Elements Endpoint Detection and Response (EDR) detects a safe application. How to whitelist the detection? - F-Secure Community
<main> <article class="userContent"> <h3 data-version="20" data-article="000008622" data-id="issue">Issue:</h3> <p>F-Secure Elements Endpoint Detection and Response (EDR) detects a safe application (e.g. an in-house application). How to whitelist the detection?</p> <h3 data-id="resolution">Resolution:</h3> <p>To whitelist a file directly, complete the following:</p>
<ol><li>Log in to the Elements Security Center <a rel="nofollow" href="https://elements.f-secure.com/">here</a>.</li><li>Select the Endpoint Detection and Response section in the leftmost navigation bar in Elements Security Center.</li><li>Go to the <b>Detections</b> tab and tick the Broad Context Detections check box.</li><li>Click the <b>"Update status"</b> option at the bottom of the page.</li><li>Select <b>"Closed"</b> from the drop-down menu, then select <b>"False positive"</b> as the reason.</li><li>Click the <b>"Update"</b> option.</li></ol>
<p>Once at least one identical incident has been closed as a false positive, and no identical incident has been closed as confirmed, the false positive handling in F-Secure Elements Endpoint Detection and Response (EDR) closes the false positive automatically.</p>
<p>Broad context detections can be closed as Auto false positive automatically when they are identical to previously closed false alarms. For F-Secure Elements Endpoint Detection and Response to close a broad context detection as Auto false positive, the following criteria must be met:</p>
<ul><li>the incident must be New / Unconfirmed,</li><li>you must have closed an identical incident in the same organization as False positive, and</li><li>no identical incidents in the same organization have been Confirmed.</li></ul>
<p>More information about automatic handling of incidents can be found <a rel="nofollow" href="https://help.f-secure.com/product.html?business/edr/latest/en/task_40F69D464B7A4DC3977944EA5868D366-latest-en">here</a>.</p>
<p>If this has been completed multiple times and the file still gets detected, make a whitelist request for the False Positive event as follows:</p>
<ol><li>From the left-hand menu in F-Secure Elements Endpoint Detection and Response (EDR), click the three dots below Reports and choose <b>Support</b>.</li><li>Click the <b>Request whitelisting</b> link. This brings up a support request form.</li><li>Verify that the following fields are populated correctly: <ul><li><b>Problem Category</b> -&gt; <b>Threat/Malware</b></li><li><b>Problem Subcategory</b> -&gt; <b>False Positive</b></li><li><b>Product Group</b> -&gt; <b>For Business</b></li><li><b>Product Name</b> -&gt; <b>Rapid Detection &amp; Response</b></li><li><b>Language</b> -&gt; <b>English</b></li></ul></li><li>Under <b>Description</b>, provide the Broad Context Detection ID (BCD-ID), the reason why this content should be whitelisted, and the scope (single host, company level, etc.).</li><li>Fill in the rest of the required case information. Correct and complete information helps us to identify you and provide you with the proper service level.</li><li>Click <b>Send</b> to open the support ticket.</li></ol>
<p>Article no: 000008622</p> </article> </main>