Princely
Apr 07, 2022
Copper Contributor
Adding ASR rule exclusions based on command line
Hello, I was wondering if it is possible to exclude a process from being blocked if a specific file is observed in its command line? We have a situation where the ''AsrPsexecWmiChildProcessAudi...
yongrheemsft
Microsoft
Apr 12, 2022
Princely, have you looked at submitting a FP to aka.ms/WDSI? Click on "ASR rules & network protection feedback" -> "Attack surface reduction rules" -> "Enterprise customer" -> "Continue" -> click on "Accept" (to the EULA) -> Fill in the info and submit.
Thank you,
Yong
Princely
Apr 18, 2022
Copper Contributor
yongrheemsft
Thanks for the suggestion.
I am not sure which file should be uploaded to aka.ms/WDSI, as the process observed, i.e. msiexec.exe, is too generic to be whitelisted and the installer file "xxx.msi" doesn't show up as a child process in this activity (it only shows up in the ProcessCommandLine for msiexec.exe). So I don't see how submitting "xxx.msi" as a false positive would stop triggering the "AsrPsexecWmiChildProcessAudited" event.
Regards,
Princely Dmello