Posted

Hi,

Trying to create an exclusion for the alert "AntiVirus Enumeration via WMI query [E1119]", configuring the query and (ideally) also the invoking process, which is pangphip.exe in this case. Below is the query I tried, but it does not work (this syntax works for the CodeInjection operation type but not for WmiQuery). If I remove the FileItem condition, leaving only the Query condition, it works. The process is svchost.exe and the parent is services.exe; other ancestors are purged. Any idea how to change the syntax to the state I need? Thanks.

<definition>
    <operations>
        <operation type="WmiQuery">
            <operator type="and">
                <condition component="WmiQueryInfo" property="Query" condition="contains" value="select displayname,instanceguid,productstate,timestamp from antivirusproduct" />
                <condition component="FileItem" property="FileName" condition="is" value="pangphip.exe" />
            </operator>
        </operation>
    </operations>
</definition>


  • ESET Staff
  • Solution
Posted

I made a tiny adjustment to your exclusion. Can you try the below to see if it works? In short, I changed "FileItem" to "ClientFileItem".

<definition>
    <operations>
        <operation type="WmiQuery">
            <operator type="and">
                <condition component="WmiQueryInfo" property="Query" condition="contains" value="select displayname,instanceguid,productstate,timestamp from antivirusproduct" />
                <condition component="ClientFileItem" property="FileName" condition="is" value="pangphip.exe" />
            </operator>
        </operation>
    </operations>
</definition>

 
