stanley783
-
stanley783 gave kudos to JamesR in FileTruncated operation
"TruncateFile" is an operation which falls under "WriteFile" (yes, annoying that it isn't clearly labeled as such). But you should be able to modify your exclusion as follows to allow it to work.
<operations>
    <operation type="WriteFile">
        <operator type="OR">
            <condition component="DestFileItem" property="Extension" condition="is" value="dce" />
            <condition component="DestFileItem" property="Extension" condition="is" value="blabla" />
        </operator>
    </operation>
</operations>
-
stanley783 gave kudos to JamesR in EEI WmiQuery exception including invoking process
I made a tiny adjustment to your exclusion, can you try the below to see if it works? In short, I changed "FileItem" to "ClientFileItem".
<definition>
    <operations>
        <operation type="WmiQuery">
            <operator type="and">
                <condition component="WmiQueryInfo" property="Query" condition="contains" value="select displayname,instanceguid,productstate,timestamp from antivirusproduct" />
                <condition component="ClientFileItem" property="FileName" condition="is" value="pangphip.exe" />
            </operator>
        </operation>
    </operations>
</definition>