Does anyone have a list of which Microsoft services, like svchost.exe, shouldn't be found in a rule set on the ePO server?
A list of processes that are very insecure to allow, e.g. as an updater? I think that's what McAfee calls "generic launcher processes" (see the product guide for details). There is a pre-defined list in ePO > configuration > server settings > solidcore > "generic launcher processes" - e.g. svchost.exe and explorer.exe ;-)