Jeffry, posted February 19, 2021

We are getting a lot of code injection detections because our mobile devices have PolicyPak (https://www.policypak.com/) installed. PolicyPak does code injection to be able to do its "thing" and therefore we get loads of detections like this:

Is there a way to make an exclusion for the injected process? So in our case we would like to make an exclusion if the injected process matches ppwatchersvc64.exe (or even better if the executable is signed by "PolicyPak, Inc.").
Jamil-soc, posted February 22, 2021 (marked as Solution; edited February 22, 2021 by Jamil-soc)

Hi Jeffry,

Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion. Below is an example of an advanced exclusion to exclude code injection triggered by a legitimate process:

<definition>
  <operations>
    <operation type="CodeInjection">
      <operator type="and">
        <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
        <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
      </operator>
    </operation>
  </operations>
</definition>

Change the FileName and Path accordingly. As mentioned above, this is an example; you can add or remove some conditions if needed. Then select the rules being triggered and this should exclude the detections.

I also noted that your location is the Netherlands. If you are looking for Dutch support or have any further questions please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket

Best regards,
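To show how the "and" operator and the three conditions in the exclusion above combine, here is an added Python example (not ESET's code or its real matching engine) that parses the rule and evaluates it against constructed detection events. The case-insensitive comparison and the "or" operator branch are assumptions; only "and" and "is" appear in the post.

```python
import xml.etree.ElementTree as ET

# The advanced exclusion from the answer above, embedded here as the sample rule.
RULE_XML = """<definition>
  <operations>
    <operation type="CodeInjection">
      <operator type="and">
        <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
        <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\\path\\app\\" />
      </operator>
    </operation>
  </operations>
</definition>"""

def _eval_node(node, event):
    """Evaluate an <operator>/<condition> element against an event dict keyed by
    (component, property). Case-insensitive compare is an assumption for Windows names."""
    if node.tag == "condition":
        if node.get("condition") != "is":  # "is" is the only condition in the post
            raise ValueError("unsupported condition: %r" % node.get("condition"))
        actual = event.get((node.get("component"), node.get("property")), "")
        return actual.lower() == node.get("value").lower()
    if node.tag == "operator":
        results = [_eval_node(child, event) for child in node]
        if node.get("type") == "and":
            return all(results)
        if node.get("type") == "or":  # assumed generalisation; only "and" is on the page
            return any(results)
    raise ValueError("unsupported element or operator: %r" % node.tag)

def exclusion_matches(rule_xml, op_type, event):
    """True if an <operation> of the given type excludes this detection event."""
    root = ET.fromstring(rule_xml)
    return any(all(_eval_node(c, event) for c in op)
               for op in root.iter("operation") if op.get("type") == op_type)

def sample_events():
    """Constructed detection events: one the rule should exclude, two it should not."""
    legit = {("CodeInjectionInfo", "CodeInjectionType"): "ApcQueue",
             ("FileItem", "FileName"): "PPWatcherSvc64.exe",
             ("FileItem", "Path"): "%PROGRAMFILES%\\path\\app\\"}
    # Same file name dropped elsewhere: the Path condition keeps it from being excluded.
    moved = {**legit, ("FileItem", "Path"): "C:\\Users\\Public\\"}
    # Same binary, a different (constructed) injection type: the type condition fails.
    other = {**legit, ("CodeInjectionInfo", "CodeInjectionType"): "OtherTechnique"}
    return {"legit": legit, "moved": moved, "other": other}
```

The "moved" case is why keeping the Path condition matters: without it, any binary carrying the same file name would be excluded wherever it runs.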
Jeffry (author), posted February 22, 2021

Thank you! I was so very very close 😄 I opted to post here so others could also learn from my inability to solve this 🙂
Jamil-soc, posted February 22, 2021

No problem! I'm glad I could help 😃
Lockbits, posted February 22, 2021

10 hours ago, Jamil-soc said:

> Hi Jeffry,
>
> Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion. Below is an example of an advanced exclusion to exclude code injection triggered by a legitimate process:
>
> <definition>
>   <operations>
>     <operation type="CodeInjection">
>       <operator type="and">
>         <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
>         <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
>         <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
>       </operator>
>     </operation>
>   </operations>
> </definition>
>
> Change the FileName and Path accordingly. As mentioned above, this is an example; you can add or remove some conditions if needed. Then select the rules being triggered and this should exclude the detections.
>
> I also noted that your location is the Netherlands. If you are looking for Dutch support or have any further questions please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket
>
> Best regards,

Hi,

Thank you for this tip. It solved some alerts that were caused by the Fortinet VPN client (fcdblog.exe) and I couldn't fix with the basic exclusion wizard.