This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exploit Mitigation custom exclusion

How can I add a new custom application to the exceptions?

This does not seem to help or it is not clear what will happen with the path that I add manually:

I was looking for something like this:

Need to add ROP exclusion for this not so useful detection of unknown root cause.

Summary

Detection name: ROP
Root cause:  Could not find root cause
Possible data involved: no business files


This thread was automatically locked due to age.
  • when you add a path manually, this ends up in the config for the hmaplert.sys driver such that it no longer injects the hmplaert.dll into the process when it is created.

    So after setting the path exclusion, the process would need to restart to not be injected into.

    So:

    Will create on the client:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalert the multi_sz reg value PolicyInjectionExclusions which will include:

    c:\program files (x86)\test\test1.exe
    c:\program files\test\test1.exe

    Next time test1.exe starts from the above locations, if it's a 32-bit process: C:\windows\syswow64\hmaplert.dll will not be injected into it.  If it's a 64-bit process C:\windows\system32\hmaplert.dll will not.

  • great explanation! Thank you.

    My mistake was, I forgot to disable the blue toggle below:

    Now it's there.

    and i can see the whitelisted items in the reg key you mentioned!