Jeffry 0 Posted February 19 Share Posted February 19 We are getting a lot of code injection detections because our mobile devices have PolicyPak (https://www.policypak.com/) installed. PolicyPak does code injection to be able to do it's "thing" and therefor we get loads of detections like this: Is there a way to make an exclusion for the injected process? So in our case we would like to make an exclusion if the injected process matches ppwatchersvc64.exe (or even better if the executable is signed by "PolicyPak, Inc."). Quote Link to post Share on other sites
Solution Jamil-soc 3 Posted Monday at 10:06 AM Solution Share Posted Monday at 10:06 AM (edited) Hi Jeffry, Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion. Below an example of an advanced exclusion to exclude code injection triggered by a legitimate process: <definition> <operations> <operation type="CodeInjection"> <operator type="and"> <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" /> <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" /> <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" /> </operator> </operation> </operations> </definition> Change the FileName and Path accordingly. As mentioned above, this is an example, you can add or remove some conditions if needed. Then Select the rules being triggered and this should exclude the detections. I also noted that you location is the Netherlands. If you are looking for Dutch support or have any further questions please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket Best regards, Edited Monday at 10:06 AM by Jamil-soc MichalJ and Jeffry 2 Quote Link to post Share on other sites
Jeffry 0 Posted Monday at 12:32 PM Author Share Posted Monday at 12:32 PM Thank you! I was so very very close 😄 I opted to post here so others could also learn from my inability to solve this 🙂 Quote Link to post Share on other sites
Jamil-soc 3 Posted Monday at 01:45 PM Share Posted Monday at 01:45 PM No problem! I'm glad I could help 😃 Quote Link to post Share on other sites
Lockbits 0 Posted Monday at 09:06 PM Share Posted Monday at 09:06 PM 10 hours ago, Jamil-soc said: Hi Jeffry, Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion. Below an example of an advanced exclusion to exclude code injection triggered by a legitimate process: <definition> <operations> <operation type="CodeInjection"> <operator type="and"> <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" /> <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" /> <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" /> </operator> </operation> </operations> </definition> Change the FileName and Path accordingly. As mentioned above, this is an example, you can add or remove some conditions if needed. Then Select the rules being triggered and this should exclude the detections. I also noted that you location is the Netherlands. If you are looking for Dutch support or have any further questions please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket Best regards, Hi, Thank you for this tip. It solved some alerts that were caused by Fortinet VPN client (fcdblog.exe) and I couldn't fixed with basic exclusion wizard. Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.