I have configured an automatic response for non-malware events in ePO.
I'm getting an Exploit Prevention Event ID 18060 "Would block" report:
Event Category: 'Registry' class or access
Event ID: 18060
Threat Severity: Critical
Threat Name: New Startup Program Creation
Threat Type: Exploit Prevention
Action Taken: Would block
Threat Handled: True
Analyzer Detection Method: Exploit Prevention
Module Name: Threat Prevention
Analyzer Content Version: 10.6.0.9626
Analyzer Rule ID: 344
Analyzer Rule Name: New Startup Program Creation
In our Exploit Prevention Policy, 'New Startup Program Creation' is disabled by default McAfee policy (ID 344).
My question is: why am I receiving this automatic response (violating the rule "New Startup Program Creation". Access was allowed because the rule wasn't configured to block.) if this rule is disabled, not reported or blocked?