We use ESET in our org, and updates are being blocked by AMP, however it is not generating events in the Security Center nor is it showing as filtered content in the Network Wide Event Log. Disabling AMP temporarily allows ESET to update successfully. Is there a way to see exactly what AMP is blocking, so I can whitelist the false positives?
I saw one event in the Security Center where communication with one of the ESET subdomains had flagged the download as "User-Agent known malicious user-agent string - Win.Trojan.Batlopma". I've added "eset.com" to the whitelisted URLs under AMP in the Threat Protection window, but that didn't do anything. ESET uses a hundred or so subdomains to deliver updates ... do I need to add ALL of those subdomains to the whitelist?
I'm having the same issue with AMP blocking updates to Google services on wireless devices ... whitelisting "1e100.net" had no effect. Neither did "*.1e100.net"
How can I identify and allow false-positives without disabling AMP?
