IsuruSam

Members
  • Posts: 3

Kudos

  1. Upvote
    IsuruSam gave kudos to JamesR in Issue with detections on Windows Terminal Server
    @isuruSam You would simply need to alter the advanced exclusion to meet your needs. This means you would have the following options to base your exclusion off of.
     
    You may want to exclude all processes which are of higher global reputation, which means only less reputable applications will trigger when injecting into MSTSC.exe:
    <definition>
      <process>
        <!-- Only exclude if the executable has a good global reputation (LiveGrid Rep) and has been seen globally on 100 or more computers -->
        <!-- You may need to change these numbers based on what you are seeing in your own environment -->
        <operator type="AND">
          <condition component="LiveGrid" property="Reputation" condition="greaterOrEqual" value="8"/>
          <condition component="LiveGrid" property="Popularity" condition="greaterOrEqual" value="100"/>
        </operator>
      </process>
      <operations>
        <operation type="CodeInjection">
          <!-- Describe the possible mstsc.exe processes which are being injected into. Remove or add any different types of components you desire. Keep in mind that this exclusion will not exclude any mstsc.exe processes from "%WINDIR%\WinSxS\..." locations -->
          <operator type="and">
            <operator type="or">
              <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
              <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
            </operator>
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
          </operator>
        </operation>
      </operations>
    </definition>
    If too many different processes are causing this to trigger, on the vast majority of computers, then you may want to exclude any process injecting into mstsc.exe. This means if something malicious does inject into mstsc.exe, you will not see it, but if MSTSC.exe starts doing other actions that are dangerous, you will still see those:
    <definition>
      <operations>
        <operation type="CodeInjection">
          <!-- Describe the possible mstsc.exe processes which are being injected into. Remove or add any different types of components you desire. Keep in mind that this exclusion will not exclude any mstsc.exe processes from "%WINDIR%\WinSxS\..." locations -->
          <operator type="and">
            <operator type="or">
              <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
              <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
            </operator>
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
          </operator>
        </operation>
      </operations>
    </definition>
    In the end, the final decision on how to exclude is yours to decide. Feel free to use these examples as a base for building your own exclusion. Hopefully this helps you out.
  2. Upvote
    IsuruSam gave kudos to JamesR in Injection into system process [F0413b][C] - False positives for MSTSC.EXE   
    Should be answered here: 
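The two exclusion definitions quoted in JamesR's first post above differ in what they silence: the reputation-gated one only suppresses injections from widely seen, well-reputed processes, while the blanket one suppresses every injection into a signed mstsc.exe. The script below is an added example, not ESET's code and not part of the post: it parses both definitions and evaluates them against three constructed injection events. The matching semantics (string equality for `is`, numeric comparison for `greaterOrEqual`, `LiveGrid` fields describing the injecting process and `FileItem`/`Module` fields describing the target, paths compared in the `%SYSTEM%` placeholder form) are assumptions made for illustration, not the product's documented behaviour.

```python
"""Evaluate the two advanced-exclusion definitions from the post against
constructed code-injection events, to show which events each one silences.

Added example, not ESET's code. The matching semantics are an assumption:
"is" means string equality, "greaterOrEqual" means numeric comparison,
LiveGrid conditions describe the injecting process, FileItem/Module
conditions describe the injection target.
"""
import xml.etree.ElementTree as ET

# <operations> block shared by both definitions in the post (comments omitted).
OPERATIONS = r"""<operations>
  <operation type="CodeInjection">
    <operator type="and">
      <operator type="or">
        <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
        <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
      </operator>
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
    </operator>
  </operation>
</operations>"""

# Exclusion 1: only reputable, widely seen injectors are excluded.
REPUTATION_GATED = ("<definition><process><operator type=\"AND\">"
                    "<condition component=\"LiveGrid\" property=\"Reputation\" condition=\"greaterOrEqual\" value=\"8\"/>"
                    "<condition component=\"LiveGrid\" property=\"Popularity\" condition=\"greaterOrEqual\" value=\"100\"/>"
                    "</operator></process>" + OPERATIONS + "</definition>")

# Exclusion 2: any process injecting into a signed mstsc.exe is excluded.
BLANKET = "<definition>" + OPERATIONS + "</definition>"


def _eval_condition(cond, event):
    """Look up event[component][property] and apply the condition operator."""
    actual = event.get(cond.get("component"), {}).get(cond.get("property"))
    if actual is None:
        return False  # attribute absent from the event: the condition cannot match
    op, expected = cond.get("condition"), cond.get("value")
    if op == "is":
        return str(actual) == expected
    if op == "greaterOrEqual":
        return float(actual) >= float(expected)
    raise ValueError(f"unsupported condition {op!r}")


def _eval_node(node, event):
    """Recursively evaluate an <operator> (and/or) or a <condition> element."""
    if node.tag == "condition":
        return _eval_condition(node, event)
    if node.tag == "operator":
        results = [_eval_node(child, event) for child in node]
        kind = node.get("type", "").lower()  # the post mixes "AND" and "and"
        if kind == "and":
            return all(results)
        if kind == "or":
            return any(results)
        raise ValueError(f"unsupported operator {kind!r}")
    raise ValueError(f"unexpected element <{node.tag}>")


def is_excluded(definition_xml, event):
    """True if the definition would suppress this event (assumed semantics)."""
    root = ET.fromstring(definition_xml)
    process = root.find("process")
    if process is not None and not all(_eval_node(c, event) for c in process):
        return False  # injecting process does not meet the <process> gate
    for operation in root.iter("operation"):
        if operation.get("type") != event["type"]:
            continue
        if all(_eval_node(c, event) for c in operation):
            return True
    return False


def make_event(reputation, popularity, target_path, signature_type, signer):
    """Constructed sample event (assumed shape): injector reputation + target file."""
    return {
        "type": "CodeInjection",
        "LiveGrid": {"Reputation": reputation, "Popularity": popularity},
        "FileItem": {"FullPath": target_path},
        "Module": {"SignatureType": signature_type, "SignerName": signer},
    }


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = {
    "reputable_widely_seen_injector": make_event(9, 5000, r"%SYSTEM%\mstsc.exe", 90, "Microsoft Windows"),
    "unknown_low_reputation_injector": make_event(2, 3, r"%SYSTEM%\mstsc.exe", 90, "Microsoft Windows"),
    "injection_into_other_target": make_event(9, 5000, r"%SYSTEM%\notepad.exe", 90, "Microsoft Windows"),
}


def triage(events):
    """Map event name -> (excluded by reputation-gated rule, excluded by blanket rule)."""
    return {name: (is_excluded(REPUTATION_GATED, ev), is_excluded(BLANKET, ev))
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, (gated, blanket) in triage(SAMPLE_EVENTS).items():
        print(f"{name:34s} reputation-gated excluded={gated!s:5s} blanket excluded={blanket}")
```

Running it shows the trade-off the post describes: the low-reputation injector is still visible under the reputation-gated exclusion but silenced by the blanket one, while injections into any other target remain visible under both.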
     