
How do the 3 exclusions for Exploit Mitigation work?

I mean there are 3 places where an exclusion for mitigation can be applied:

1. Inside Base Policy, Add Exclusion, select Detected Exploit

2. Inside Settings, Exploit Mitigation Exclusion

3. Inside Settings, General Scanning Exclusion, again Add Exclusion, select Detected Exploit

It seems they are 3 different layers.

Which is the hierarchy?

Who wins?



I'll try and answer this. I'm going to change your order here as well:

In order of applicable settings:

1) Exploit Mitigation Exclusion - This excludes the application from any detections from Intercept X. It stops Intercept X loading on the process much earlier than the other methods.

2) Both the policy Detected Exploit exclusion and the global General Scanning exclusion apply at the same time, as the two are merged when sent out to endpoints in the policy. The key difference is that these exclusions are specific to the application, trigger, and type of detection. This means that if you are getting a detection for, say, LoadLib on Internet Explorer, and exclude it via this method, then later have a Lockdown detection, it will still trigger the Lockdown detection.

So it is recommended to use a Detected Exploit exclusion, as this is much more specific, and is the narrowest opening possible to add an exclusion. Additionally, not all software will be available for selection in Exploit Mitigation Exclusions, as only certain software configurations are detected for this list.

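A small Python model of the hierarchy described in the answer above, added here as an illustration and not Sophos code: the class names, function names, process names and detection names are assumptions. It shows layer 1 (Exploit Mitigation Exclusion) being checked first and suppressing every detection type for the application, and layer 2 as the merged policy plus global Detected Exploit list that matches only on application and detection type.

```python
# Added example: model of the exclusion hierarchy described in the answer above.
# Class and function names, sample process names and detection names are
# assumptions for illustration, not Sophos Central's own API or data format.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DetectedExploitExclusion:
    """Narrow exclusion: one application plus one detection type (e.g. LoadLib)."""
    application: str
    detection_type: str


@dataclass
class EndpointExclusions:
    # Layer 1: Exploit Mitigation Exclusions. Intercept X does not load into
    # the process, so every detection type is suppressed for that application.
    exploit_mitigation: set = field(default_factory=set)
    # Layer 2: policy Detected Exploit and global General Scanning detected
    # exploit exclusions, merged into one list when sent to the endpoint.
    detected_exploit: set = field(default_factory=set)


def build_endpoint_exclusions(policy_detected, global_detected, mitigation):
    """Merge what the endpoint receives: both detected-exploit lists are unioned."""
    merged = {DetectedExploitExclusion(a.lower(), t) for a, t in policy_detected}
    merged |= {DetectedExploitExclusion(a.lower(), t) for a, t in global_detected}
    return EndpointExclusions({a.lower() for a in mitigation}, merged)


def is_excluded(excl, application, detection_type):
    """Return (excluded, reason), checking the broad layer before the narrow one."""
    app = application.lower()
    if app in excl.exploit_mitigation:
        return True, "exploit mitigation exclusion: all Intercept X detections suppressed"
    if DetectedExploitExclusion(app, detection_type) in excl.detected_exploit:
        return True, "detected exploit exclusion: this application and detection type only"
    return False, "no matching exclusion: detection fires"


if __name__ == "__main__":
    # Constructed sample configuration mirroring the Internet Explorer case above.
    excl = build_endpoint_exclusions(
        policy_detected=[("iexplore.exe", "LoadLib")],
        global_detected=[("winword.exe", "APC")],
        mitigation={"legacyapp.exe"},
    )
    for app, kind in [("iexplore.exe", "LoadLib"), ("iexplore.exe", "Lockdown"),
                      ("legacyapp.exe", "Lockdown"), ("winword.exe", "APC")]:
        print(app, kind, is_excluded(excl, app, kind))
```

Running it shows the LoadLib exclusion on iexplore.exe leaving a later Lockdown detection active, while the application under a mitigation exclusion is silent for every type.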