stanley783 0 Posted June 6, 2022 Share Posted June 6, 2022 Hi, trying to create exclusion for alert "AntiVirus Enumeration via WMI query [E1119]", configuring query and (ideally) also invoking process which is pangphip.exe in this case. Below is query i tried but it does not work (this syntax works for CodeInjection operation type but not for WmiQuery). If i remove FileItem condition, leaving only Query condition, it works. Process is svchost.exe and parent is services.exe, other ancestors are purged. Any idea how to change syntax to state i need? Thanks. <definition> <operations> <operation type="WmiQuery"> <operator type="and"> <condition component="WmiQueryInfo" property="Query" condition="contains" value="select displayname,instanceguid,productstate,timestamp from antivirusproduct" /> <condition component="FileItem" property="FileName" condition="is" value="pangphip.exe" /> </operator> </operation> </operations> </definition> Link to comment Share on other sites More sharing options...
ESET Staff Solution JamesR 52 Posted June 6, 2022 ESET Staff Solution Share Posted June 6, 2022 I made a tiny adjustment to your exclusion, can you try the below to see if it works? In short, I changed "FileItem" to "ClientFileItem". <definition> <operations> <operation type="WmiQuery"> <operator type="and"> <condition component="WmiQueryInfo" property="Query" condition="contains" value="select displayname,instanceguid,productstate,timestamp from antivirusproduct" /> <condition component="ClientFileItem" property="FileName" condition="is" value="pangphip.exe" /> </operator> </operation> </operations> </definition> stanley783 1 Link to comment Share on other sites More sharing options...
stanley783 0 Posted June 7, 2022 Author Share Posted June 7, 2022 Yes, that worked. Thank you very much. Link to comment Share on other sites More sharing options...
Recommended Posts