stanley783
Posted June 6, 2022

Hi, I'm trying to create an exclusion for the alert "AntiVirus Enumeration via WMI query [E1119]", configuring the query and (ideally) also the invoking process, which is pangphip.exe in this case. Below is the query I tried, but it does not work (this syntax works for the CodeInjection operation type but not for WmiQuery). If I remove the FileItem condition, leaving only the Query condition, it works. The process is svchost.exe and the parent is services.exe; other ancestors are purged. Any idea how to change the syntax to state what I need? Thanks.

    <definition>
      <operations>
        <operation type="WmiQuery">
          <operator type="and">
            <condition component="WmiQueryInfo" property="Query" condition="contains" value="select displayname,instanceguid,productstate,timestamp from antivirusproduct" />
            <condition component="FileItem" property="FileName" condition="is" value="pangphip.exe" />
          </operator>
        </operation>
      </operations>
    </definition>
JamesR (ESET Staff)
Posted June 6, 2022 (marked as Solution)

I made a tiny adjustment to your exclusion; can you try the one below to see if it works? In short, I changed "FileItem" to "ClientFileItem".

    <definition>
      <operations>
        <operation type="WmiQuery">
          <operator type="and">
            <condition component="WmiQueryInfo" property="Query" condition="contains" value="select displayname,instanceguid,productstate,timestamp from antivirusproduct" />
            <condition component="ClientFileItem" property="FileName" condition="is" value="pangphip.exe" />
          </operator>
        </operation>
      </operations>
    </definition>
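The fix in the answer above comes down to one attribute value that is easy to get wrong when copying an exclusion between operation types. The following is an added example, not code from the thread or from ESET: a small lint-and-fix script that parses an ESET Inspect exclusion definition and flags a FileName condition inside a WmiQuery operation that uses FileItem instead of ClientFileItem. The component-per-operation table is an assumption built only from what the two posts state (ClientFileItem for WmiQuery; FileItem reported working for CodeInjection); the two sample definitions are reconstructed from the posts. Unknown operation types are left alone rather than guessed at.

```python
"""Lint ESET Inspect exclusion XML for the FileItem / ClientFileItem mix-up.

Added example, not ESET's own code. It encodes only what the thread shows:
inside a WmiQuery operation the invoking process is matched with the
ClientFileItem component, while the poster reports FileItem working for
CodeInjection. Any other operation type is skipped, not judged.
"""
import xml.etree.ElementTree as ET

# Assumption: which component carries the process file name for a given
# operation type. Only the two entries mentioned in the thread are listed.
PROCESS_COMPONENT_BY_OPERATION = {
    "WmiQuery": "ClientFileItem",
    "CodeInjection": "FileItem",
}

# Constructed sample: the original (non-working) exclusion from the question.
ORIGINAL_XML = """<definition>
  <operations>
    <operation type="WmiQuery">
      <operator type="and">
        <condition component="WmiQueryInfo" property="Query" condition="contains" value="select displayname,instanceguid,productstate,timestamp from antivirusproduct" />
        <condition component="FileItem" property="FileName" condition="is" value="pangphip.exe" />
      </operator>
    </operation>
  </operations>
</definition>"""

# Constructed sample: the corrected exclusion from the answer.
FIXED_XML = ORIGINAL_XML.replace('component="FileItem"', 'component="ClientFileItem"')


def lint_exclusion(xml_text: str) -> list[str]:
    """Return a list of human-readable problems; an empty list means clean."""
    root = ET.fromstring(xml_text)
    if root.tag != "definition":
        return [f"root element is <{root.tag}>, expected <definition>"]

    problems = []
    for op in root.iter("operation"):
        op_type = op.get("type")
        expected = PROCESS_COMPONENT_BY_OPERATION.get(op_type)
        if expected is None:
            continue  # operation type not covered by the thread: no opinion
        # Walk every condition under this operation, however it is nested
        # inside <operator> elements, and check only FileName conditions.
        for cond in op.iter("condition"):
            if cond.get("property") != "FileName":
                continue
            component = cond.get("component")
            if component != expected:
                problems.append(
                    f'operation "{op_type}": FileName condition uses component '
                    f'"{component}", expected "{expected}"'
                )
    return problems


def fix_exclusion(xml_text: str) -> str:
    """Rewrite mismatched process components in place and return new XML."""
    root = ET.fromstring(xml_text)
    for op in root.iter("operation"):
        expected = PROCESS_COMPONENT_BY_OPERATION.get(op.get("type"))
        if expected is None:
            continue
        for cond in op.iter("condition"):
            if cond.get("property") == "FileName" and cond.get("component") != expected:
                cond.set("component", expected)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, xml_text in (("original", ORIGINAL_XML), ("fixed", FIXED_XML)):
        print(label, lint_exclusion(xml_text) or "OK")
    print(fix_exclusion(ORIGINAL_XML))
```

Run it as-is to see the original definition flagged and the corrected one pass; drop your own exported exclusion into `ORIGINAL_XML` to lint it before importing. Because the table only knows the mappings the thread confirms, the script stays silent on operation types it has no evidence for instead of inventing a rule.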