Exploit Mitigation custom exclusion

How can I add a new custom application to the exceptions?

This does not seem to help or it is not clear what will happen with the path that I add manually:

I was looking for something like this:

Need to add ROP exclusion for this not so useful detection of unknown root cause.


Detection name: ROP
Root cause:  Could not find root cause
Possible data involved: no business files

Edited TAGs
[edited by: Gladys at 3:10 PM (GMT -8) on 19 Jan 2023]
  • when you add a path manually, this ends up in the config for the hmaplert.sys driver such that it no longer injects the hmplaert.dll into the process when it is created.

    So after setting the path exclusion, the process would need to restart to not be injected into.


    Will create on the client:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalert the multi_sz reg value PolicyInjectionExclusions which will include:

    c:\program files (x86)\test\test1.exe
    c:\program files\test\test1.exe

    Next time test1.exe starts from the above locations, if it's a 32-bit process: C:\windows\syswow64\hmaplert.dll will not be injected into it.  If it's a 64-bit process C:\windows\system32\hmaplert.dll will not.

  • great explanation! Thank you.

    My mistake was, I forgot to disable the blue toggle below:

    Now it's there.

    and i can see the whitelisted items in the reg key you mentioned!