We are working to get our newly implemented environment optimized and are looking through our Threat Event Log to see where we might be able to clean up a bit, as we are seeing many threat events daily. With some legitimate processes, we have tried to create some exclusions and have had some success with that, but one in particular is somewhat vexing. We use Microsoft SCCM in our environment and have created exclusions for it in pertinent Access Protection policies, but it is still generating threat alerts. We initially had it added with the complete path (C:\Windows\CCM\CcmExec.exe), but when this did not work, we added just the executable name (CcmExec.exe). Has anyone else had experience with this? Is there a best way to add an exclusion (path or just process)?
One thing I want to mention is that the process runs as NT AUTHORITY\SYSTEM. I recall someone mentioning to me that exclusions have issues when the process runs as System, but I couldn't find a reference to that again. Can anyone confirm if this is true? Any information would be greatly appreciated!