cancel
Showing results for 
Search instead for 
Did you mean: 

Exclusions for Exploit Prevention

Jump to solution
We would like to use Exploit Prevention for Powershell attacks. Exploit Preventions offers multiple signatures which can be used to monitor or block the usage of powershell (e.g. 6070 - Hidden Powershell Detected or 6073 Execution Policy Bypass in PowerShell) We've enabled Exploit Prevention and put the signatures 6070 and 6073 in report mode. After a while we analyzed the events. Unfortunaltey there were many false alarms and now we would like to know if we can define exlusions for specific use cases: 1. Exploit Prevention must not block "start.ps1": C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy bypass -NonInteractive -File C:\scripts\windows\Start.ps1 2. Exploit Prevention must not block the following command for AppV: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer 1 -Glo
1 Solution

Accepted Solutions
Reliable Contributor Daveb3d
Reliable Contributor
Report Inappropriate Content
Message 2 of 2

Re: Exclusions for Exploit Prevention

Jump to solution

Currently you can't exclude based upon cmdline.  I've asked for this though. 🙂

I'd suggest you just create an Expert Rule for this, and then you can add all the exclusions you'd like.

Dave

1 Reply
Reliable Contributor Daveb3d
Reliable Contributor
Report Inappropriate Content
Message 2 of 2

Re: Exclusions for Exploit Prevention

Jump to solution

Currently you can't exclude based upon cmdline.  I've asked for this though. 🙂

I'd suggest you just create an Expert Rule for this, and then you can add all the exclusions you'd like.

Dave

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator