Jump to content

Create exclusion for code injection rule

Jeffry
 Share
Go to solution Solved by Jamil-soc,

Recommended Posts

Jeffry

Jeffry 0

Posted
Posted

We are getting a lot of code injection detections because our mobile devices have PolicyPak (https://www.policypak.com/) installed. PolicyPak does code injection to be able to do it's "thing" and therefor we get loads of detections like this:

image.thumb.png.541f9d8672879a845d29f54bd4949316.png

 

Is there a way to make an exclusion for the injected process? So in our case we would like to make an exclusion if the injected process matches ppwatchersvc64.exe (or even better if the executable is signed by "PolicyPak, Inc.").

Link to comment
Share on other sites
  • Solution
Jamil-soc

Jamil-soc 4

Posted
  • Solution
Posted (edited)

Hi Jeffry,

 

Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion.

Below an example of an advanced exclusion to exclude code injection triggered by a legitimate process:

<definition>
            <operations>
                <operation type="CodeInjection">
                    <operator type="and">
                        <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
                        <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
                        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
                    </operator>
                </operation>
            </operations>
</definition>

 

Change the FileName and Path accordingly. As mentioned above, this is an example, you can add or remove some conditions if needed. Then Select the rules being triggered and this should exclude the detections.

I also noted that you location is the Netherlands. If you are looking for Dutch support or have any further questions please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket

Best regards,

Selection_122.png

Edited by Jamil-soc
Link to comment
Share on other sites
Lockbits

Lockbits 10

Posted
Posted
10 hours ago, Jamil-soc said:

Hi Jeffry,

 

Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion.

Below an example of an advanced exclusion to exclude code injection triggered by a legitimate process:

<definition>
            <operations>
                <operation type="CodeInjection">
                    <operator type="and">
                        <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
                        <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
                        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
                    </operator>
                </operation>
            </operations>
</definition>

 

Change the FileName and Path accordingly. As mentioned above, this is an example, you can add or remove some conditions if needed. Then Select the rules being triggered and this should exclude the detections.

I also noted that you location is the Netherlands. If you are looking for Dutch support or have any further questions please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket

Best regards,

Selection_122.png

Hi,

Thank you for this tip. It solved some alerts that were caused by Fortinet VPN client (fcdblog.exe) and I couldn't fixed with basic exclusion wizard.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...