Environment
- EDR Server: 7.6.1 and higher
- EDR Windows Sensor: 7.3.0 and higher
Question
Why are events continuing to appear after Windows exclusions have been added to the sensor group?
Answer
- This is expected. The Regmods, Filemods and Modloads totals should be blank for the event, but each process's create, terminate and child messages are still sent to the server for data integrity and a comprehensive tree view.
- If excluded Events appear with Regmods, Filemods and/or Modloads, check the executable path provided for case sensitivity and spelling.
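The check described above can be scripted over exported process events. This is an added example, not vendor code: the field names (`path`, `regmod_count`, `filemod_count`, `modload_count`), the paths and the sample records are constructed assumptions, and it assumes exclusion paths are matched exactly and case-sensitively, as the answer implies.

```python
import difflib

ACTIVITY_FIELDS = ("regmod_count", "filemod_count", "modload_count")

def classify(event, exclusions):
    """Triage one process event against the configured exclusion paths.

    Returns (verdict, exclusion_path_or_None).
    """
    path = event["path"]
    # Create/terminate/child messages with blank totals are the expected case.
    if not any(event.get(f, 0) for f in ACTIVITY_FIELDS):
        return ("expected", None)
    # Activity was reported even though the path matches character for character.
    if path in exclusions:
        return ("matches_exclusion", path)
    by_lower = {e.lower(): e for e in exclusions}
    # Same path, different letter case: the exclusion never matched.
    if path.lower() in by_lower:
        return ("case_mismatch", by_lower[path.lower()])
    # Near miss: likely a spelling error in the configured exclusion.
    near = difflib.get_close_matches(path.lower(), list(by_lower), n=1, cutoff=0.9)
    if near:
        return ("possible_typo", by_lower[near[0]])
    return ("not_excluded", None)

# Constructed sample data: two configured exclusions (the second is misspelled).
EXCLUSIONS = [
    r"C:\Program Files\Backup\agent.exe",
    r"C:\Tools\Scaner\scan.exe",
]
# Constructed sample events as they might be exported from the server.
EVENTS = [
    {"path": r"C:\Program Files\Backup\agent.exe"},
    {"path": r"c:\program files\backup\agent.exe", "regmod_count": 12},
    {"path": r"C:\Tools\Scanner\scan.exe", "modload_count": 40},
    {"path": r"C:\Windows\System32\svchost.exe", "filemod_count": 3},
]

def triage(events=EVENTS, exclusions=EXCLUSIONS):
    """Return (observed_path, verdict, related_exclusion) for each event."""
    return [(e["path"],) + classify(e, exclusions) for e in events]

if __name__ == "__main__":
    for row in triage():
        print(row)
```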
Additional Notes
- The process exclusion can be configured to not report regmods, filemods and modloads.
- Network connections also continue to be recorded and are on the roadmap for a future release.