CSA wizard for API events

This is just an FYI.

If you use the wizard to generate an exception rule for API events, sometimes the pattern created isn't correct. For example, you have an ASP.NET application that trips this event:

TESTMODE: The process 'C:\WINDOWS\system32\inetsrv\w3wp.exe' (as user NT AUTHORITY\NETWORK SERVICE) attempted to access a resource which would have resulted in the user being asked the following question. 'The process C:\WINDOWS\system32\inetsrv\w3wp.exe is attempting to invoke a system function from a buffer. Do you wish to allow this?'

And the wizard excludes this pattern:

f643001f7510897b0883c4145f5e5b*\CreateThread\**\CreateThread

You will need to remove the 2nd CreateThread at the end so it looks like this:

f643001f7510897b0883c4145f5e5b*\CreateThread\**

I don't know if this is a bug in the API rules themselves, or in the wizard itself. It only seems to be a problem when it's duplicated - if it shows a destination file or another value, then it works fine as-is. Hope this helps someone.

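To show why the trailing `\CreateThread` stops the wizard's pattern from ever covering the event, here is an added Python simulation of the two patterns against sample resource strings. It is not CSA's own matcher: the wildcard semantics, the `42` tail on the hash and the destination path are assumptions made for the illustration.

```python
import re

# Constructed sample resource strings in the shape the post describes:
# <module hash>\<API name>[\<destination value>]. The hash prefix is the one
# from the post; the "42" tail and the destination path are made up.
RESOURCE_BARE = r"f643001f7510897b0883c4145f5e5b42\CreateThread"
RESOURCE_WITH_DEST = r"f643001f7510897b0883c4145f5e5b42\CreateThread\C:\app\bin\helper.dll"

# The pattern the wizard generated and the hand-corrected one from the post.
WIZARD_PATTERN = r"f643001f7510897b0883c4145f5e5b*\CreateThread\**\CreateThread"
FIXED_PATTERN = r"f643001f7510897b0883c4145f5e5b*\CreateThread\**"


def pattern_to_regex(pattern: str) -> str:
    """Translate a CSA-style wildcard pattern into an anchored regex.

    Assumed semantics (not taken from CSA documentation):
      '\\**' -> an optional suffix of further backslash-separated components
      '**'   -> any run of characters, backslashes included
      '*'    -> any run of characters without a backslash
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("\\**", i):
            parts.append(r"(\\.*)?")
            i += 3
        elif pattern.startswith("**", i):
            parts.append(r".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def matches(pattern: str, resource: str) -> bool:
    """True when the exception pattern would cover the event's resource."""
    return re.fullmatch(pattern_to_regex(pattern), resource, re.IGNORECASE) is not None


def check_patterns() -> dict:
    """Evaluate both patterns against both sample events."""
    return {
        "wizard_bare": matches(WIZARD_PATTERN, RESOURCE_BARE),
        "fixed_bare": matches(FIXED_PATTERN, RESOURCE_BARE),
        "wizard_dest": matches(WIZARD_PATTERN, RESOURCE_WITH_DEST),
        "fixed_dest": matches(FIXED_PATTERN, RESOURCE_WITH_DEST),
    }


if __name__ == "__main__":
    for name, hit in check_patterns().items():
        print(f"{name}: {'covered' if hit else 'NOT covered'}")
```

Under these assumed semantics the wizard's pattern demands a second `\CreateThread` component that the event never carries, so the exception silently fails to fire, while the trimmed pattern covers both the bare event and one with a trailing destination value.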