I am getting started on ENS migration. I have run into some issues with self protections and need to do an exclusion.
In VSE 8.8, self protection was part of Access Protection, but in ENS it seems to be split out of Access Protection and moved to its own configuration in the Endpoint Security Common "Options" policy.
There are several deficiencies as far as I can tell, and I want to make sure these are true and not just me not knowing how they work.
In VSE, I could specify a full path to the process I wanted to exclude. This offered some protection to the exclusion since I could exclude certain Microsoft processes based on locations in protected OS locations.
In ENS, it appears that I can only specify a process name and cannot limit to a process running from a certain path. True?
In ENS Self Protection events, the process MD5 hash is listed along with the path and signer information, but there appears to be no way for me to leverage this information when wanting to un-block the process from self protection. So the only option is to un-block a particular process name rather than the MD5 hash, or even to include the path to the executable, as I could do in VSE. Is that correct?
| Field | Value |
|---|---|
| Module Name | Web Control |
| Analyzer Content Creation Date | 7/1/15 5:01:00 AM CDT |
| Analyzer Content Version | 10.1.0000 |
| Analyzer Rule Name | Web Control - Protect plugin registry keys and values |
| Source Process Hash | d3c986639542a28f32da84a5d2d20db8 |
| Source Process Signed | Yes |
| Source Process Signer | C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS |
| Source File Path | C:\WINDOWS\SYSTEM32 |
| Source File Size (Bytes) | 228352 |
| Source Modify Time | 9/29/17 3:41:16 AM CDT |
| Source Access Time | 9/29/17 3:41:16 AM CDT |
| Source Create Time | 9/29/17 3:41:16 AM CDT |
| Target Signed | No |
| Target Path | HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\ENABLE BROWSER EXTENSIONS |