Thank you for the answer.
Can you upload the files once again? I get a 404 error while trying to download them.
Also, in the meantime I tried to change the exclusion in my user-defined rule.
To be certain, the original rule targeted this file: "C:\USERS\Isomeuser\APPDATA\LOCAL\TEMP\$LDTMP$\CLIENTSIDEENABLEWOL.VBS"
So in the Subrules exclusion I tried a couple of variations:
**\TEMP\$LDTMP$\CLIENTSIDEENABLEWOL.VBS
**\$LDTMP$\CLIENTSIDEENABLEWOL.VBS
**\TEMP\$LDTMP$\*.VBS
**\$LDTMP$\*.VBS
Unfortunately, it triggered every time.
@PawelEm Try this; I put them in a .zip
It is possible that you're not putting the exclusion in the proper subrule section (can't be sure since I can't see your whole policy) or that the $ is tripping things up. I would recommend trying the \*LDTMP*\ or \?LDTMP?\ to see if it helps?
Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
My rule looks almost the same as yours (screenshots of the rule below).
I tried to replace $ with * or ?, but it didn't help.
$ in the folder name isn't the problem (I copied the vbs file to a folder named APPDATA\LOCAL\TEMP\0LDTMP0\ and launching the file manually also triggered the rule).
I tried to import the policy provided by you ("Contains both 2.0 and PawelEm's custom 2.0")
and the same thing happened (Threat Name: 2.0: PawelEm's Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement)
and the event:
Threat Event Log Details
Threat Event Log Information
Server ID: MCAFEE-AH
Event Received Time: 4/18/19 10:16:21 AM
Event Generated Time: 4/18/19 10:14:56 AM
Agent GUID: 504EE76C-4672-11E9-1F93-509A4CC3212D
Detecting Prod ID (deprecated): ENDP_AM_1060
Detecting Product Name: McAfee Endpoint Security
Detecting Product Version: 10.6.1.1128
Detecting Product Host Name: testhost
Detecting Product IPv4 Address: 10.200.38.48
Detecting Product IP Address: 10.200.38.48
Detecting Product MAC Address: f83441bd78a6
DAT Version:
Engine Version:
Threat Source Host Name:
Threat Source IPv4 Address: 10.200.38.48
Threat Source IP Address: 10.200.38.48
Threat Source MAC Address:
Threat Source User Name: HEADQUARTER\someuser
Threat Source Process Name: WSCRIPT.EXE
Threat Source URL:
Threat Target Host Name: testhost
Threat Target IPv4 Address: 10.200.38.48
Threat Target IP Address: 10.200.38.48
Threat Target MAC Address:
Threat Target User Name: SYSTEM
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path: C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\
Event Category: 'File' class or access
Event ID: 1092
Threat Severity: Critical
Threat Name: Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement
Threat Type: Access Protection
Action Taken: Blocked
Threat Handled: True
Analyzer Detection Method: Access Protection
Events received from managed systems
Event Description: Access Protection rule violation detected and blocked
Endpoint Security
Module Name: Threat Prevention
Analyzer Content Creation Date: 9/22/15 1:11:11 PM
Analyzer Content Version: 10.6.0
Analyzer Rule Name: Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement
Source Process Hash: 7075dd7b9be8807fca93acd86f724884
Source Process Signed: Yes
Source Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS
Source File Path: C:\WINDOWS\SYSWOW64
Source File Size (Bytes): 147456
Source Modify Time: 4/12/18 3:34:59 AM
Source Access Time: 4/12/18 3:34:59 AM
Source Create Time: 4/12/18 3:34:59 AM
Target Signed: No
Target Path: C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\
Target Modify Time: 4/18/19 12:10:27 PM
Target Access Time: 4/18/19 12:10:27 PM
Target Create Time: 4/18/19 12:10:12 PM
First Action Status: Not available
Second Action Status: Not available
Description: HEADQUARTER\someuser ran WSCRIPT.EXE, which tried to access C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\, violating the rule "Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement", and was blocked. For information on how to respond to this event, see KB85494.
Duration Before Detection (Days): >7 days
Attack Vector Type: Local System
Access Requested: Execute
Maybe someone has some other suggestions?
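As an added illustration (not code from this thread or from McAfee), here is a small matcher for the wildcard conventions these exclusions use, assumed here to be: `**` spans backslashes, `*` stays within one path segment, `?` is exactly one character, `$` is literal, and matching is case-insensitive over the full path. It runs the patterns tried above (plus the two variants suggested in reply and one hypothetical folder-wide candidate) against both the script's full path and the directory-only path recorded as the event's "Threat Target File Path", so you can see which patterns can match each form before editing the policy.

```python
import re

# Constructed from the thread: the script the rule targeted, and the
# directory-only path recorded as "Threat Target File Path" in the event.
SCRIPT_PATH = r"C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\CLIENTSIDEENABLEWOL.VBS"
EVENT_TARGET = SCRIPT_PATH.rsplit("\\", 1)[0] + "\\"
# Exclusions tried in the posts above, plus the two variants suggested in reply.
TRIED = [
    r"**\TEMP\$LDTMP$\CLIENTSIDEENABLEWOL.VBS",
    r"**\$LDTMP$\CLIENTSIDEENABLEWOL.VBS",
    r"**\TEMP\$LDTMP$\*.VBS",
    r"**\$LDTMP$\*.VBS",
    r"**\*LDTMP*\*.VBS",
    r"**\?LDTMP?\*.VBS",
]
# Hypothetical candidate that also covers the directory-only form (assumption).
FOLDER_PATTERN = r"**\$LDTMP$\**"

def pattern_to_regex(pattern):
    """Wildcard pattern -> case-insensitive regex. Assumed semantics: '**' matches
    anything including backslashes, '*' anything except a backslash, '?' one
    character; everything else (including '$') is literal."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(".")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)

def matches(pattern, path):
    """True if the whole path matches the pattern."""
    return pattern_to_regex(pattern).fullmatch(path) is not None

def check_exclusions(patterns, paths):
    """Map each pattern to {path: matched} so the whole table can be reviewed."""
    return {p: {path: matches(p, path) for path in paths} for p in patterns}

if __name__ == "__main__":
    for p, hits in check_exclusions(TRIED + [FOLDER_PATTERN], [SCRIPT_PATH, EVENT_TARGET]).items():
        print(f"{p:42} script={hits[SCRIPT_PATH]!s:5} folder={hits[EVENT_TARGET]}")
```

Under these assumed semantics every pattern that ends in a file name or `*.VBS` matches the script path but not the directory-only path the event records, while the `**`-terminated candidate matches both; confirm the actual subrule semantics against the product documentation before relying on it.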
Or just open a service request.
Thank you very much. I set up my own based on the example of your rules, and I can confirm that this method works.