Create exclusion for code injection rule


Solved by Jamil-soc

We are getting a lot of code injection detections because our mobile devices have PolicyPak (https://www.policypak.com/) installed. PolicyPak does code injection to be able to do its "thing" and therefore we get loads of detections like this:


Is there a way to make an exclusion for the injected process? So in our case we would like to make an exclusion if the injected process matches ppwatchersvc64.exe (or even better if the executable is signed by "PolicyPak, Inc.").

Solution

Hi Jeffry,


Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion.

Below an example of an advanced exclusion to exclude code injection triggered by a legitimate process:

<definition>
    <operations>
        <operation type="CodeInjection">
            <operator type="and">
                <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
                <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
                <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
            </operator>
        </operation>
    </operations>
</definition>


Change the FileName and Path accordingly. As mentioned above, this is an example; you can add or remove some conditions if needed. Then select the rules being triggered and this should exclude the detections.

I also noted that your location is the Netherlands. If you are looking for Dutch support or have any further questions, please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket

Best regards,


Edited by Jamil-soc
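To see what an exclusion of this shape actually silences, here is a small matcher added for illustration (it is not ESET's code and does not reproduce ESET Inspect's engine). It evaluates the definition above against constructed code-injection events and assumes that "is" is a case-insensitive exact string match and that "and"/"or" operators combine their child conditions; the second event shows that the Path condition keeps a same-named binary in another directory from being excluded.

```python
# Added illustration (not ESET's engine): evaluates an advanced-exclusion
# definition of the shape shown above against constructed events.
import xml.etree.ElementTree as ET

EXCLUSION_XML = r"""<definition>
  <operations>
    <operation type="CodeInjection">
      <operator type="and">
        <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
        <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
      </operator>
    </operation>
  </operations>
</definition>"""

def _eval(node, event):
    """Evaluate an <operator> or <condition> element against an event.
    Assumption: 'is' = case-insensitive exact match; 'and'/'or' combine children."""
    if node.tag == "condition":
        if node.get("condition") != "is":
            raise ValueError(f"unsupported condition {node.get('condition')!r}")
        actual = event.get(node.get("component"), {}).get(node.get("property"))
        return actual is not None and actual.lower() == node.get("value").lower()
    if node.tag == "operator":
        results = [_eval(child, event) for child in node]
        return all(results) if node.get("type") == "and" else any(results)
    raise ValueError(f"unexpected element <{node.tag}>")

def exclusion_matches(xml_text, event):
    """True if the event (dict: component -> property -> value) would be excluded."""
    root = ET.fromstring(xml_text)
    for op in root.iter("operation"):
        if op.get("type") == event["type"] and all(_eval(c, event) for c in op):
            return True
    return False

# Constructed sample events (not real telemetry).
LEGIT_EVENT = {"type": "CodeInjection",
    "CodeInjectionInfo": {"CodeInjectionType": "ApcQueue"},
    "FileItem": {"FileName": "ppwatchersvc64.exe", "Path": "%PROGRAMFILES%\\path\\app\\"}}
# Same file name launched from a user-writable directory: the Path condition
# fails, so this detection is still raised. That is why Path is worth keeping.
IMPOSTOR_EVENT = {"type": "CodeInjection",
    "CodeInjectionInfo": {"CodeInjectionType": "ApcQueue"},
    "FileItem": {"FileName": "ppwatchersvc64.exe", "Path": "%TEMP%\\"}}

if __name__ == "__main__":
    print(exclusion_matches(EXCLUSION_XML, LEGIT_EVENT))     # True
    print(exclusion_matches(EXCLUSION_XML, IMPOSTOR_EVENT))  # False
```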
Hi,

Thank you for this tip. It solved some alerts that were caused by the Fortinet VPN client (fcdblog.exe) and that I couldn't fix with the basic exclusion wizard.
