stanley783

Members
  • Posts

    4
About stanley783

  • Rank
    Newbie

Profile Information

  • Location
    Slovakia
  1. Hi, I wanted to use this operation in an exclusion, but it says it does not exist ('TruncateFile' - an unknown operation type). Is there any option to use FileTruncated that I am unable to write correctly? Let's say I tried this exclusion:

     <operations>
       <operation type="TruncateFile">
         <operator type="OR">
           <condition component="DestFileItem" property="Extension" condition="is" value="dce" />
           <condition component="DestFileItem" property="Extension" condition="is" value="blabla" />
         </operator>
       </operation>
     </operations>

     Should that be used in another operation, or is it not allowed at all? Thanks.
  2. Hi, I am trying to create an exclusion for the alert "AntiVirus Enumeration via WMI query [E1119]", configuring the query and (ideally) also the invoking process, which is pangphip.exe in this case. Below is the query I tried, but it does not work (this syntax works for the CodeInjection operation type but not for WmiQuery). If I remove the FileItem condition, leaving only the Query condition, it works. The process is svchost.exe and the parent is services.exe; other ancestors are purged. Any idea how to change the syntax to state what I need? Thanks.

     <definition>
       <operations>
         <operation type="WmiQuery">
           <operator type="and">
             <condition component="WmiQueryInfo" property="Query" condition="contains" value="select displayname,instanceguid,productstate,timestamp from antivirusproduct" />
             <condition component="FileItem" property="FileName" condition="is" value="pangphip.exe" />
           </operator>
         </operation>
       </operations>
     </definition>