Hello,
I recently a received an alert for a system in my network, threat name, ExP:Illegal API Use. The file it triggered for was Powershell.exe and it was reported as a IDS_ACTION_WOULD_BLOCK. I understand the blocking has to do with my current policy but there was no event ID to tie this to.
The system has been offline since then and has not been started. Could you please provide some more insights on this?
Thanks.
Solved! Go to Solution.
Hello @ronton90
Can you give us some more info about the event itself?
There is high probability you have something similar to:
Usually for IPS events, event ID is the same, but "Analyzer Rule ID" should tell you which signature is violated. In mentioned example violation of 6082 signature is detected because Powershell has been called to execute "-ExecutionPolicy Unrestricted" command.
IDS_ACTION_WOULD_BLOCK means that probably you have signature enabled to report only, not to block, but like I said, we will need more info.
I hope this helps.
Hello @ronton90
Can you give us some more info about the event itself?
There is high probability you have something similar to:
Usually for IPS events, event ID is the same, but "Analyzer Rule ID" should tell you which signature is violated. In mentioned example violation of 6082 signature is detected because Powershell has been called to execute "-ExecutionPolicy Unrestricted" command.
IDS_ACTION_WOULD_BLOCK means that probably you have signature enabled to report only, not to block, but like I said, we will need more info.
I hope this helps.
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA