Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KAV exclusion #190

Open
PiRomant opened this issue Nov 3, 2023 · 0 comments
Open

KAV exclusion #190

PiRomant opened this issue Nov 3, 2023 · 0 comments

Comments

@PiRomant
Copy link

PiRomant commented Nov 3, 2023

A lot of flood by

Process accessed:
RuleName: technique_id=T1055,technique_name=Process Injection
SourceImage: C:\Program Files (x86)\Kaspersky Lab\KES.12.2.0\avp.exe

It would be better to exclude directory C:\Program Files (x86)\Kaspersky Lab\, because various Kaspersky Lab security tools are located there.

C:\Program Files (x86)\Kaspersky Lab\KES.12.2.0
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Windows Server
C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent
C:\Program Files (x86)\Kaspersky Lab\NetworkAgent

I also suggest changing the path here too:

sysmon-modular/12_13_14_registry_event/exclude_kaspersky_lab_internet_security.xml

Lines 5 to 6 in a9ff298

<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security </Image>
<Image condition="begin with">C:\Program Files\Kaspersky Lab\Kaspersky Internet Security </Image>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@PiRomant