We have a message in the Event Log about a Kernel functionality being modified by the module:
\\??\Windows\system32\drivers\mkbd.sys is monitoring the keyboard.
Any idea what the "??" mean? We can't use the wizard to tune it.
Thanks in advance.
Thanks for the reply.
When we try to whitelist via the Wizard the CSAMC throws an error and doesn't allow this operation to procede.
I am opening a TAC case and will post results.
You could manually write a rule using **\Windows\system32\drivers\mkbd.sys as a definition for the application. I suspect that @system would work as well. Just create an application class and add that as an exception to the triggering rule.