Jump to content

Create exclusion for code injection rule


Go to solution Solved by Jamil-soc,

Recommended Posts

We are getting a lot of code injection detections because our mobile devices have PolicyPak (https://www.policypak.com/) installed. PolicyPak does code injection to be able to do it's "thing" and therefor we get loads of detections like this:

image.thumb.png.541f9d8672879a845d29f54bd4949316.png

 

Is there a way to make an exclusion for the injected process? So in our case we would like to make an exclusion if the injected process matches ppwatchersvc64.exe (or even better if the executable is signed by "PolicyPak, Inc.").

Link to comment
Share on other sites

  • Solution

Hi Jeffry,

 

Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion.

Below an example of an advanced exclusion to exclude code injection triggered by a legitimate process:

<definition>
            <operations>
                <operation type="CodeInjection">
                    <operator type="and">
                        <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
                        <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
                        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
                    </operator>
                </operation>
            </operations>
</definition>

 

Change the FileName and Path accordingly. As mentioned above, this is an example, you can add or remove some conditions if needed. Then Select the rules being triggered and this should exclude the detections.

I also noted that you location is the Netherlands. If you are looking for Dutch support or have any further questions please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket

Best regards,

Selection_122.png

Edited by Jamil-soc
Link to comment
Share on other sites

Thank you!   I was so very very close 😄

I opted to post here so others could also learn from my inability to solve this 🙂

Link to comment
Share on other sites

10 hours ago, Jamil-soc said:

Hi Jeffry,

 

Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion.

Below an example of an advanced exclusion to exclude code injection triggered by a legitimate process:

<definition>
            <operations>
                <operation type="CodeInjection">
                    <operator type="and">
                        <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
                        <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
                        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
                    </operator>
                </operation>
            </operations>
</definition>

 

Change the FileName and Path accordingly. As mentioned above, this is an example, you can add or remove some conditions if needed. Then Select the rules being triggered and this should exclude the detections.

I also noted that you location is the Netherlands. If you are looking for Dutch support or have any further questions please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket

Best regards,

Selection_122.png

Hi,

Thank you for this tip. It solved some alerts that were caused by Fortinet VPN client (fcdblog.exe) and I couldn't fixed with basic exclusion wizard.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...