I'm running into the same issue with the Suspicious Double File Extension Execution event (ID 413). I have several programs that run from a network share (i.e., SCCM advertisements, login scripts), and I can't seem to create an override that will allow them to run without being flagged. Has anyone had any luck with exceptions for this event?
Look at the event itself in the ePO console. Is the executable listed as EXECUTABLE or TARGET EXECUTABLE? Create an IPS exception using the info from the ePO event and see if it matches your IPS exception.
edit: You'll notice that the Threat Source Process Name is probably not WZZIP.EXE, but something else, like EXPLORER.EXE. Review your event and the Advanced Details at the bottom of the event itself, and review the TARGET PATH for the full path of the WZZIP.EXE. Modify your IPS Exception to match that of the event itself.
I use HIP 8 and found a false detection for Suspicious Double File Extension Execution (even though the .exe file does not have a double file extension); this is because the path contains an FQDN, e.g.
The entire file path contains a .com and a .exe, which is why this signature triggers.
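To make the mechanism described above concrete, here is an added example (not code from the thread, and not McAfee HIPS's actual signature logic, whose internals are not shown here): a hypothetical reconstruction in Python of a double-extension check applied to the whole Target Path versus the same check applied only to the file name. The sample UNC and local paths, the regex, and the extension list are all constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Executable extensions the hypothetical check cares about (assumed list,
# not the real signature's list).
EXEC_EXTS = ("exe", "com", "scr", "pif", "bat", "cmd")

# "Some extension-like token (.xxx), then later a trailing executable extension."
DOUBLE_EXT_RE = re.compile(
    r"\.[A-Za-z0-9]{1,4}.*\.(?:" + "|".join(EXEC_EXTS) + r")$",
    re.IGNORECASE,
)


def naive_full_path_match(path: str) -> bool:
    """Hypothetical reconstruction of the symptom the thread describes:
    the pattern is applied to the whole path, so a dotted host name such as
    sccm01.corp.example.com supplies the 'first extension' and the trailing
    .exe supplies the second."""
    return DOUBLE_EXT_RE.search(path) is not None


def basename_match(path: str) -> bool:
    """The same check restricted to the final path component, so server and
    directory names cannot contribute dots."""
    name = PureWindowsPath(path).name
    return DOUBLE_EXT_RE.search(name) is not None


def classify(path: str) -> dict:
    """Return both verdicts so the false positive is visible side by side."""
    naive = naive_full_path_match(path)
    strict = basename_match(path)
    return {
        "path": path,
        "naive_full_path": naive,
        "basename_only": strict,
        "false_positive": naive and not strict,
    }


# Constructed sample Target Paths (made up for this example, not from the thread).
SAMPLE_PATHS = [
    r"\\sccm01.corp.example.com\SMSPKGC$\ABC00012\setup.exe",  # UNC with FQDN
    r"\\sccm01\SMSPKGC$\ABC00012\setup.exe",                   # UNC with NetBIOS name
    r"C:\Program Files\WinZip\WZZIP.EXE",                       # local, single extension
    r"C:\Users\alice\Downloads\invoice.pdf.exe",                # genuine double extension
]

if __name__ == "__main__":
    print("full_path basename false_positive path")
    for p in SAMPLE_PATHS:
        r = classify(p)
        print(f"{r['naive_full_path']!s:9} {r['basename_only']!s:8} "
              f"{r['false_positive']!s:14} {p}")
```

Only the FQDN path comes out as a false positive: the NetBIOS form of the same share and the local WZZIP.EXE path never match, and the real double-extension file is flagged by both variants. When writing the IPS exception, this is why the Target Path copied from the ePO event (host name included) needs to match exactly.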
Absolutely YES; however, why does HIPS detect the path as the executable file?