Creating exclusions for two rules with two different operations in exclusion


Solved by JamesR

Hello,

 

I would like to ask, if I want to create an exclusion for two different rules that have different trigger events, let's say I would like to add into exclusion CodeInjection for rule [F0413b][C] and for rule [D1206] I would like to add trigger event DllLoaded into exclusion. Is it possible to add two operations like this into the exclusions?


  • ESET Staff

I would not recommend this. When you create an advanced exclusion, which will use an <operation type="...">, you should have it match the operation type of the triggering event. If you try to use an exclusion with a "DllLoad" operation and apply the exclusion to a rule which is looking for "CodeInjection", your exclusion will not work as expected. In short, mixing and matching different operations in an exclusion can break your exclusion.

 

Also, it appears you may be using an older version of our On Premise solution. I would recommend upgrading when you can. The rule tag "[F0413b][C]" is outdated and has been replaced with "[F0413b]".


Thank you for your response. So the conclusion of it is to separate them and create one exclusion for [F0413b][C] and one exclusion for [D1206]? Just to be sure. And thank you for the update reminder... I know about it.


  • ESET Staff
  • Solution
1 minute ago, Michael002 said:

Thank you for your response. So the conclusion of it is to separate them and create one exclusion for [F0413b][C] and one exclusion for [D1206]? Just to be sure. And thank you for the update reminder... I know about it.

Correct. It's best to separate into 2 different exclusions.

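As an added example (not part of the thread and not ESET code), here is a small pre-deployment check of the advice above: it flags any exclusion that mixes operation types or whose operation type differs from the triggering event of the rule it targets. The rule-to-trigger mapping uses the names exactly as written in the thread, and the `<exclusions>`/`<exclusion rules="...">` wrapper is a hypothetical simplification, not the product's schema.

```python
import xml.etree.ElementTree as ET

# Rule tag -> operation type of its triggering event, as named in the thread.
RULE_TRIGGER = {"F0413b": "CodeInjection", "D1206": "DllLoaded"}

# Constructed samples. Only <operation type="..."> appears in the thread; the
# <exclusions>/<exclusion rules="..."> wrapper is a hypothetical stand-in.
COMBINED = """<exclusions>
  <exclusion rules="F0413b,D1206">
    <operation type="CodeInjection"/>
    <operation type="DllLoaded"/>
  </exclusion>
</exclusions>"""

SEPARATE = """<exclusions>
  <exclusion rules="F0413b"><operation type="CodeInjection"/></exclusion>
  <exclusion rules="D1206"><operation type="DllLoaded"/></exclusion>
</exclusions>"""

def lint_exclusions(xml_text, rule_trigger=RULE_TRIGGER):
    """Return (exclusion_index, problem, detail) for every exclusion whose
    operation types do not line up with the rules it is applied to."""
    findings = []
    for idx, excl in enumerate(ET.fromstring(xml_text).iter("exclusion"), 1):
        rules = [r.strip() for r in excl.get("rules", "").split(",") if r.strip()]
        ops = {op.get("type") for op in excl.iter("operation")}
        # More than one operation type in a single exclusion is the pattern
        # the staff answer advises against.
        if len(ops) > 1:
            findings.append((idx, "mixed-operations", ",".join(sorted(ops))))
        for rule in rules:
            trigger = rule_trigger.get(rule)
            if trigger is None:
                findings.append((idx, "unknown-rule", rule))
            elif ops and ops != {trigger}:
                findings.append((idx, "operation-mismatch", f"{rule} triggers on {trigger}"))
    return findings

if __name__ == "__main__":
    for name, doc in (("combined", COMBINED), ("separate", SEPARATE)):
        print(name, lint_exclusions(doc) or "ok")
```
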
