We are still struggling and LABS is working on our case because these rules are not visible in ePO despite the fact that we have already updated the content version.
You'll need to make sure you set the "Filter" to display "Severity: Others" in order to see the Signature now and be able to switch it off if that is what you want/need to do.
Apologies for not looping you in on my previous reply. May I know what update you seek on this issue? Are you facing a false positive for this rule? May I know if my previous response can help or clarify this for you in any way?
The actual fix vs whitelisting/disable workarounds. This did not seem to be a problem a few weeks back and I thought I saw that a true fix was on the way, perhaps in an updated DAT file or something.
Yes, it is already taken care of by the updated Exploit Prevention content. You can install 9863 (released on 28th Jan) that has the false positive resolved.
We have been suffering from this issue for a few days, but in our case the rule is no longer present in the Policy (with all options activated the rule is NOT shown) and we have some servers that are uploading block events to the ePO.
To be more precise, thousands of false positive block events on that rule since +- 16/02, so yesterday.
Thank you for reporting this. I would like to assist you via a Service Request if you have one in place already! The rule must be present, however, the Filter options may hide it since this rule has a priority that falls under "Disabled"!
It is worth having a check locally as well and I can assure the sig is still present in the content and has not been removed! I have attached a screengrab of what I am referring to for your kind reference!
The case was opened at the same time I added this comment to the forum. A remote session yesterday confirmed that:
locally the rule is present
the rule is no longer present in any of the TP EXP Policies.
if exported, all policies showed no trace of this rule in the XML file
The investigation will continue on Wednesday with both the ePO and ENS support teams.
Wait until you see WHEN it blocks an Exchange Migration (RUUPDATE) with those customers who have ENS running on servers. For all who don't handle those in detail: such a service pack (roll-up) often exports the whole Exchange config into some XML files, THEN deinstalls all Exchange files, binaries and even services, and then reinstalls everything and configures it as defined in the XML.
You can imagine what happens there if such an EFS effect is happening...