Inc. or its affiliates.
Remediation Connector Solution allows you to exclude legitimate files, services, and known false positives. The fastest method to identify false positives is to run a diagnostic scan on a secure endpoint without removing any detections. Optionally, export your exclusions from CrowdStrike Falcon, and then convert them to JSON format usable by Remediation Connector Solution.
Exclude List
Remediation Connector Solution offers the following methods to exclude items from being scanned:
- Exclude List: This method allows you to exclude by File Extensions, File Names, Folder Paths, Registry Keys, Registry Values, and Vendor Names used to identify threats.
- Items requiring exclusion may be enclosed in one or more JSON files.
- The JSON files can be specified as either local file paths or web URLs.
- For wildcards, use current Windows operating system standards:
  - Wildcards can be used for file and folder paths.
  - Wildcards can be used within registry keys for additional flexibility.
- We recommend verifying your JSON exclusion file(s) format. To verify, see .
Exclusion example:
{
  "exclusions" : [
    { "type" : "extension", "path" : "dll" },
    { "type" : "file", "path" : "c:\\myprog\\test.exe" },
    { "type" : "folder", "path" : "c:\\myprog\\abc" },
    { "type" : "regkey", "path" : "HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\1394843d" },
    { "type" : "regval", "path" : "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN|DESKBAR" },
    { "type" : "wildcard", "path" : "**myprog*" },
    { "type" : "vendor", "path" : "Trojan.MBAMTest" },
    { "type" : "hash", "path" : "3BAA69B0C31CA2CCFB30D75A83B060AA" }
  ],
  "schemaVersion" : 1
}
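Because a single missing comma or brace makes the whole exclusion file unreadable, it is worth checking files before deploying them. The following validator is an added example (not part of Remediation Connector Solution or its documentation). It parses an exclusion file, checks the entry types and the schemaVersion shown above, and applies a few per-type sanity checks (MD5 length, registry hive prefix, the KEY|VALUENAME form for regval, no leading dot on extensions); those per-type checks, the accepted hive list, and the three sample files are assumptions inferred from the page's example, not product rules.

```python
import json
import re

# Entry types documented for the exclusion file.
ALLOWED_TYPES = {"extension", "file", "folder", "regkey", "regval", "wildcard", "vendor", "hash"}
MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
REG_HIVES = ("HKLM", "HKCU", "HKCR", "HKU", "HKCC")  # assumed set of accepted hive prefixes


def validate_exclusions(text):
    """Return a list of problems found in an exclusion file (an empty list means it looks valid)."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return ["invalid JSON at line %d column %d: %s" % (e.lineno, e.colno, e.msg)]
    if not isinstance(doc, dict):
        return ["top-level value must be an object"]
    if doc.get("schemaVersion") != 1:
        problems.append('"schemaVersion" must be 1')
    entries = doc.get("exclusions")
    if not isinstance(entries, list):
        return problems + ['"exclusions" must be an array']
    for i, entry in enumerate(entries):
        where = "exclusions[%d]" % i
        if not isinstance(entry, dict):
            problems.append(where + ": must be an object")
            continue
        t, p = entry.get("type"), entry.get("path")
        if t not in ALLOWED_TYPES:
            problems.append("%s: unknown type %r" % (where, t))
            continue
        if not isinstance(p, str) or not p:
            problems.append(where + ": path must be a non-empty string")
            continue
        # Per-type sanity checks, inferred from the documented example entries (assumptions).
        if t == "hash" and not MD5_RE.match(p):
            problems.append(where + ": hash must be 32 hex characters (MD5)")
        if t in ("regkey", "regval") and not p.upper().startswith(REG_HIVES):
            problems.append(where + ": registry path should start with a hive such as HKLM or HKCU")
        if t == "regval" and "|" not in p:
            problems.append(where + ": regval path uses the form KEY|VALUENAME")
        if t == "extension" and p.startswith("."):
            problems.append(where + ": extension is given without a leading dot")
    return problems


# Constructed sample: a comma is missing between two entries and the last object is not closed.
BROKEN_EXAMPLE = r"""{
  "exclusions" : [
    { "type" : "vendor", "path" : "Trojan.MBAMTest" }
    { "type" : "hash", "path" : "3BAA69B0C31CA2CCFB30D75A83B060AA"
  ],
  "schemaVersion" : 1
}"""

# Constructed sample that follows the documented format.
GOOD_EXAMPLE = r"""{
  "exclusions" : [
    { "type" : "extension", "path" : "dll" },
    { "type" : "file", "path" : "c:\\myprog\\test.exe" },
    { "type" : "regval", "path" : "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN|DESKBAR" },
    { "type" : "hash", "path" : "3BAA69B0C31CA2CCFB30D75A83B060AA" }
  ],
  "schemaVersion" : 1
}"""

# Constructed sample that is well-formed JSON but has content errors.
BAD_CONTENT_EXAMPLE = r"""{
  "exclusions" : [
    { "type" : "hash", "path" : "3BAA69B0" },
    { "type" : "regval", "path" : "SOFTWARE\\Vendor\\App" },
    { "type" : "signature", "path" : "x" }
  ],
  "schemaVersion" : 2
}"""

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_EXAMPLE), ("good", GOOD_EXAMPLE), ("bad content", BAD_CONTENT_EXAMPLE)):
        print(label, "->", validate_exclusions(sample) or "OK")
```

Run it against each exclusion file before distributing it; a syntax error is reported with its line and column, and content errors are reported per entry so the offending line can be found quickly.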
Create Custom rules
Remediation Connector Solution can be configured to target threats that may otherwise go undetected. Using custom rules formatted in JSON, you can instruct Remediation Connector Solution to search for Indicators of Compromise (IOCs).
For information on Indicators of Compromise, see:
While IOC Editor allows you to create a range of rules for identifying malware, five (5) specific rule types apply to Remediation Connector Solution. An example of each rule type is provided below, showing its format and the scans in which it is applied.
Custom Hash rule
The Custom Hash rule identifies a file by its MD5 hash value.
Rule example:
{
  "condition" : "is",
  "md5" : "3BAA69B0C31CA2CCFB30D75A83B060AA",
  "name" : "TestThreat.CustomHashRule",
  "type" : "hash"
}
- Criteria: Condition value = “is”
- When Used: Full scan, Hyper scan, Threat scan, Path scan
Custom File rule
The Custom File rule identifies a file by its file name.
Rule examples (one for each condition):
{
  "condition" : "is",
  "fileName" : "ThreatFile.exe",
  "name" : "TestThreat.CustomFileRule.Is",
  "type" : "file"
}
{
  "condition" : "contains",
  "fileName" : "ThreatFile",
  "name" : "TestThreat.CustomFileRule.Contains",
  "type" : "file"
}
- Criteria: Condition value = “is” or “contains”. When the “is” condition is used, the filename does not include the directory path. The filename is case-insensitive.
- When Used: Full scan, Hyper scan, Threat scan, Path scan
Custom Folder rule
The Custom Folder rule identifies a folder by its path.
Rule examples (one for each condition):
{
  "condition" : "is",
  "folderPath" : "C:\\abc\\ThreatFolder",
  "name" : "TestThreat.CustomFolderRule.Is",
  "type" : "folder"
}
{
  "condition" : "contains",
  "folderPath" : "ThreatFolder",
  "name" : "TestThreat.CustomFolderRule.Contains",
  "type" : "folder"
}
- Criteria: Condition value = “is” or “contains”. When the “is” condition is used, the folder path is the absolute path of the folder. The folder path is case-insensitive.
- When Used: Full scan, Hyper scan, Threat scan, Path scan
Custom Registry Key rule
The Custom Registry Key rule identifies a specific registry key.
Rule example:
{
  "condition" : "is",
  "keyPath" : "HKLM\\abc\\ThreatRegKey",
  "name" : "TestThreat.CustomRegKeyRule",
  "type" : "regkey"
}
- Criteria: Condition value = “is”. The registry key is case-insensitive.
- When Used: Full scan, Threat scan
Custom Registry Value rule
The Custom Registry Value rule identifies a specific registry value. It requires three indicator items: keyPath, valueName, and valueData.
Rule example:
{
  "condition" : "is",
  "keyPath" : "HKLM\\abc\\ThreatRegKey",
  "name" : "TestThreat.CustomRegValueRule",
  "type" : "regvalue",
  "valueData" : "sampledata",
  "valueName" : "name1"
}
- Criteria: Condition value = “is”. All indicator values are case-insensitive.
- When Used: Full scan, Threat scan
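The five rule types above differ in which keys they require, which conditions they accept, and which scans apply them, and a rule that is silently ignored because of a wrong key name gives a false sense of coverage. The following linter is an added example (not part of Remediation Connector Solution or IOC Editor). It encodes the required keys, allowed conditions, and "When Used" scan types exactly as listed above, flags rules that break the documented criteria (a "contains" condition on a registry rule, a directory path inside an "is" fileName, a relative folderPath with "is"), and includes a small case-insensitive matcher for file and folder rules. The matcher's choice to compare a file rule against the file name only, and the drive-letter test for absolute paths, are assumptions.

```python
import re

# Required keys and allowed conditions per rule type, as documented.
RULE_SPEC = {
    "hash":     {"keys": ("md5",),                              "conditions": ("is",)},
    "file":     {"keys": ("fileName",),                         "conditions": ("is", "contains")},
    "folder":   {"keys": ("folderPath",),                       "conditions": ("is", "contains")},
    "regkey":   {"keys": ("keyPath",),                          "conditions": ("is",)},
    "regvalue": {"keys": ("keyPath", "valueName", "valueData"), "conditions": ("is",)},
}
# Scan types in which each rule type is applied (the "When Used" lines).
WHEN_USED = {
    "hash": ("Full", "Hyper", "Threat", "Path"),
    "file": ("Full", "Hyper", "Threat", "Path"),
    "folder": ("Full", "Hyper", "Threat", "Path"),
    "regkey": ("Full", "Threat"),
    "regvalue": ("Full", "Threat"),
}
MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def validate_rule(rule):
    """Return a list of problems with one custom rule object (empty list means it looks valid)."""
    problems = []
    t = rule.get("type")
    if t not in RULE_SPEC:
        return ["unknown rule type %r" % (t,)]
    spec = RULE_SPEC[t]
    if not rule.get("name"):
        problems.append("rule needs a non-empty name")
    cond = rule.get("condition")
    if cond not in spec["conditions"]:
        problems.append("%s rule: condition must be one of %s" % (t, "/".join(spec["conditions"])))
    for k in spec["keys"]:
        if not isinstance(rule.get(k), str) or not rule[k]:
            problems.append("%s rule: missing %s" % (t, k))
    if problems:
        return problems
    # Content checks derived from the documented criteria.
    if t == "hash" and not MD5_RE.match(rule["md5"]):
        problems.append("hash rule: md5 must be 32 hex characters")
    if t == "file" and cond == "is" and ("\\" in rule["fileName"] or "/" in rule["fileName"]):
        problems.append("file rule with 'is': fileName must not include a directory path")
    if t == "folder" and cond == "is" and not re.match(r"^[A-Za-z]:\\", rule["folderPath"]):
        problems.append("folder rule with 'is': folderPath must be an absolute path")  # drive-letter test is an assumption
    return problems


def rule_matches(rule, observed):
    """Case-insensitive 'is'/'contains' test of a file or folder rule against an observed path."""
    t = rule["type"]
    if t == "file":
        # Assumption: file rules are compared against the file name component only.
        needle, haystack = rule["fileName"].lower(), observed.rsplit("\\", 1)[-1].lower()
    elif t == "folder":
        needle, haystack = rule["folderPath"].lower(), observed.lower()
    else:
        raise ValueError("rule_matches covers file and folder rules only")
    return haystack == needle if rule["condition"] == "is" else needle in haystack


if __name__ == "__main__":
    # Constructed rules: the first is valid, the second uses a condition regkey rules do not allow.
    for r in (
        {"condition": "is", "md5": "3BAA69B0C31CA2CCFB30D75A83B060AA", "name": "TestThreat.CustomHashRule", "type": "hash"},
        {"condition": "contains", "keyPath": "HKLM\\abc\\ThreatRegKey", "name": "TestThreat.BadRegKeyRule", "type": "regkey"},
    ):
        print(r["name"], "->", validate_rule(r) or "OK", "| used in:", ", ".join(WHEN_USED[r["type"]]))
```

Run every rule file through validate_rule before loading it, and use WHEN_USED to confirm that the scan type you schedule (for example a Hyper scan) actually evaluates the rule types you rely on; registry rules are only applied by Full and Threat scans.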
GPO and Trend Micro custom exclusions
Remediation Connector Solution can exclude GPO and anti-virus solutions from being scanned. See the attachments at the bottom of the article for the most common exclusions for GPO and Trend Micro.