2 Solutions
Hi,
Thank you for your response and for this info - cool, I didn't know there was an on-line doc. 
It is what I was looking for and gives me partial answer, however, it seems incomplete and I have a bad feeling. The page gives info on how to
- "Exclude items from all rules.", which is bad as it goes too far...
- or I can only "Specify processes for inclusion or exclusion in a user-defined Application Protection rule. (Buffer overflow and illegal API violations only) ", which doesn't help as the rule I'm looking at is "McAfee-defined" rule 413 on double extension on files.
So, I have a feeling that what I need is not possible...
My present workaround has been to set this rule to log/report only and not block. It is not what I would prefer, but I feel it is the lesser eveil.
Again thanks for your help.
Serge
Hi, I had a look and to me it apears you would have to use the "Files - Proceses - Registry" exclusion type. The reason is based on the events we have in our enviroment its showing that as event description.
You could try creating a new exclusion and put "File Name or Full Path, MD5 Hash and Signer". I think this would be the safest way to limit the false positive you are haivng one file. Keep in mind though it would exclude it from all "File/Process/Registry violation".
Scott
