Custom Exclusion/White list for Script Control
05-04-2022 12:09 AM
Hi,
I have a couple of questions:
1> In the Script Control section of the policy.xml file there is an option to exclude certain processes or whitelist a folder, however I couldn't find where to configure these settings in the Secure Endpoint console. How can we configure these settings?
2> Is there a list of file types that are monitored for Execute handle? I tried blocking the execution of a .exe and .msi file using detection lists; the .exe file was blocked and quarantined, but the .msi file executed.
Thanks,
Alex
Labels: AMP for Endpoints, Endpoint Security
05-16-2022 05:49 AM - edited 05-16-2022 06:21 AM
Hello Alex,
Regarding question 1, my experience has been those exclusions in the policy.xml file have to be developed and tested with TAC and then are deployed by the Cisco backend team to your entire environment. These are not user configurable. I recently had a TAC case because of a false positive detection involving the Exploit Prevention Script Control during the installation of one specific application.
During that case what I learned was that the Script Control rules are made up of two components. The first entry in the rule is the executable name. Following that is a list of DLLs whose use by that executable Script Control is monitoring.
In the example below Script Control is monitoring "WINWORD.EXE" for the use of the following DLLs: "wbemdisp.dll", "System.Management.Automation.dll", and "System.Management.Automation.ni.dll".
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <Object Id="obj-XXXXXXXXXX">
    <config type="policy">
      <exprev>
        <v5>
          <script_control>
            <rule>WINWORD.EXE|wbemdisp.dll|System.Management.Automation.dll|System.Management.Automation.ni.dll</rule>
          </script_control>
        </v5>
      </exprev>
    </config>
  </Object>
</Signature>
Modification to the Script Control rules means removing the monitoring for the executable's use of that DLL. You cannot, for instance, allow-list a specific Microsoft Word document to launch a script; you would have to remove the monitoring for Microsoft Word launching a DLL that launches a script from your entire organization.
Hope that helps with your first question.

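Added example, not from the reply above or from Cisco: a small Python audit script that parses <script_control> rules in the "EXECUTABLE|dll|dll|..." format described in the reply and reports which DLLs each executable is monitored for, so a defender can check what a policy actually covers before asking TAC for a change. The embedded policy excerpt is constructed and modelled on the posted snippet; the <exprev> wrapper, the placeholder Object Id and the second EXCEL.EXE rule are assumptions.

```python
"""Audit Script Control rules in a Cisco Secure Endpoint policy.xml excerpt."""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the excerpt in the reply above. The <exprev>
# wrapper, the placeholder Id and the EXCEL.EXE rule are assumptions.
SAMPLE_POLICY = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <Object Id="obj-PLACEHOLDER">
    <config type="policy">
      <exprev>
        <v5>
          <script_control>
            <rule>WINWORD.EXE|wbemdisp.dll|System.Management.Automation.dll|System.Management.Automation.ni.dll</rule>
            <rule>EXCEL.EXE|wbemdisp.dll</rule>
          </script_control>
        </v5>
      </exprev>
    </config>
  </Object>
</Signature>"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def parse_script_control(xml_text):
    """Return {EXECUTABLE: [dll, ...]} for every <rule> under <script_control>."""
    root = ET.fromstring(xml_text)
    rules = {}
    for elem in root.iter():
        if _local(elem.tag) != "script_control":
            continue
        for rule in elem:
            if _local(rule.tag) != "rule" or not rule.text:
                continue
            parts = [p.strip() for p in rule.text.split("|") if p.strip()]
            if len(parts) < 2:  # an executable with no DLL list monitors nothing
                continue
            rules.setdefault(parts[0].upper(), []).extend(parts[1:])
    return rules


def is_monitored(rules, exe, dll):
    """True if Script Control watches `exe` loading `dll` (case-insensitive)."""
    return dll.lower() in (d.lower() for d in rules.get(exe.upper(), []))


if __name__ == "__main__":
    for exe, dlls in sorted(parse_script_control(SAMPLE_POLICY).items()):
        print(f"{exe}: {', '.join(dlls)}")
```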
11-28-2022 03:05 AM
Are you able to block MSI files?

01-02-2023 01:02 AM
Has anyone managed to block MSI files?
