Can you supply a screen shot of your rule?
Create a standard query with base filters:
Threat name=name of rule
Threat target file path does not contain= yada-yada.exe
just remember exclusions are based off of executing process (threat source process name)
Select the Block EXE rule and open the details, add a screen shot of that.
Next step would be to see what processes are actually triggering the rule.
Create a single group summary table query.
Threat Name= User-Defined Rules:Block EXE from AppData
Group by threat source process name. This will show you which programs are creating the most events. Also add that screen shot.
The attachment for the block *.EXE
And a screenshot of the filter...
And some copy&paste of the Threat Target Path File:
The way the rule reads is: Prevent all exe files from being created\executed in the AppData directory except if the process attempting the action is program x (x being the threat source process).
It does NOT read: Prevent all exe files from being created\executed in AppData directory except if the file being created is file x (x being the target file).
I think you're getting a lot of hits for a few reasons.
- You're using a variable to cover all subfolders. Typically it's only recommended to prevent creation of executables in the root of AppData, or the root of a subgroup of AppData (e.g. Roaming, Local, LocalLow). The rule looks like: **\AppData\*.exe and **\AppData\*\*.exe
- You can try unchecking read\write (if not, you may want to add the McAfee processes mcshield.exe, scan32.exe, scan64.exe as exclusions).
- Lastly, if you still want to keep the directory exclusion the same, which would cover all subdirectories of AppData, I would recommend using **\AppData\**.exe instead of **\AppData\**\*.exe, because the way you have it listed doesn't prevent executables from being created in the root of AppData.
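The two points made in this thread (exclusions key off the threat source process, not the target file, and `*` versus `**` decide whether the root of AppData is covered) are easy to get wrong when reading a rule definition. The following is an added illustration, not code from the thread or from McAfee: a small Python matcher that interprets the wildcard syntax the way the posts above describe it (`*` stays within one directory level, `**` may span directory separators, matching is case-insensitive) and then evaluates a rule against a few constructed events. The process names, file paths and the rule name are made up for the example; the wildcard semantics are an assumption based on the thread, so verify them against your own product documentation before relying on the results.

```python
import re

# ASSUMED semantics, taken from the thread above, not from vendor documentation:
#   *   matches any run of characters that does not cross a backslash
#   **  matches any run of characters, including backslashes (any depth)
#   ?   matches a single character that is not a backslash
# Matching is anchored to the whole path and case-insensitive.
def pattern_to_regex(pattern: str) -> re.Pattern:
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(r".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def path_matches(pattern: str, path: str) -> bool:
    return pattern_to_regex(pattern).match(path) is not None


def rule_blocks(rule: dict, event: dict) -> bool:
    """Return True if an Access Protection style rule would block this event.

    rule  : {"include": [patterns], "exclude_processes": [names]}
    event : {"process": threat source process name,
             "target":  threat target file path}
    The exclusion list is compared against the *process*, never the target
    file, which is exactly the point made in the thread.
    """
    if event["process"].lower() in (p.lower() for p in rule["exclude_processes"]):
        return False
    return any(path_matches(p, event["target"]) for p in rule["include"])


# Constructed sample paths (not real telemetry).
ROOT = r"C:\Users\bob\AppData\evil.exe"
ONE_DEEP = r"C:\Users\bob\AppData\Roaming\evil.exe"
TWO_DEEP = r"C:\Users\bob\AppData\Roaming\Vendor\evil.exe"

PATTERNS = {
    "root only":      r"**\AppData\*.exe",
    "one level down": r"**\AppData\*\*.exe",
    "subdirs, not root": r"**\AppData\**\*.exe",
    "root and all subdirs": r"**\AppData\**.exe",
}


def coverage_table() -> dict:
    """Which constructed path each pattern matches, keyed by pattern label."""
    return {
        label: {
            "root": path_matches(pat, ROOT),
            "one_deep": path_matches(pat, ONE_DEEP),
            "two_deep": path_matches(pat, TWO_DEEP),
        }
        for label, pat in PATTERNS.items()
    }


# Hypothetical rule named like the one in the thread; yada-yada.exe is the
# placeholder used there.  Excluding it as a *process* lets that program drop
# exe files into AppData, but does nothing for a *target file* of that name.
BLOCK_EXE_RULE = {
    "include": [r"**\AppData\**.exe"],
    "exclude_processes": ["yada-yada.exe"],
}


def exclusion_demo() -> dict:
    return {
        "excluded process writing evil.exe": rule_blocks(
            BLOCK_EXE_RULE, {"process": "yada-yada.exe", "target": ONE_DEEP}),
        "other process writing yada-yada.exe": rule_blocks(
            BLOCK_EXE_RULE,
            {"process": "explorer.exe",
             "target": r"C:\Users\bob\AppData\Local\yada-yada.exe"}),
    }


if __name__ == "__main__":
    for label, hits in coverage_table().items():
        print(f"{label:22s} {hits}")
    print(exclusion_demo())
```

Running the script prints a small table showing that only `**\AppData\**.exe` covers the root of AppData as well as every subdirectory, that `**\AppData\**\*.exe` skips the root, and that an exclusion on `yada-yada.exe` only helps when that name is the executing process, so a target file called `yada-yada.exe` written by any other program is still blocked.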