We get a ton of false positives from ENS due to the Unmanaged PowerShell and Unmanaged PowerShell II rules. We don't really want to disable these rules, because PowerShell is probably the #1 most exploited vector attackers use to attack Windows hosts, but we are now seeing false positives from native Windows processes like COMPATTELRUNNER.EXE and RemoteFXvGPUDisablement.exe.
Each PC is running the RemoteFXvGPUDisablement.exe process every day, so it's a ton of alerts, and it's creating chase burnout and making people non-vigilant.
Thank you for posting your question to our community, @enxl!
Are you seeing a ton of detection events from the Exploit Prevention feature with signature ID 608x?
Are there any trends?
You can exclude individual processes from each signature ID.
This reduces the security risk compared with disabling the signature ID completely.
If it is difficult to determine, please raise a support ticket and contact us.
We will provide possible advice for this.
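As an added example that is not part of the thread (it is neither McAfee's code nor the respondents'), the pre-exclusion check a practitioner would run before excluding the two processes named in the question from a 608x signature: confirm each binary sits at its standard Windows path, carries a valid Microsoft signature, and is launched by a known scheduled task, so the exclusion can be written against a full path rather than a bare name. It assumes a default install with %SystemRoot% at C:\Windows; the paths are the standard locations of these two Windows binaries.

```powershell
# Added example, not from the thread or from McAfee: pre-exclusion check for the
# processes named in the question. Assumption: default %SystemRoot% (C:\Windows).
$Candidates = @(
    (Join-Path $env:SystemRoot 'System32\CompatTelRunner.exe'),
    (Join-Path $env:SystemRoot 'System32\RemoteFXvGPUDisablement.exe')
)

$Report = foreach ($Path in $Candidates) {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path is not present on this host; nothing to exclude here."
        continue
    }
    # Authenticode check covers both embedded and catalog-signed Windows binaries.
    $Sig    = Get-AuthenticodeSignature -FilePath $Path
    $Signer = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        Path   = $Path
        Status = $Sig.Status     # expect 'Valid' for the genuine Windows file
        Signer = $Signer         # expect CN=Microsoft Windows, O=Microsoft Corporation, ...
        Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}
$Report | Format-Table -AutoSize

# Anything unsigned, or signed by someone other than Microsoft, is not the
# Windows binary and must not be excluded under that name.
$Suspect = $Report | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
}
if ($Suspect) { Write-Warning "Do not exclude: $($Suspect.Path -join ', ')" }

# Which scheduled tasks launch these binaries? A task under \Microsoft\Windows\
# explains the daily alert volume described in the question; a task registered
# anywhere else deserves a closer look before any exclusion is written.
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'CompatTelRunner|RemoteFXvGPUDisablement' }
} | Select-Object TaskPath, TaskName, State | Format-Table -AutoSize
```

Run it on one of the affected hosts and write the exclusion against the full path the report shows; if your ENS version's Exploit Prevention exclusion fields also let you pin the signer or hash, use them. A name-only exclusion also whitelists any attacker binary renamed to match.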
Hi @enxl,
You can have them excluded for the rules; I have also attached a link below for your reference.
Please do let me know if you have any questions.
It is the job of the security software to know whether something is actually malicious or not. So yes, you can create exclusions, but that just makes your enterprise less safe. Also, why can't you create an exclusion directly from the event notice? Why do you have to manually create exclusions? I've been trying to create an exclusion that works for COMPATTELRUNNER.EXE, and it just keeps notifying us about normal Windows operations.
Why can't McAfee just do their job and update their rules themselves, since that is what we all are paying them to do?