cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Exclusions for Exploit Prevention

We would like to use Exploit Prevention for Powershell attacks. Exploit Preventions offers multiple signatures which can be used to monitor or block the usage of powershell (e.g. 6070 - Hidden Powershell Detected or 6073 Execution Policy Bypass in PowerShell) We've enabled Exploit Prevention and put the signatures 6070 and 6073 in report mode. After a while we analyzed the events. Unfortunaltey there were many false alarms and now we would like to know if we can define exlusions for specific use cases: 1. Exploit Prevention must not block "start.ps1": C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy bypass -NonInteractive -File C:\scripts\windows\Start.ps1 2. Exploit Prevention must not block the following command for AppV: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer 1 -Glo
1 Reply
Reliable Contributor Daveb3d
Reliable Contributor
Report Inappropriate Content
Message 2 of 2

Re: Exclusions for Exploit Prevention

Currently you can't exclude based upon cmdline.  I've asked for this though. 🙂

I'd suggest you just create an Expert Rule for this, and then you can add all the exclusions you'd like.

Dave

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator