Steps to Whitelist UltraViewer in CrowdStrike



Identify the UltraViewer Detection

  1. Go to Endpoint Security > Endpoint detections.
  2. Select the alert generated for UltraViewer and open the details view.
  3. Note the file path shown in the alert:
 \Device\HarddiskVolume3\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
 
  4. Copy the hash value shown on the same page:
 ****e3c02f083b**********************245033105******
 


Create File Path Exclusion

  1. Go to Endpoint Security > Configure > Exclusions.
  2. Under Machine learning (file path) exclusions, click Create exclusion.
  3. Select the Host Group where the affected system is added and click Next.
  4. Enable the following options:
    • Detections and Prevents
    • Uploads to CrowdStrike
  5. Under Exclusion pattern, paste the copied file path:
 \Device\HarddiskVolume3\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
 
  6. Click Create Exclusion.

Note:

  • If All hosts is selected, the exclusion may not be applied for unknown reasons.
  • Always select the specific Host Group to ensure the exclusion is successfully created.


Create Hash Allow Rule (IOC Management)

  1. Go to Endpoint Security > Configure > IOC Management.
  2. Click Add hash.
  3. If the option is not visible:
    • Click the three vertical dots (⋮) on the top-right corner.
    • Select Add hashes.
  4. A new pop-up window will open.
  5. Click + Manually add hashes.
  6. Paste the copied hash value:
 ****e3c02f083b**********************245033105******
 
  7. Provide a description.
  8. Select the appropriate Host Group.
  9. Select Platform: Windows.
  10. Select Action: Allow, do not detect.
  11. Click Add hashes.


Steps to Create IOA Exclusion

  1. Go to Endpoint Security > Endpoint detections.
  2. Select the alert generated for UltraViewer and open the details view.
  3. In the detection details, verify the following:

Command Line

 "C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"
 

File Path

 \Device\HarddiskVolume3\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
 
  4. On the top-right corner of the detection page, click Action.
  5. Click Create IOA exclusion.
  6. Select the appropriate Host Group where the host is present.
  7. Provide a Name for the exclusion.
  8. Complete the creation process.

Handling Repeated Detections (Command Line Variations)

  • Some detections may still be triggered even after adding all exclusions.
  • This usually happens when the Command line path or PID differs.
  • While creating the IOA exclusion, edit the Command line field as shown below to cover all variations:
 .*\\Program\s+Files\s+\(x86\)\\UltraViewer\\UltraViewer_Desktop.*
 
  • This regex matches any command line that contains the \Program Files (x86)\UltraViewer\UltraViewer_Desktop path, whatever precedes or follows it, so all detections related to the UltraViewer executable are excluded.

Example of PID variations observed:

 C:\Windows\system32\application.exe -u -p 13176 -s 268
 C:\Windows\system32\application.exe -u -p 3936 -s 260
 C:\Windows\system32\application.exe -u -p 17040 -s 268
 
  • In the above examples, the -p value (Process ID) changes dynamically.
  • Because the PID changes on every execution, detections may reappear.
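
A scope check for the command-line pattern above, as an added example that is not part of the original page. It runs the page's regex and a hypothetical tighter variant (TIGHT_PATTERN, an assumption) against mostly constructed command lines, using Python's re with full-match semantics as an approximation of how the console matches.

```python
import re

# Command-line pattern from the page (value of the IOA exclusion's Command line field).
PAGE_PATTERN = r'.*\\Program\s+Files\s+\(x86\)\\UltraViewer\\UltraViewer_Desktop.*'

# Hypothetical tighter variant (an assumption, not from the page): the image name
# must end in .exe, followed by an optional closing quote and optional arguments.
TIGHT_PATTERN = (r'.*\\Program\s+Files\s+\(x86\)\\UltraViewer'
                 r'\\UltraViewer_Desktop\.exe"?(\s.*)?')

# Sample command lines. "page_*" entries are copied from the page; the rest are constructed.
SAMPLES = {
    "page_cmdline": r'"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"',
    "page_pid_line": r'C:\Windows\system32\application.exe -u -p 13176 -s 268',
    "with_args": r'"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe" --constructed-arg 1',
    "other_drive": r'"D:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"',
    "other_binary_same_prefix":
        r'"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop_helper.exe"',
    "other_folder": r'"C:\Users\Public\UltraViewer\UltraViewer_Desktop.exe"',
}


def coverage(pattern, samples=SAMPLES):
    """Return {label: bool}: does the pattern match the whole command line?"""
    rx = re.compile(pattern)
    return {label: rx.fullmatch(cmd) is not None for label, cmd in samples.items()}


def report():
    """Return (label, matched_by_page_pattern, matched_by_tight_pattern) per sample."""
    page, tight = coverage(PAGE_PATTERN), coverage(TIGHT_PATTERN)
    return [(label, page[label], tight[label]) for label in SAMPLES]


if __name__ == "__main__":
    for label, p, t in report():
        print(f"{label:26} page={p!s:5} tight={t}")
```

Neither pattern matches the page's `application.exe -u -p ... -s ...` sample, because that command line does not contain the UltraViewer path. The trailing `.*` in the page's pattern also covers any other file name in that folder that starts with UltraViewer_Desktop.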

Verification

  • Ensure the ML file path exclusion, IOC hash rule, and IOA exclusion are applied to the correct Host Group.
  • Re-launch UltraViewer and confirm that no new detections are generated.