I tried looking through the "Best Practice" guide for some insight on how to handle things like MMC.exe, notepad++.exe, powershell_ISE.exe. In my environment, I see these pop up once in a while. In some cases, the user is actively trying to modify scripts or other files through the programming interface within notepad++.exe or powershell_ISE.exe. In other cases, it is the mmc.exe trying to load a plug-in of some sort and it is flagging in Policy Discovery as trying to modify a DLL, which I suppose it is trying to load some random plug-in that the endpoint user wants to use.
My question rests in what is the recommended action on such discoveries. I feel that making notepad++.exe and powershell_ISE.exe an updater to allow these types of file modifications might create an invulnerability if a malicious script or file were to run through those programs. Am I being "too cautious" in that sense? Is it considered "best practice" to allow such programs, like MMC and notepad++/powershell_ISE as updaters to avoid work interruption for the end-users?
Thanks for your time. I appreciate any feedback on this.