
Exploit Mitigation custom exclusion

How can I add a new custom application to the exceptions?

This does not seem to help or it is not clear what will happen with the path that I add manually:

I was looking for something like this:

Need to add ROP exclusion for this not so useful detection of unknown root cause.

Summary

Detection name: ROP
Root cause:  Could not find root cause
Possible data involved: no business files


This thread was automatically locked due to age.
  • When you add a path manually, this ends up in the config for the hmpalert.sys driver such that it no longer injects the hmpalert.dll into the process when it is created.

    So after setting the path exclusion, the process would need to restart to not be injected into.

    So:

    Will create on the client:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalert the multi_sz reg value PolicyInjectionExclusions which will include:

    c:\program files (x86)\test\test1.exe
    c:\program files\test\test1.exe

    Next time test1.exe starts from the above locations, if it's a 32-bit process: C:\windows\syswow64\hmpalert.dll will not be injected into it. If it's a 64-bit process, C:\windows\system32\hmpalert.dll will not.
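
To check on a client what the reply above describes, this PowerShell sketch (an added example, not part of the original thread and not Sophos tooling) reads `PolicyInjectionExclusions` and reports whether running instances of the executable still have the DLL loaded and so need a restart. The function names and the exact, case-insensitive path match are assumptions; the key, value name and sample path come from the thread, and the DLL name is spelled to match the service key.

```powershell
# Added example. Run elevated so process modules can be read.
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\hmpalert'   # from the thread
$Value = 'PolicyInjectionExclusions'                          # REG_MULTI_SZ, from the thread
$Dll   = 'hmpalert.dll'                                       # spelled like the service key

function Get-ExcludedPaths {
    # A REG_MULTI_SZ value is returned as a string array; a missing value yields nothing.
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$Value | Where-Object { $_ })
}

function Get-InjectionState {
    param([Parameter(Mandatory)][string]$ExePath)

    # Assumption: entries are full paths compared exactly (-contains ignores case).
    $excluded = (Get-ExcludedPaths) -contains $ExePath
    $procs    = @(Get-Process | Where-Object { $_.Path -eq $ExePath })

    if ($procs.Count -eq 0) {
        # Nothing running: the exclusion applies at the next start of the process.
        return [pscustomobject]@{ ExePath = $ExePath; ProcessId = $null
                                  Excluded = $excluded; DllLoaded = $null; NeedsRestart = $false }
    }
    foreach ($p in $procs) {
        try {
            # Note: 64-bit Windows PowerShell may not list the 32-bit modules of a
            # 32-bit process; use the 32-bit PowerShell host for those.
            $loaded = [bool]($p.Modules | Where-Object { $_.ModuleName -eq $Dll })
        } catch {
            $loaded = $null   # access denied or the process exited
        }
        [pscustomobject]@{
            ExePath      = $ExePath
            ProcessId    = $p.Id
            Excluded     = $excluded
            DllLoaded    = $loaded
            # Excluded but still injected: started before the exclusion was applied.
            NeedsRestart = ($excluded -and ($loaded -eq $true))
        }
    }
}

# Sample path from the thread
Get-InjectionState -ExePath 'c:\program files\test\test1.exe' | Format-Table -AutoSize
```

A row with `Excluded = True` and `DllLoaded = True` is a process that was created before the exclusion reached the client and has not yet been restarted.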
