cancel
Showing results for 
Search instead for 
Did you mean: 

Exclusions for Exploit Prevention

Jump to solution
We would like to use Exploit Prevention for Powershell attacks. Exploit Preventions offers multiple signatures which can be used to monitor or block the usage of powershell (e.g. 6070 - Hidden Powershell Detected or 6073 Execution Policy Bypass in PowerShell) We've enabled Exploit Prevention and put the signatures 6070 and 6073 in report mode. After a while we analyzed the events. Unfortunaltey there were many false alarms and now we would like to know if we can define exlusions for specific use cases: 1. Exploit Prevention must not block "start.ps1": C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy bypass -NonInteractive -File C:\scripts\windows\Start.ps1 2. Exploit Prevention must not block the following command for AppV: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer 1 -Glo
1 Solution

Accepted Solutions
Reliable Contributor Daveb3d
Reliable Contributor
Report Inappropriate Content
Message 2 of 2

Re: Exclusions for Exploit Prevention

Jump to solution

Currently you can't exclude based upon cmdline.  I've asked for this though. 🙂

I'd suggest you just create an Expert Rule for this, and then you can add all the exclusions you'd like.

Dave

1 Reply
Reliable Contributor Daveb3d
Reliable Contributor
Report Inappropriate Content
Message 2 of 2

Re: Exclusions for Exploit Prevention

Jump to solution

Currently you can't exclude based upon cmdline.  I've asked for this though. 🙂

I'd suggest you just create an Expert Rule for this, and then you can add all the exclusions you'd like.

Dave

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community